WO2011003227A1 - Managing respective sequence numbers for different networks independently - Google Patents

Managing respective sequence numbers for different networks independently

Info

Publication number
WO2011003227A1
Authority
WO
WIPO (PCT)
Prior art keywords
sequence number
network
authentication data
authentication
subscriber module
Prior art date
Application number
PCT/CN2009/072632
Other languages
French (fr)
Inventor
Dajiang Zhang
Original Assignee
Nokia Corporation
Priority date
Filing date
Publication date
Application filed by Nokia Corporation filed Critical Nokia Corporation
Priority to PCT/CN2009/072632 priority Critical patent/WO2011003227A1/en
Publication of WO2011003227A1 publication Critical patent/WO2011003227A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02 Terminal devices

Definitions

  • the present invention generally relates to communication networks. More specifically, the invention relates to managing respective sequence numbers for different networks independently.
  • Authentication generally involves a mutual authentication mechanism in which a user is able to authenticate a network and the network is also able to authenticate the user.
  • the authenticating parties in 3GPP (3rd Generation Partnership Project) are an authentication center (AuC) of a user's home environment (HE) and a universal subscriber identity module (USIM) in the user's mobile station.
  • AuC authentication center
  • HE user's home environment
  • USIM universal subscriber identity module
  • a sequence number is an authentication parameter, which may be a number consisting of 48 bits, as specified in 3GPP TS33.102.
  • the USIM and the HE/AuC keep track of counters SQN_MS and SQN_HE respectively to support network authentication.
  • the sequence number SQN_HE is an individual counter for each user and the sequence number SQN_MS denotes the highest sequence number the USIM has accepted.
  • the AuC uses SQN to produce an authentication vector (AV). More information about SQN can be found in Annex C of 3GPP TS33.102.
  • the USIM verifies the freshness of the authentication vector that is used.
  • Each authentication vector consists of the following components: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK and an authentication token AUTN.
  • Upon receipt of RAND and AUTN, the USIM derives the SQN from the AUTN and verifies whether the received sequence number is in a correct range. If the received SQN cannot be accepted, then the USIM generates a synchronization failure message using SQN_MS.
  • a method comprising determining a network from which authentication data is received, in response to receipt of the authentication data; retrieving from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network; and updating the first sequence number with the second sequence number, when the second sequence number is valid.
  • the determining may comprise identifying the network according to at least one identifier in the authentication data.
  • the at least one identifier may be located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data.
  • the updating may comprise storing the second sequence number into a storage area allocated for the determined network.
  • the method in the first aspect of the present invention may further comprise generating a failure message to be sent to the determined network by using the first sequence number, when the second sequence number is invalid.
  • the subscriber module may comprise a universal subscriber identity module.
  • the respective sequence numbers may be stored in separate storage areas allocated for the group of networks respectively.
  • the group of networks may comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system.
  • the first sequence number may denote the highest sequence number having been accepted from the determined network.
  • the second sequence number is valid when the relationship between the second sequence number and the first sequence number meets a predetermined condition.
  • a subscriber module comprising: storage means for storing respective sequence numbers for authentication with a group of networks independently; determining means for determining a network from which authentication data is received, in response to receipt of the authentication data; retrieving means for retrieving a first sequence number for checking whether a second sequence number derived from the authentication data is valid, wherein the first sequence number corresponds to the determined network; and updating means for updating the first sequence number with the second sequence number, if the second sequence number is valid.
  • the determining means may be configured to identify the network according to at least one identifier in the authentication data.
  • the at least one identifier may be located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data.
  • the updating means may be configured to store the second sequence number into a storage area allocated for the determined network.
  • the subscriber module in the second aspect of the present invention may further comprise: generating means for generating a failure message to be sent to the determined network by using the first sequence number, if the second sequence number is invalid.
  • the subscriber module may comprise a universal subscriber identity module.
  • the respective sequence numbers may be stored in separate storage areas allocated for the group of networks respectively.
  • the group of networks may comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system.
  • the first sequence number may denote the highest sequence number having been accepted from the determined network.
  • the second sequence number is valid when the relationship between the second sequence number and the first sequence number meets a predetermined condition.
  • a user equipment comprising the subscriber module in the second aspect of the present invention.
  • a method comprising: setting at least one identifier in authentication data for a network; and sending the authentication data towards a user equipment; wherein the at least one identifier is to be used by the user equipment to retrieve from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, and wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network.
  • the at least one identifier may be set by an authentication center of the network.
  • the at least one identifier may be located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data.
  • the respective sequence numbers may be stored in separate storage areas allocated for the group of networks respectively.
  • the group of networks may comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system.
  • a network device comprising: setting means for setting at least one identifier in authentication data for a network; and sending means for sending the authentication data towards a user equipment; wherein the at least one identifier is to be used by the user equipment to retrieve from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, and wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network.
  • the network device may comprise one of a home location register and a home subscriber server.
  • the setting means may comprise an authentication center of the network device.
  • the at least one identifier may be located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data.
  • the respective sequence numbers may be stored in separate storage areas allocated for the group of networks respectively.
  • the group of networks may comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system.
  • a computer program product including a program for a processing device, comprising software code portions for performing the methods in the first aspect of the present invention, when the program is run on the processing device.
  • the software code portions may cause the processing device to perform the following operations: determining a network from which authentication data is received, in response to receipt of the authentication data; retrieving from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network; and updating the first sequence number with the second sequence number, if the second sequence number is valid.
  • a computer program product including a program for a processing device, comprising software code portions for performing the method in the fourth aspect of the present invention, when the program is run on the processing device.
  • the software code portions may cause the processing device to perform the following operations: setting at least one identifier in authentication data for a network; and sending the authentication data towards a user equipment; wherein the at least one identifier is to be used by the user equipment to retrieve from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, and wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network.
  • the provided methods, subscriber module, user equipment, network device and computer program product can eliminate authentication failures due to storing sequence numbers together in a subscriber module indistinguishably, by managing respective sequence numbers for different networks in the subscriber module independently.
  • Fig.1 is a flowchart illustrating a method for generating authentication data at a network device in accordance with embodiments of the present invention
  • Fig.2 is a flowchart illustrating a method for managing respective sequence numbers for different networks independently, which can be implemented at a subscriber module in accordance with embodiments of the present invention
  • Fig.3 shows schematically a procedure of processing a SQN received in authentication data by a USIM in accordance with an embodiment of the present invention
  • Fig.4 is a block diagram of a network device in accordance with embodiments of the present invention.
  • Fig.5 is a block diagram of a user equipment (UE) comprising a subscriber module in accordance with embodiments of the present invention.
  • UE user equipment
  • HLR home location register
  • HSS home subscriber server
  • LTE long-term evolution
  • some operators may not upgrade the HLR to the HSS in the LTE system, but keep subscribers' data in both HLR and HSS.
  • UMTS Universal Mobile Telecommunications System
  • UTRAN Universal Mobile Telecommunications System Terrestrial Radio Access Network
  • the problem with this separation of subscriber data is that the HLR and the HSS each have an AuC, so the SQN_HE used for authentication between the AuC and a USIM is generated independently in each. This may cause an SQN check error in the USIM. For example, if the current SQN_MS was received from an HLR/AuC and the newly received SQN is from an HSS/AuC, then a synchronization failure would be caused when the received SQN is much larger than SQN_MS or when the received SQN is much smaller than SQN_MS. The reason for this failure is that the SQNs are generated in the HLR and the HSS independently, but stored together in the USIM indistinguishably. This failure may happen frequently in an extreme case.
  • the HSS may fetch the SQN used for authentication from the HLR (or the HSS).
  • a new interface is introduced between the HSS and the HLR for synchronizing the SQN between them.
  • EPS evolved packet system
  • MME mobility management entity
  • the HSS gets SQN_HE from the HLR through the newly added interface between them. In a synchronization procedure, the HSS can get SQN_HE from the HLR.
  • Fig.1 is a flowchart illustrating a method for generating authentication data at a network device in accordance with embodiments of the present invention. Since different networks may have their respective devices or elements which generate SQNs independently, it is advantageous that a UE is able to identify the network with which an authentication procedure is performed, so that the SQNs received by the UE can be processed properly. In this regard, at least one identifier for a network can be set in authentication data sent by the network device, as shown in step 102.
  • the at least one identifier may be located in at least one of: an authentication management field (AMF) in an authentication token (AUTN) of the authentication data (such as an authentication vector), and a network type field (NTF) predefined in the authentication data.
  • the NTF field may be a field which is negotiated by the UE with the network device, or defined by a specification. For example, when a network is an Evolved UTRAN (E-UTRAN), the "separation bit" in the AMF field of AUTN is set to 1 to indicate to the UE that the authentication data is usable in an EPS context; when the "separation bit" is set to 0, the authentication data is usable in a non-EPS context (e.g.
  • E-UTRAN Evolved UTRAN
  • GSM Global System for Mobile communications
  • UMTS Universal Mobile Telecommunications System
  • Annex F 3GPP TS33.102. It can be realized that the use of the AMF field or the NTF field or a combination thereof depends on requirements of a network operator or is specified by a specification.
  • the network device sends the authentication data containing the at least one identifier as defined above towards a UE to be authenticated.
  • the network device described herein may be a HSS or a HLR with an AuC setting the at least one identifier, or any other network element with similar functionalities, depending on which network the UE is accessing.
  • the UE described herein may refer to a mobile phone, a wireless device, a Personal Digital Assistant (PDA), a portable computer, a client terminal, or the like.
  • PDA Personal Digital Assistant
  • the at least one identifier can be used by the UE to retrieve from a subscriber module (for example, a USIM) a first sequence number for checking whether a second sequence number derived from the authentication data is valid.
  • the subscriber module independently stores respective sequence numbers for authentication with a group of networks, for example, by storing the respective sequence numbers separately according to the type of each network.
  • This group of networks may comprise at least one of the following: a UMTS, an EPS, and an I-WLAN (wireless local area network inter-working with 3GPP). It is noted that other suitable networks, such as those which employ an authentication mechanism consistent with that used in the present invention, may also be comprised in this group of networks.
  • the first sequence number, for example SQN_MS stored in the USIM
  • the first sequence number which corresponds to the network originating the authentication data can be retrieved from the stored sequence numbers to verify the SQN received from that network.
  • Fig.2 is a flowchart illustrating a method for managing respective sequence numbers for different networks independently. This method can be implemented at a subscriber module in accordance with embodiments of the present invention.
  • the subscriber module such as a USIM determines a network from which the authentication data is received, for example by identifying the network according to at least one identifier as discussed above.
  • respective sequence numbers for authentication with a group of networks are stored separately in the subscriber module, for instance, stored in separate storage areas allocated for different networks.
  • the subscriber module can retrieve a first sequence number corresponding to the determined network in step 204, so as to verify a second sequence number derived from the authentication data. If the second sequence number is valid, the subscriber module updates the first sequence number with the second sequence number, as shown in step 206. Otherwise, a failure message may be generated (not shown) using the first sequence number.
  • the subscriber module may store the second sequence number into a storage area allocated for the determined network (not shown), such that this sequence number can be used to verify the next sequence number received from the same network. It is noted that many algorithms can be employed by the subscriber module to verify the received sequence number.
  • the first sequence number denotes the highest sequence number the subscriber module has accepted from the network, and the second sequence number is valid when the relationship between the first sequence number and the second sequence number meets a predetermined condition. For instance, if the second sequence number is in a correct range when compared with the first sequence number, the second sequence number is considered to be fresh or valid.
  • Fig.3 shows schematically a procedure of processing a SQN received in authentication data by a USIM in accordance with an embodiment of the present invention.
  • the USIM may allocate a specified storage area to store the highest sequence number SQN_MS it has accepted from that network.
  • the USIM also may keep track of an array of sequence number values it has accepted from that network.
  • the USIM may independently store a plurality of SQN arrays such as a SQN array of EPS, a SQN array of UMTS, or the like.
  • the size of an array may be a predefined positive integer, as described in 3GPP TS33.102.
  • These SQN arrays may be stored in separate storage areas allocated for the respective networks.
  • In response to receiving authentication data such as an authentication vector (AV) in step 302, the USIM derives a SQN from an AUTN comprised in the AV.
  • the USIM can determine from which network the AV is received (step 306). For example, if the "separation bit" in the AMF field is equal to 1, then the received AV is considered as an EPS AV, as described in 3GPP TS33.401. Otherwise, the received AV is a non-EPS AV such as a UMTS AV. If the AUTN is a part of the EPS AV, the USIM verifies the derived SQN with the SQN_MS stored for the EPS, as shown in step 308.
  • Upon determining that the SQN is a valid one, the USIM updates the SQN_MS corresponding to the EPS with the received SQN, and stores the updated SQN_MS for the EPS. Similarly, if the AUTN is a part of the UMTS AV, the USIM verifies the received SQN with the SQN_MS stored for UMTS, as shown in step 310. Upon determining that the SQN from the UMTS is a valid one, the USIM updates the SQN_MS corresponding to the UMTS with the received SQN, and stores the updated SQN_MS for the UMTS.
  • the authentication data may be sent from networks other than the UMTS (such as an I-WLAN or the like), thus between steps 306 and 310, there may be one or more additional steps for checking other identifiers, so as to decide which SQN_MS should be selected to verify the received SQN.
  • networks such as an I-WLAN or the like
  • the USIM may have many schemes to verify freshness and validity of the received SQN.
  • the USIM verifies whether the received SQN is in a correct range. For example, the USIM may not accept arbitrary jumps in sequence numbers, but only increases by a value of at most Δ. Therefore, the received sequence number SQN is only accepted by the USIM if SEQ - SEQ_MS ≤ Δ. If the SQN is not acceptable, then the USIM generates a synchronization failure message using the corresponding SQN_MS.
  • the USIM may store an array of previously accepted sequence number components: SEQ_MS(0), SEQ_MS(1), ..., SEQ_MS(a-1).
  • a limit L also can be put on the difference between SEQ_MS and a received sequence number component SEQ. If such a limit L is applied, the received sequence number is only accepted by the USIM if SEQ_MS - SEQ < L.
  • any other suitable field such as the NTF field discussed previously also can be used to indicate the network to the USIM. Accordingly, besides the SQN_MS corresponding to the EPS and the UMTS, the USIM may utilize other SQN_MS values, depending on which network the USIM receives the authentication data from.
  • Fig.4 is a block diagram of a network device 400 in accordance with embodiments of the present invention.
  • the network device 400, such as a HLR, a HSS or the like, may comprise various means and/or components for implementing functions of the foregoing steps and methods in Fig.1.
  • the network device 400 comprises setting means 402 and sending means 404, as shown in Fig.4.
  • the network device 400 also may comprise a transceiver (not shown) for transmitting and/or receiving signals and messages to/from a UE, and a processor (not shown) for processing these signals and messages.
  • the setting means 402 and the sending means 404 may be coupled to each other by a variety of communication links and/or interfaces.
  • the setting means 402, for example an authentication center, can set in authentication data at least one identifier for a network which the network device serves, before the sending means 404 sends the authentication data towards a UE.
  • the setting means 402 can set the at least one identifier in at least one of the AMF field, the NTF field and any other proper field as described previously, such that a subscriber module in the UE can use the at least one identifier to retrieve a stored sequence number corresponding to the network to be authenticated.
  • Fig.5 is a block diagram of a UE 500 comprising a subscriber module 510 in accordance with embodiments of the present invention.
  • the UE 500 may be a mobile terminal, a wireless device, a portable computer and the like.
  • the UE 500 also may comprise normal components and elements for communicating with the network device, for example, a transceiver 502 (or a transmitter and a receiver) and a processor 504. These components and elements can be connected with each other through one or more communication lines or interfaces.
  • the subscriber module 510 such as a USIM or the like, may comprise various means and/or components for implementing functions of the foregoing steps and methods in Fig.2. Particularly, as shown in Fig.5, the subscriber module 510 comprises storage means 512, determining means 514, retrieving means 516 and updating means 518.
  • the storage means 512 independently stores respective sequence numbers for authentication with a group of networks with which the subscriber module 510 may perform an authentication procedure.
  • the storage means 512 can respectively allocate separate storage areas for a UMTS, an EPS, an I-WLAN, etc., so as to store their respective sequence numbers.
  • the storage means 512 also can store the sequence numbers in a single storage area, and utilize additional information such as a network indicator applied to each sequence number to distinguish these sequence numbers.
  • the stored sequence number which is used to authenticate a sequence number received from a corresponding network, may denote the highest sequence number which the subscriber module has accepted from that network.
  • the determining means 514 determines this network or the type of this network, for example, by utilizing at least one identifier which can be found at an AMF field in an authentication token of the authentication data and/or at a NTF field predefined in the authentication data.
  • the retrieving means 516 retrieves a stored sequence number for checking whether a sequence number derived from the authentication data is valid, wherein the retrieved sequence number corresponds to the determined network. If the derived sequence number is valid, for example the relationship between these two sequence numbers meets a predetermined condition (for instance, the derived sequence number is in a correct range when compared with the stored sequence number), the updating means 518 updates the stored sequence number with the derived sequence number.
  • the updating means 518 may store the updated sequence number into a storage area allocated for the determined network.
  • the subscriber module 510 also comprises generating means (not shown) for generating a failure message to be sent to the determined network by using the retrieved sequence number, if the sequence number received from the network is invalid.
  • the network device 400, the UE 500 and the subscriber module 510 may comprise other functional means and/or modules not shown.
  • the foregoing and additional means and/or modules comprised in the network device 400, the UE 500 and the subscriber module 510 can be implemented as a software block or a hardware block or a combination thereof.
  • these means and/or modules can be implemented as a separate block or can be combined with any other standard block or it can be split into several blocks according to their functionality.
  • the present invention can be realized in hardware, software, firmware or a combination thereof.
  • the present invention also can be embodied in a computer program product, which comprises all the features enabling the implementation of the methods and devices or modules described herein, and when being loaded into a computer system or a processing device, is able to carry out these methods or constitute the functional means/modules in the apparatuses or devices according to embodiments of the present invention.
  • a program of the computer program product may be loadable into a memory of the processing device.
  • the computer program product may comprise a computer-readable medium on which software code portions for performing the methods, apparatus, devices and/or modules of the present invention are stored.
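The Fig.3 procedure, as an added example that is not code from the patent or from any USIM implementation: the network is chosen from the AMF "separation bit", the SQN is checked against the SQN_MS held for that network, and the same authentication vectors are replayed against a single shared SQN_MS to show the synchronization failures the text describes. The names, the 5-bit IND, the value of Δ, AK = 0, the zeroed MAC (MAC verification is skipped) and the single-value freshness rule (SEQ must exceed SEQ_MS by at most Δ) are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

SEPARATION_BIT = 0x8000  # AMF bit 0 (most significant bit): 1 = EPS AV, 0 = non-EPS AV
IND_BITS = 5             # assumption: SQN = SEQ || IND with a 5-bit IND
DELTA = 1 << 28          # assumption: largest forward jump of SEQ that is accepted


def make_autn(seq, ind, eps):
    """Build a constructed 16-byte AUTN = SQN || AMF || MAC (AK = 0, MAC zeroed)."""
    sqn = (seq << IND_BITS) | ind
    amf = SEPARATION_BIT if eps else 0
    return sqn.to_bytes(6, "big") + amf.to_bytes(2, "big") + bytes(8)


def parse_autn(autn, ak=bytes(6)):
    """Split AUTN = (SQN xor AK) || AMF || MAC and return (sqn, amf).

    Verifying the MAC needs the subscriber key, so it is not done here.
    """
    if len(autn) != 16 or len(ak) != 6:
        raise ValueError("AUTN must be 16 bytes and AK 6 bytes")
    sqn = int.from_bytes(bytes(a ^ b for a, b in zip(autn[:6], ak)), "big")
    amf = int.from_bytes(autn[6:8], "big")
    return sqn, amf


def network_of(amf):
    """Step 306: decide which network produced the AV from the separation bit."""
    return "EPS" if amf & SEPARATION_BIT else "UMTS"


@dataclass
class Usim:
    """Hypothetical subscriber module holding SQN_MS per network or shared."""
    per_network: bool = True
    sqn_ms: dict = field(default_factory=dict)

    def authenticate(self, autn, ak=bytes(6)):
        sqn, amf = parse_autn(autn, ak)
        network = network_of(amf)
        # Separate storage area per network, or one indistinguishable store.
        slot = network if self.per_network else "shared"
        stored = self.sqn_ms.get(slot, 0)
        seq, seq_ms = sqn >> IND_BITS, stored >> IND_BITS
        if seq > seq_ms and seq - seq_ms <= DELTA:
            self.sqn_ms[slot] = sqn          # steps 308/310: update SQN_MS
            return network, "accepted", sqn
        # The failure message is built from the SQN_MS that was consulted.
        return network, "sync_failure", stored


def replay(usim, avs):
    """Feed a list of AUTN values to the module and collect the outcomes."""
    return [usim.authenticate(autn) for autn in avs]


# Constructed sample: an HLR/AuC counter near SEQ 1000 and an HSS/AuC counter
# near SEQ 50, with the UE alternating between UMTS and EPS.
SAMPLE_AVS = [
    make_autn(1000, 0, eps=False),
    make_autn(50, 0, eps=True),
    make_autn(1001, 1, eps=False),
    make_autn(51, 1, eps=True),
]

if __name__ == "__main__":
    for label, flag in (("shared SQN_MS", False), ("per-network SQN_MS", True)):
        print(label)
        for network, status, value in replay(Usim(per_network=flag), SAMPLE_AVS):
            print(f"  {network:4} {status:12} SQN={value}")
```

With the shared store every EPS vector is rejected because its SEQ is below the value last accepted from UMTS; with per-network storage all four are accepted, while a replayed vector is still rejected.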

Abstract

A method for managing respective sequence numbers for different networks independently is provided. The method comprises: determining a network from which authentication data is received, in response to receipt of the authentication data; retrieving from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network; and updating the first sequence number with the second sequence number, if the second sequence number is valid.

Description

MANAGING RESPECTIVE SEQUENCE NUMBERS FOR DIFFERENT NETWORKS INDEPENDENTLY
FIELD OF THE INVENTION
The present invention generally relates to communication networks. More specifically, the invention relates to managing respective sequence numbers for different networks independently.
BACKGROUND
Authentication generally involves a mutual authentication mechanism in which a user is able to authenticate a network and the network is also able to authenticate the user. The authenticating parties in 3GPP (3rd Generation Partnership Project) are an authentication center (AuC) of a user's home environment (HE) and a universal subscriber identity module (USIM) in the user's mobile station.
In the context of authentication, a sequence number (SQN) is an authentication parameter, which may be a number consisting of 48 bits, as specified in 3GPP TS33.102. The USIM and the HE/AuC keep track of counters SQN_MS and SQN_HE respectively to support network authentication. The sequence number SQN_HE is an individual counter for each user and the sequence number SQN_MS denotes the highest sequence number the USIM has accepted. In its binary representation, the sequence number consists of two concatenated parts SQN = SEQ || IND. The AuC uses SQN to produce an authentication vector (AV). More information about SQN can be found in Annex C of 3GPP TS33.102. During the authentication, the USIM verifies the freshness of the authentication vector that is used. Each authentication vector consists of the following components: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK and an authentication token AUTN. Upon receipt of RAND and AUTN, the USIM derives the SQN from the AUTN and verifies whether the received sequence number is in a correct range. If the received SQN cannot be accepted, then the USIM generates a synchronization failure message using SQN_MS.
SUMMARY
According to a first aspect of the present invention, there is provided a method comprising determining a network from which authentication data is received, in response to receipt of the authentication data; retrieving from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network; and updating the first sequence number with the second sequence number, when the second sequence number is valid.
According further to the first aspect of the present invention, the determining may comprise identifying the network according to at least one identifier in the authentication data. The at least one identifier may be located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data. The updating may comprise storing the second sequence number into a storage area allocated for the determined network. The method in the first aspect of the present invention may further comprise generating a failure message to be sent to the determined network by using the first sequence number, when the second sequence number is invalid.
According further to the first aspect of the present invention, the subscriber module may comprise a universal subscriber identity module. The respective sequence numbers may be stored in separate storage areas allocated for the group of networks respectively. The group of networks may comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system. The first sequence number may denote the highest sequence number having been accepted from the determined network. In an embodiment, the second sequence number is valid when the relationship between the second sequence number and the first sequence number meets a predetermined condition.
According to a second aspect of the present invention, there is provided a subscriber module comprising: storage means for storing respective sequence numbers for authentication with a group of networks independently; determining means for determining a network from which authentication data is received, in response to receipt of the authentication data; retrieving means for retrieving a first sequence number for checking whether a second sequence number derived from the authentication data is valid, wherein the first sequence number corresponds to the determined network; and updating means for updating the first sequence number with the second sequence number, if the second sequence number is valid.
According further to the second aspect of the present invention, the determining means may be configured to identify the network according to at least one identifier in the authentication data. The at least one identifier may be located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data. The updating means may be configured to store the second sequence number into a storage area allocated for the determined network. The subscriber module in the second aspect of the present invention may further comprise: generating means for generating a failure message to be sent to the determined network by using the first sequence number, if the second sequence number is invalid.
According further to the second aspect of the present invention, the subscriber module may comprise a universal subscriber identity module. The respective sequence numbers may be stored in separate storage areas allocated for the group of networks respectively. The group of networks may comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system. The first sequence number may denote the highest sequence number having been accepted from the determined network. In an embodiment, the second sequence number is valid when the relationship between the second sequence number and the first sequence number meets a predetermined condition.
According to a third aspect of the present invention, there is provided a user equipment comprising the subscriber module in the second aspect of the present invention.
According to a fourth aspect of the present invention, there is provided a method comprising: setting at least one identifier in authentication data for a network; and sending the authentication data towards a user equipment; wherein the at least one identifier is to be used by the user equipment to retrieve from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, and wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network.
According further to the fourth aspect of the present invention, the at least one identifier may be set by an authentication center of the network. The at least one identifier may be located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data. The respective sequence numbers may be stored in separate storage areas allocated for the group of networks respectively. The group of networks may comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system.
According to a fifth aspect of the present invention, there is provided a network device comprising: setting means for setting at least one identifier in authentication data for a network; and sending means for sending the authentication data towards a user equipment; wherein the at least one identifier is to be used by the user equipment to retrieve from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, and wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network.
According further to the fifth aspect of the present invention, the network device may comprise one of a home location register and a home subscriber server. The setting means may comprise an authentication center of the network device. The at least one identifier may be located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data.
According further to the fifth aspect of the present invention, the respective sequence numbers may be stored in separate storage areas allocated for the group of networks respectively. The group of networks may comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system.
According to a sixth aspect of the present invention, there is provided a computer program product including a program for a processing device, comprising software code portions for performing the methods in the first aspect of the present invention, when the program is run on the processing device. The software code portions may cause the processing device to perform the following operations: determining a network from which authentication data is received, in response to receipt of the authentication data; retrieving from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network; and updating the first sequence number with the second sequence number, if the second sequence number is valid.
According to a seventh aspect of the present invention, there is provided a computer program product including a program for a processing device, comprising software code portions for performing the method in the fourth aspect of the present invention, when the program is run on the processing device. The software code portions may cause the processing device to perform the following operations: setting at least one identifier in authentication data for a network; and sending the authentication data towards a user equipment; wherein the at least one identifier is to be used by the user equipment to retrieve from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, and wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network.
In exemplary embodiments of the present invention, the provided methods, subscriber module, user equipment, network device and computer program product can eliminate authentication failures due to storing sequence numbers together in a subscriber module indistinguishably, by managing respective sequence numbers for different networks in the subscriber module independently.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention itself, the preferable mode of use and further objectives are best understood by reference to the following detailed description of the embodiments when read in conjunction with the accompanying drawings, in which:
Fig.1 is a flowchart illustrating a method for generating authentication data at a network device in accordance with embodiments of the present invention;
Fig.2 is a flowchart illustrating a method for managing respective sequence numbers for different networks independently, which can be implemented at a subscriber module in accordance with embodiments of the present invention;
Fig.3 shows schematically a procedure of processing a SQN received in authentication data by a USIM in accordance with an embodiment of the present invention;
Fig.4 is a block diagram of a network device in accordance with embodiments of the present invention; and
Fig.5 is a block diagram of a user equipment (UE) comprising a subscriber module in accordance with embodiments of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
With the evolution of radio communication networks, many network elements need to be updated or replaced so as to support the new network protocols. For example, a home location register (HLR) may need to be upgraded to a home subscriber server (HSS) in a long-term evolution (LTE) system. However, some operators may not upgrade the HLR to the HSS in the LTE system, but keep subscribers' data in both HLR and HSS. Thus, when a subscriber accesses a UMTS (Universal Mobile Telecommunications System) Terrestrial Radio Access Network, also known as UTRAN, the related subscriber data would be fetched from a HLR, and when the subscriber accesses a LTE system, the related subscriber data would be fetched from a HSS.
The problem with this separation of subscriber data is that the HLR and the HSS each have an AuC, so that the SQNHE which is used for authentication between the AuC and a USIM is generated independently. This may cause a check error of SQN in the USIM. For example, if the current SQNMS was received from a HLR/AuC and the newly received SQN is from a HSS/AuC, then a synchronization failure would be caused when the received SQN is much larger than SQNMS or when the received SQN is much smaller than SQNMS. The reason for this failure is that the SQNs are generated in the HLR and the HSS independently, but stored together in the USIM indistinguishably. This failure may happen frequently in an extreme case.
It is possible to employ only one AuC either in a HSS or a HLR to generate SQNHE, and the HSS (or the HLR) may fetch the SQN used for authentication from the HLR (or the HSS). In this event, a new interface is introduced between the HSS and the HLR for synchronizing the SQN between them. For example, there is only one AuC in the HLR. When a UE accesses an evolved packet system (EPS), an authentication request is sent to the HSS from a mobility management entity (MME). The HSS gets SQNHE from the HLR through the newly added interface between them. In a resynchronization procedure, the HSS can get SQNHE from the HLR. However, it is a waste if the new interface between the HSS and the HLR is used only to transfer SQN. In addition, this solution does not work well for a single mode UE. If the UE only has modules for a LTE system, its subscription data should be all stored in a HSS. It is complex to have part of its data like SQN stored in a HLR, and operators may bear the extra cost of storage. Moreover, there is a potential risk in transmitting authentication data from the HLR to the HSS. It is desirable to design a scheme to avoid authentication failures and frequent resynchronizations due to indistinguishableness of SQNs in a USIM, which scheme can manage and store SQNs in the USIM separately without impact on the currently used network elements, especially within a multi-network environment.
The embodiments of the present invention are described in detail with reference to the accompanying drawings. Reference throughout this specification to features, advantages, or similar language does not imply that all of the features and advantages that may be realized with the present invention should be or are in any single embodiment of the invention. Rather, language referring to the features and advantages is understood to mean that a specific feature, advantage, or characteristic described in connection with an embodiment is included in at least one embodiment of the present invention. Furthermore, the described features, advantages, and characteristics of the invention may be combined in any suitable manner in one or more embodiments. One skilled in the relevant art will recognize that the invention may be practiced without one or more of the specific features or advantages of a particular embodiment. In other instances, additional features and advantages may be recognized in certain embodiments that may not be present in all embodiments of the invention.
Fig.1 is a flowchart illustrating a method for generating authentication data at a network device in accordance with embodiments of the present invention. Since different networks may have their respective devices or elements which generate SQNs independently, it is advantageous that a UE is able to identify the network with which an authentication procedure is performed, so that the SQNs received by the UE can be processed properly. In this regard, at least one identifier for a network can be set in authentication data sent by the network device, as shown in step 102. According to exemplary embodiments, the at least one identifier may be located in at least one of: an authentication management field (AMF) in an authentication token (AUTN) of the authentication data (such as an authentication vector), and a network type field (NTF) predefined in the authentication data. The NTF field may be a field which is negotiated by the UE with the network device, or defined by a specification. For example, when a network is an Evolved UTRAN (E-UTRAN), then the "separation bit" in the AMF field of AUTN is set to 1 to indicate to the UE that the authentication data is usable in an EPS context; when the "separation bit" is set to 0, the authentication data is usable in a non-EPS context (e.g. GSM, UMTS). More information about the AMF field can be found in Annex F of 3GPP TS33.102. It can be realized that the use of the AMF field or the NTF field or a combination thereof depends on requirements of a network operator or is specified by a specification.
Then in step 104, the network device sends the authentication data containing the at least one identifier as defined above towards a UE to be authenticated. The network device described herein, for example, may be a HSS or a HLR with an AuC setting the at least one identifier, or any other network element with similar functionalities, depending on which network the UE is accessing. The UE described herein may refer to a mobile phone, a wireless device, a Personal Digital Assistant (PDA), a portable computer, a client terminal, or the like. According to embodiments of the invention, the at least one identifier can be used by the UE to retrieve from a subscriber module (for example, a USIM) a first sequence number for checking whether a second sequence number derived from the authentication data is valid. The subscriber module independently stores respective sequence numbers for authentication with a group of networks, for example, by storing the respective sequence numbers separately according to the type of each network. This group of networks may comprise at least one of the following: a UMTS, an EPS, and an I-WLAN (wireless local area network inter-working with 3GPP). It is noted that other suitable networks, such as those which employ an authentication mechanism consistent with that used in the present invention, also may be comprised in this group of networks. With one or more identifiers in the authentication data, the first sequence number (for example SQNMS stored in the USIM) which corresponds to the network originating the authentication data can be retrieved from the stored sequence numbers to verify the SQN received from that network.
Fig.2 is a flowchart illustrating a method for managing respective sequence numbers for different networks independently. This method can be implemented at a subscriber module in accordance with embodiments of the present invention. In step 202, upon receipt of authentication data, the subscriber module such as a USIM determines a network from which the authentication data is received, for example by identifying the network according to at least one identifier as discussed above. In an exemplary embodiment, respective sequence numbers for authentication with a group of networks are stored separately in the subscriber module, for instance, stored in separate storage areas allocated for different networks. The subscriber module can retrieve a first sequence number corresponding to the determined network in step 204, so as to verify a second sequence number derived from the authentication data. If the second sequence number is valid, the subscriber module updates the first sequence number with the second sequence number, as shown in step 206. Otherwise, a failure message may be generated (not shown) using the first sequence number.
According to an embodiment, in case the second sequence number is valid, the subscriber module may store the second sequence number into a storage area allocated for the determined network (not shown), such that this sequence number can be used to verify the next sequence number received from the same network. It is noted that many algorithms can be employed by the subscriber module to verify the received sequence number. In an exemplary embodiment, the first sequence number denotes the highest sequence number the subscriber module has accepted from the network, and the second sequence number is valid when the relationship between the first sequence number and the second sequence number meets a predetermined condition. For instance, if the second sequence number is in a correct range when compared with the first sequence number, the second sequence number is considered to be fresh or valid.
Fig.3 shows schematically a procedure of processing a SQN received in authentication data by a USIM in accordance with an embodiment of the present invention. For each network with which the USIM performs authentication, the USIM may allocate a specified storage area to store the highest sequence number SQNMS it has accepted from that network. The USIM also may keep track of an array of sequence number values it has accepted from that network. For example, the USIM may independently store a plurality of SQN arrays such as a SQN array of EPS, a SQN array of UMTS, or the like. The size of an array may be a predefined positive integer, as described in 3GPP TS33.102. These SQN arrays may be stored in separate storage areas allocated for the respective networks.
In response to receiving authentication data such as an authentication vector (AV) in step 302, the USIM derives a SQN from an AUTN comprised in the AV. Through checking the AMF field of the AUTN in step 304, the USIM can determine from which network the AV is received (step 306). For example, if the "separation bit" in the AMF field is equal to 1, then the received AV is considered as an EPS AV, as described in 3GPP TS33.401. Otherwise, the received AV is a non-EPS AV such as a UMTS AV. If the AUTN is a part of the EPS AV, the USIM verifies the derived SQN with the SQNMS stored for the EPS, as shown in step 308. Upon determining that the SQN is a valid one, the USIM updates the SQNMS corresponding to the EPS with the received SQN, and stores the updated SQNMS for the EPS. Similarly, if the AUTN is a part of the UMTS AV, the USIM verifies the received SQN with the SQNMS stored for UMTS, as shown in step 310. Upon determining that the SQN from the UMTS is a valid one, the USIM updates the SQNMS corresponding to the UMTS with the received SQN, and stores the updated SQNMS for the UMTS. It is noted that the authentication data may be sent from other networks (such as an I-WLAN or the like) than the UMTS, thus between steps 306 and 310, there may be one or more additional steps for checking other identifiers, so as to decide which SQNMS should be selected to verify the received SQN.
The USIM may have many schemes to verify freshness and validity of the received SQN. In an exemplary embodiment, the USIM verifies whether the received SQN is in a correct range. For example, the USIM may not accept arbitrary jumps in sequence numbers, but only increases by a value of at most Δ. Therefore, the received sequence number SQN is only accepted by the USIM if SEQ - SEQMS ≤ Δ. If the SQN is not acceptable, then the USIM generates a synchronization failure message using the corresponding SQNMS. The USIM may store an array of a previously accepted sequence number components: SEQMS(0), SEQMS(1), ..., SEQMS(a-1). A limit L also can be put on the difference between SEQMS and a received sequence number component SEQ. If such a limit L is applied, the received sequence number is only accepted by the USIM if SEQMS - SEQ < L.
It will be appreciated that in addition to the AMF field, any other suitable field such as the NTF field discussed previously also can be used to indicate the network to the USIM. Accordingly, besides the SQNMS corresponding to the EPS and the UMTS, the USIM may utilize other SQNMS, depending on the network from which the USIM receives the authentication data.
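The per-network bookkeeping of Fig.3 combined with the Δ and L range checks, as an added example that is not part of the patent text. The values of Δ, L and the IND width, the position of the separation bit (taken here as the most significant bit of the 16-bit AMF) and the per-index freshness rule SEQ > SEQMS(IND) are assumptions; unmasking of the SQN and MAC verification of the AUTN are left out, so SQN and AMF are passed in already extracted.

```python
"""Model of USIM sequence-number checks, shared store vs. per-network stores."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

IND_BITS = 5                 # assumed split of the 48-bit SQN = SEQ || IND
ARRAY_SIZE = 1 << IND_BITS   # "a": number of stored SEQMS(i) entries
DELTA = 1 << 28              # assumed delta: largest forward jump accepted
LIMIT_L = 32                 # assumed L: how far behind SEQMS a SEQ may lag
AMF_SEPARATION_BIT = 0x8000  # assumed position of the AMF "separation bit"


class Network(Enum):
    EPS = "EPS"
    UMTS = "UMTS"            # stands in for any non-EPS context


@dataclass
class Outcome:
    network: Network
    accepted: bool
    sqn_ms: int              # SQNMS of the consulted store (used on sync failure)
    reason: str


def network_from_amf(amf: int) -> Network:
    """Steps 304/306: pick the network from the AMF separation bit."""
    return Network.EPS if amf & AMF_SEPARATION_BIT else Network.UMTS


def make_sqn(seq: int, ind: int) -> int:
    return (seq << IND_BITS) | ind


def split_sqn(sqn: int):
    if not 0 <= sqn < 1 << 48:
        raise ValueError("SQN must fit in 48 bits")
    return sqn >> IND_BITS, sqn & (ARRAY_SIZE - 1)


class Usim:
    def __init__(self, per_network: bool = True):
        # per_network=False models the legacy behaviour: one shared store.
        self.per_network = per_network
        self._arrays: Dict[Optional[Network], List[int]] = {}

    def _array(self, network: Network) -> List[int]:
        key = network if self.per_network else None
        return self._arrays.setdefault(key, [0] * ARRAY_SIZE)

    @staticmethod
    def _sqn_ms(array: List[int]) -> int:
        seq_ms = max(array)  # highest SEQ accepted anywhere in the array
        return make_sqn(seq_ms, array.index(seq_ms))

    def check(self, sqn: int, amf: int) -> Outcome:
        """Steps 308/310: verify SQN against the store chosen for its network."""
        network = network_from_amf(amf)
        array = self._array(network)
        seq, ind = split_sqn(sqn)
        seq_ms = max(array)
        if seq - seq_ms > DELTA:
            reason = "jump exceeds delta"
        elif seq_ms - seq >= LIMIT_L:
            reason = "older than limit L"
        elif seq <= array[ind]:
            reason = "not fresh (replay)"
        else:
            array[ind] = seq  # update only the store of the determined network
            return Outcome(network, True, self._sqn_ms(array), "accepted")
        # Rejected: SQNMS of the consulted store goes into the failure message.
        return Outcome(network, False, self._sqn_ms(array), reason)


def run_scenario(per_network: bool) -> List[Outcome]:
    """Constructed trace: the HLR/AuC counter is far ahead of the HSS/AuC one."""
    usim = Usim(per_network)
    umts_amf, eps_amf = 0x0000, 0x8000
    challenges = [
        (make_sqn(5000, 1), umts_amf),  # UMTS vector from the HLR/AuC
        (make_sqn(12, 1), eps_amf),     # EPS vector from the HSS/AuC
        (make_sqn(5001, 2), umts_amf),  # next UMTS vector
        (make_sqn(12, 1), eps_amf),     # same EPS vector presented again
    ]
    return [usim.check(sqn, amf) for sqn, amf in challenges]


if __name__ == "__main__":
    for mode in (False, True):
        print("per-network stores" if mode else "single shared store")
        for o in run_scenario(mode):
            print(f"  {o.network.value:4} accepted={o.accepted} ({o.reason})")
```

With the shared store the first legitimate EPS vector is already rejected because it lags the UMTS counter by more than L; with separate stores it is accepted and only its later replay is refused.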
The schematic flow chart diagrams described above are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of specific embodiments of the presented methods. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated methods. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.
Fig.4 is a block diagram of a network device 400 in accordance with embodiments of the present invention. The network device 400, such as a HLR, a HSS or the like, may comprise various means and/or components for implementing functions of the foregoing steps and methods in Fig.1. Particularly, the network device 400 comprises setting means 402 and sending means 404, as shown in Fig.4. Alternatively, the network device 400 also may comprise a transceiver (not shown) for transmitting and/or receiving signals and messages to/from a UE, and a processor (not shown) for processing these signals and messages. The setting means 402 and the sending means 404 may be coupled to each other by a variety of communication links and/or interfaces.
In an exemplary embodiment, the setting means 402, for example, an authentication center can set in authentication data at least one identifier for a network which the network device serves, before the sending means 404 sends the authentication data towards a UE. According to the specification or negotiation between the UE and the network device, the setting means 402 can set the at least one identifier in at least one of the AMF field, the NTF field and any other proper field as described previously, such that a subscriber module in the UE can use the at least one identifier to retrieve a stored sequence number corresponding to the network to be authenticated.
Fig.5 is a block diagram of a UE 500 comprising a subscriber module 510 in accordance with embodiments of the present invention. The UE 500 may be a mobile terminal, a wireless device, a portable computer and the like. In addition to the subscriber module 510, the UE 500 also may comprise normal components and elements for communicating with the network device, for example, a transceiver 502 (or a transmitter and a receiver) and a processor 504. These components and elements can be connected with each other through one or more communication lines or interfaces. The subscriber module 510, such as a USIM or the like, may comprise various means and/or components for implementing functions of the foregoing steps and methods in Fig.2. Particularly, as shown in Fig.5, the subscriber module 510 comprises storage means 512, determining means 514, retrieving means 516 and updating means 518.
In an exemplary embodiment, the storage means 512 independently stores respective sequence numbers for authentication with a group of networks with which the subscriber module 510 may perform an authentication procedure. For example, the storage means 512 can respectively allocate separate storage areas for a UMTS, an EPS, an I-WLAN, etc., so as to store their respective sequence numbers. Alternatively, the storage means 512 also can store the sequence numbers in a single storage area, and utilize additional information such as a network indicator applied to each sequence number to distinguish these sequence numbers. According to an embodiment of the invention, the stored sequence number, which is used to authenticate a sequence number received from a corresponding network, may denote the highest sequence number which the subscriber module has accepted from that network.
Upon receiving authentication data from a network, the determining means 514 determines this network or the type of this network, for example, by utilizing at least one identifier which can be found at an AMF field in an authentication token of the authentication data and/or at a NTF field predefined in the authentication data. Once the network which sent the authentication data is determined, the retrieving means 516 retrieves a stored sequence number for checking whether a sequence number derived from the authentication data is valid, wherein the retrieved sequence number corresponds to the determined network. If the derived sequence number is valid, for example the relationship between these two sequence numbers meets a predetermined condition (for instance, the derived sequence number is in a correct range when compared with the stored sequence number), the updating means 518 updates the stored sequence number with the derived sequence number. The updating means 518 may store the updated sequence number into a storage area allocated for the determined network. In an exemplary embodiment, the subscriber module 510 also comprises generating means (not shown) for generating a failure message to be sent to the determined network by using the retrieved sequence number, if the sequence number received from the network is invalid.
Those skilled in the art will realize that the network device 400, the UE 500 and the subscriber module 510 may comprise other functional means and/or modules not shown. According to an embodiment of the present invention, the foregoing and additional means and/or modules comprised in the network device 400, the UE 500 and the subscriber module 510 can be implemented as a software block or a hardware block or a combination thereof. Furthermore, these means and/or modules can be implemented as a separate block or can be combined with any other standard block or it can be split into several blocks according to their functionality.
The present invention can be realized in hardware, software, firmware or a combination thereof. The present invention also can be embodied in a computer program product, which comprises all the features enabling the implementation of the methods and devices or modules described herein, and when being loaded into a computer system or a processing device, is able to carry out these methods or constitute the functional means/modules in the apparatuses or devices according to embodiments of the present invention. For example, a program of the computer program product may be loadable into a memory of the processing device. The computer program product may comprise a computer-readable medium on which software code portions for performing the methods, apparatus, devices and/or modules of the present invention are stored.
Although specific embodiments of the invention have been disclosed, those having ordinary skill in the art will understand that changes can be made to the specific embodiments without departing from the spirit and scope of the invention. The scope of the invention is not to be restricted therefore to the specific embodiments, and it is intended that the appended claims cover any and all such applications, modifications, and embodiments within the scope of the present invention.

Claims

What is claimed is:
1. A method, comprising:
determining a network from which authentication data is received, in response to receipt of the authentication data;
retrieving from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network; and
updating the first sequence number with the second sequence number, when the second sequence number is valid.
2. The method according to claim 1, wherein the determining comprises: identifying the network according to at least one identifier in the authentication data.
3. The method according to claim 2, wherein the at least one identifier is located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data.
4. The method according to any one of claims 1 to 3, wherein the respective sequence numbers are stored in separate storage areas allocated for the group of networks respectively.
5. The method according to any one of claims 1 to 4, wherein the updating comprises: storing the second sequence number into a storage area allocated for the determined network.
6. The method according to any one of claims 1 to 5, wherein the subscriber module comprises a universal subscriber identity module.
7. The method according to any one of claims 1 to 6, wherein the group of networks comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system.
8. The method according to any one of claims 1 to 7, wherein the first sequence number denotes the highest sequence number having been accepted from the determined network.
9. The method according to any one of claims 1 to 8, wherein the second sequence number is valid when the relationship between the second sequence number and the first sequence number meets a predetermined condition.
10. The method according to any one of claims 1 to 9, further comprising: generating a failure message to be sent to the determined network based on the first sequence number, when the second sequence number is invalid.
11. A subscriber module, comprising:
storage means for storing respective sequence numbers for authentication with a group of networks independently;
determining means for determining a network from which authentication data is received, in response to receipt of the authentication data;
retrieving means for retrieving a first sequence number for checking whether a second sequence number derived from the authentication data is valid, wherein the first sequence number corresponds to the determined network; and
updating means for updating the first sequence number with the second sequence number, when the second sequence number is valid.
12. The subscriber module according to claim 11, wherein the determining means is configured to identify the network according to at least one identifier in the authentication data.
13. The subscriber module according to claim 12, wherein the at least one identifier is located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data.
14. The subscriber module according to any one of claims 11 to 13, wherein the respective sequence numbers are stored in separate storage areas allocated for the group of networks respectively.
15. The subscriber module according to any one of claims 11 to 14, wherein the updating means is configured to store the second sequence number into a storage area allocated for the determined network.
16. The subscriber module according to any one of claims 11 to 15, wherein the subscriber module comprises a universal subscriber identity module.
17. The subscriber module according to any one of claims 11 to 16, wherein the group of networks comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system.
18. The subscriber module according to any one of claims 11 to 17, wherein the first sequence number denotes the highest sequence number having been accepted from the determined network.
19. The subscriber module according to any one of claims 11 to 18, wherein the second sequence number is valid when the relationship between the second sequence number and the first sequence number meets a predetermined condition.
20. The subscriber module according to any one of claims 11 to 19, further comprising: generating means for generating a failure message to be sent to the determined network based on the first sequence number, when the second sequence number is invalid.
21. A user equipment comprising the subscriber module according to any one of claims 11 to 20.
22. A method, comprising:
setting at least one identifier in authentication data for a network; and
sending the authentication data towards a user equipment;
wherein the at least one identifier is to be used by the user equipment to retrieve from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, and wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network.
23. The method according to claim 22, wherein the at least one identifier is located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data.
24. The method according to claim 22 or 23, wherein the respective sequence numbers are stored in separate storage areas allocated for the group of networks respectively.
25. The method according to any one of claims 22 to 24, wherein the at least one identifier is set by an authentication center of the network.
26. The method according to any one of claims 22 to 25, wherein the group of networks comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system.
27. A network device, comprising:
setting means for setting at least one identifier in authentication data for a network; and
sending means for sending the authentication data towards a user equipment;
wherein the at least one identifier is to be used by the user equipment to retrieve from a subscriber module a first sequence number for checking whether a second sequence number derived from the authentication data is valid, and wherein the subscriber module stores respective sequence numbers for authentication with a group of networks independently, and the first sequence number corresponds to the determined network.
28. The network device according to claim 27, wherein the at least one identifier is located in at least one of: an authentication management field in an authentication token of the authentication data, and a network type field predefined in the authentication data.
29. The network device according to claim 27 or 28, wherein the respective sequence numbers are stored in separate storage areas allocated for the group of networks respectively.
30. The network device according to any one of claims 27 to 29, wherein the setting means comprises an authentication center of the network device.
31. The network device according to any one of claims 27 to 30, wherein the network device comprises one of a home location register and a home subscriber server.
32. The network device according to any one of claims 27 to 31, wherein the group of networks comprise at least one of the following: a universal mobile telecommunications system, an evolved packet system, and a wireless local area network inter-working with a 3rd generation partnership project system.
33. A computer program product including a program for a processing device, comprising software code portions for performing the method according to any one of claims 1 to 10 and claims 22 to 26 when the program is run on the processing device.
34. The computer program product according to claim 33, wherein the computer program product comprises a computer-readable medium on which the software code portions are stored.
35. The computer program product according to claim 33 or 34, wherein the program is loadable into a memory of the processing device.
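The flow recited in claims 1 to 10 and 22, as an added illustrative model that is not part of the patent text: the network side marks the authentication management field, and the subscriber module keeps one stored sequence number per network, checks the received one against it, and either updates that store or returns a failure result based on the stored value. The AMF bit used as the identifier, the validity condition (`DELTA` window), the zeroed MAC and all names are assumptions of this example; the claims only speak of "at least one identifier" and "a predetermined condition".

```python
from dataclasses import dataclass, field

EPS, UMTS = "EPS", "UMTS"
DELTA = 1 << 28  # assumed limit on how far a fresh SQN may jump ahead

def make_autn(sqn: int, ak: bytes, eps: bool) -> bytes:
    """Network side: build a constructed AUTN = (SQN xor AK) || AMF || MAC."""
    concealed = (sqn ^ int.from_bytes(ak, "big")).to_bytes(6, "big")
    amf = b"\x80\x00" if eps else b"\x00\x00"  # assumed network identifier bit
    return concealed + amf + bytes(8)          # MAC zeroed: not modelled here

def parse_autn(autn: bytes, ak: bytes):
    """Return (sqn, amf) from a 16-byte AUTN; AK would come from f5."""
    if len(autn) != 16 or len(ak) != 6:
        raise ValueError("AUTN must be 16 bytes and AK 6 bytes")
    sqn = int.from_bytes(autn[:6], "big") ^ int.from_bytes(ak, "big")
    return sqn, autn[6:8]

@dataclass
class SubscriberModule:
    # One storage area per network, each holding the highest accepted SQN.
    sqn_store: dict = field(default_factory=lambda: {EPS: 0, UMTS: 0})

    def authenticate(self, autn: bytes, ak: bytes):
        sqn, amf = parse_autn(autn, ak)
        net = EPS if amf[0] & 0x80 else UMTS       # determine the network
        stored = self.sqn_store[net]               # first sequence number
        if stored < sqn <= stored + DELTA:         # assumed validity condition
            self.sqn_store[net] = sqn              # update only this network
            return ("accepted", net, sqn)
        # Failure result carries the stored value so the network can resync.
        return ("sync_failure", net, stored)

def demo():
    ak = bytes.fromhex("a1b2c3d4e5f6")             # constructed sample AK
    usim = SubscriberModule()
    return [
        usim.authenticate(make_autn(1000, ak, eps=True), ak),
        usim.authenticate(make_autn(40, ak, eps=False), ak),
        usim.authenticate(make_autn(40, ak, eps=False), ak),   # replayed
        usim.authenticate(make_autn(1001, ak, eps=True), ak),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the constructed run, the UMTS value 40 is accepted even though EPS has already advanced to 1000, because each network is checked against its own store; the repeated UMTS value is then rejected with that network's stored number.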
PCT/CN2009/072632 2009-07-06 2009-07-06 Managing respective sequence numbers for different networks independently WO2011003227A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2009/072632 WO2011003227A1 (en) 2009-07-06 2009-07-06 Managing respective sequence numbers for different networks independently

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2009/072632 WO2011003227A1 (en) 2009-07-06 2009-07-06 Managing respective sequence numbers for different networks independently

Publications (1)

Publication Number Publication Date
WO2011003227A1 true WO2011003227A1 (en) 2011-01-13

Family

ID=43428726

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/072632 WO2011003227A1 (en) 2009-07-06 2009-07-06 Managing respective sequence numbers for different networks independently

Country Status (1)

Country Link
WO (1) WO2011003227A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7565383B2 (en) 2004-12-20 2009-07-21 Sap Ag. Application recovery
CN110839239A (en) * 2018-08-17 2020-02-25 中国电信股份有限公司 Authentication method, equipment and system
WO2020216338A1 (en) * 2019-04-24 2020-10-29 华为技术有限公司 Parameter sending method and apparatus

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2365687B (en) * 2000-08-02 2004-06-09 Vodafone Ltd Telecommunications systems and methods
WO2008117006A1 (en) * 2007-03-27 2008-10-02 British Telecommunications Public Limited Company An authentication method
CN201191907Y (en) * 2008-03-26 2009-02-04 宇龙计算机通信科技(深圳)有限公司 User's identification card and mobile terminal using the same

Similar Documents

Publication Publication Date Title
EP2223493B1 (en) Methods, apparatuses, system and related computer program products for handover security
JP7452600B2 (en) Communication terminal device and its method
CN105052184B (en) Method, equipment and controller for controlling user equipment to access service
US7970380B2 (en) User authentication in a communications system
US10798082B2 (en) Network authentication triggering method and related device
US11381964B2 (en) Cellular network authentication control
CN112219415A (en) User authentication in a first network using a subscriber identity module for a second, old network
CN109906624B (en) Method for supporting authentication in a wireless communication network, related network node and wireless terminal
WO2018011078A1 (en) Method and system for dual-network authentication of a communication device communicating with a server
US11381973B2 (en) Data transmission method, related device, and related system
WO2020238595A1 (en) Method and apparatus for acquiring security context, and communication system
US20220279471A1 (en) Wireless communication method for registration procedure
US20240073685A1 (en) Method for authentication for nswo service, device, and storage medium
US20090239534A1 (en) Apparatus and a system for registering profile information of a terminal
WO2011003227A1 (en) Managing respective sequence numbers for different networks independently
CN111448814A (en) Indicating a network for a remote unit
CN102652439A (en) Smart card security feature profile in home subscriber server
EP3146742B1 (en) Exception handling in cellular authentication
CN115942305A (en) Session establishment method and related device
CN115398946A (en) Authentication server function selection in authentication and key agreement
CN115769618A (en) Using pseudonyms for access authentication over non-3 GPP access
CN111480377A (en) Indicating a network for a remote unit
US11974132B2 (en) Routing method, apparatus, and system
WO2022174729A1 (en) Method for protecting identity identification privacy, and communication apparatus
EP4161113A1 (en) Communication method and related apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09846978

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09846978

Country of ref document: EP

Kind code of ref document: A1