(12) United States Patent
`Turtiainen
`
`USOO6430407B1
`(10) Patent No.:
`US 6,430,407 B1
`(45) Date of Patent:
`Aug. 6, 2002
`
(54) METHOD, APPARATUS, AND ARRANGEMENT FOR AUTHENTICATING A USER TO AN APPLICATION IN A FIRST COMMUNICATIONS NETWORK BY MEANS OF A MOBILE STATION COMMUNICATING WITH THE APPLICATION THROUGH A SECOND COMMUNICATIONS NETWORK

(75) Inventor: Esa Turtiainen, Espoo (FI)
(73) Assignee: Telefonaktiebolaget LM Ericsson (publ), Stockholm (SE)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/244,018
(22) Filed: Feb. 4, 1999

(30) Foreign Application Priority Data
Feb. 25, 1998 (FI) 980427

(51) Int. Cl.: H04M 1/66; H04K 1/10
(52) U.S. Cl.: 455/411; 455/456; 380/33
(58) Field of Search: 455/411, 410, 414, 432, 456, 407, 406, 408; 380/247, 270, 33, 248, 271

Primary Examiner: William Trost
Assistant Examiner: Rafael Perez-Gutierrez
(74) Attorney, Agent, or Firm: Nixon & Vanderhye P.C.

(57) ABSTRACT

A method, arrangement, and apparatus for providing an authentication to an application provided through a communications network. A connection is established between the application and a user interface through said communications network so as to enable an access of a user to the application. An authentication is provided to said application by means of a mobile station communicating through a mobile communications network.

20 Claims, 6 Drawing Sheets

[Representative drawing: the flow chart of FIG. 4]

PETITIONERS' EXHIBIT 1021
Page 1 of 14

U.S. Patent, Aug. 6, 2002, Sheet 1 of 6, US 6,430,407 B1
[FIG. 1: network arrangement (reference numeral 43, the Internet)]

[Sheet 2 of 6: FIG. 2, arrangement for authenticating a user (reference numerals 1, 16, 21, 22 USER, 23, 24, 26, 27, 28, 29, 45, 46); FIG. 3, mobile station with controller, the display showing:]
CRC = 2adF23Z
Transfer 200 FIM
From: 1234-4567
TO: 4321-7654
Accept? Y/N

[Sheet 3 of 6: FIG. 4, flow chart (steps 102 to 114): Start; establish a connection between an application and a user interface through a communications network; access the application; authenticate the user by means of a MS by establishing a communication connection through a separate communications network; authentication confirmed? No: close connections; Yes: proceed as required by the application procedures, close connections; End]

[Sheet 4 of 6: FIG. 5, flow chart (steps 202 to 214): Start; establish a connection between banking services and user interface; request for a transaction from one account to another; retrieve related user authentication data from database; send a text message to the MS of the user of the banking services in accordance with the user data; display the message, ask for an acknowledgement; accepts? No: "Please re-enter"; Yes: proceed the transaction, close connections; End]

[Sheet 5 of 6: FIG. 6, alternative embodiment with IN services 60, PSTN 20, MS 1, USER 22 (reference numerals 27, 28, 61)]

[Sheet 6 of 6: FIG. 7]

METHOD, APPARATUS, AND ARRANGEMENT FOR AUTHENTICATING A USER TO AN APPLICATION IN A FIRST COMMUNICATIONS NETWORK BY MEANS OF A MOBILE STATION COMMUNICATING WITH THE APPLICATION THROUGH A SECOND COMMUNICATIONS NETWORK

FIELD OF THE INVENTION

The present invention relates to a method for providing an authentication to an application. The invention relates further to an arrangement for providing an authentication to an application, and further to an apparatus to be used in the authentication.

BACKGROUND OF THE INVENTION

Various electronic applications exist which involve a need for an authentication. Authentication may be required, for example, when a user is accessing a specific application and/or when a user already uses an application and there arises a need to verify the user or to receive such an acknowledgment from the user as allows the application to make some further proceedings.

Examples of applications which might require an authentication include various commercial services obtained through communications networks, such as the Internet, an intranet or local area networks (LAN); payments and banking services accessed through communications networks; resource access; remote programming, reprogramming or updating of software, etc. Even certain free-of-charge services obtained through communications networks may require an authentication. The number of services or applications which require at least some degree of authentication of the user who is trying to access them (or of the user who is already using them, where there is a need to check authorization during the use of the service or a need to acknowledge something during the use) has increased greatly during the past years. The need for authentication is also expected to increase further in the future.

At present there are already some well known solutions for communication authentication. These normally use various cryptographic techniques between two communicating computer devices. According to a basic scenario for the authentication, a random challenge is given to the encryption functions of said two computer devices. Both of these computers have a secret, i.e., an encryption key, which is also given to the encryption function in both of the computers. Thereafter, the results of the calculations of the two encryption functions are compared, and if the result of the comparison is positive, the authentication is considered as being in force. If the comparison gives a negative result, then the authentication test is considered as having failed.

There are also various already existing authentication arrangements. The following examples of the prior art arrangements are given with a brief description of some of the drawbacks thereof:

Passwords. At present, the use of a password or several passwords is the most often used approach for the authentication. The password is given to the remote application through a user interface, e.g., through a computer terminal connected to a communications network. However, this solution does not take the vulnerability of the network into account, since the password is exposed to everyone who has access to the network (and who is skilled enough to read the passwords).

A secret. This may be described as an electronic password or a signature or an encryption key which is stored and used
by, for example, the user interface. Even though the secret is not revealed to the network, it may end up in the "wrong hands" and could be used by some party other than those who were originally intended to be the users of the secret.

Authentication software in the user interface. This is a more sophisticated approach to authentication. The password is given to a program in the user interface, which then automatically and cryptographically authenticates access to the requested application. Even though this provides a more secure arrangement than the above solution, it still leaves a possibility for catching the passwords from the user interface. It is also possible to modify the software without notice to the actual user.

Smart cards with associated readers. A smart card is capable of communicating encrypted challenge-response messages, but it does not contain a user interface for receiving an authorization from the user itself. Such an interface may exist in the smart card readers, but such readers must be well protected against any possibilities for misuse, and thus the ordinary users (i.e., the large majority of users, i.e., the public) cannot usually have physical access to these reader interfaces, but have to trust the organization providing the smart cards. In addition, the smart card readers cannot be shared between organizations which do not trust each other.

Smart cards with a user interface. These do already exist, but they are expensive since each security processor must have a secure user interface of its own. These are rare and their input/output capability is still extremely limited, and thus they are not held to be an economically suitable solution for the authentication problem.

A separate personal authentication device. In this approach the user is used as "a communication means" between the user interface and a separate authentication device. The user interface gives a challenge which the user then types into a hand-held authentication device (a pocket-calculator-like device). The authentication device may, e.g., give a number as a response, and the user then types this number into the user interface. Here the problems relate to the need of purchasing, using and carrying a separate device. In some instances there is also a possibility of incorrect typing of the usually long and complex character strings.

The above already mentions some parties which may be involved when implementing the present authentication systems. They are briefly explained in more detail in the following:

The user is usually a human being who uses various applications or services. The user can be identified by means of a password (or secret) which is only known by him/her (a public key method), or by means of a secret which is shared between the user and the application (a secret key method).

The application is the party that wants to ensure the authenticity of the user. The application can also on some occasions be called a service. From the application's point of view the authenticity question can be divided into four different categories (questions): 1) is the user at the moment at the other end? (so-called peer-entity authentication), 2) are the further messages received from the same user? (integrity of the message stream), 3) does a specific message originate from a certain user? (data origin authentication), and 4) is the message such that even a third party may believe it to originate from a certain user? (non-repudiation).

The user interface is the device or arrangement which enables the user to access the application or service. In most instances it can also be referred to as a terminal, and may
consist of devices such as computers (e.g., a personal computer, PC), workstations, telephone terminals, mobile stations such as mobile telephones or radios or pagers, automatic money teller and/or banking machines, etc. The user interface provides input/output facilities and it may possibly even provide a part of the application.

The Personal Authentication Device (PAD) is a piece of hardware that the user carries with him. The PAD may have some basic input/output functionality and even some processing facilities. The above-referred smart cards and separate authentication devices may also be considered as PADs. In most cases the user can rely on his PAD, since the user has it (almost) always with him and thus under continuous control. All the possible passwords or secrets are hidden in the hardware thereof such that there is no easy manner to reveal them. The device itself is not easy to modify such that the communication path between the user and the security processor could be endangered. In addition, the PADs usually have a minimum amount of stored state and the programs thereof are not easily modifiable.

SUMMARY OF THE INVENTION

Even though the above-described prior art solutions for authentication already exist, there are still some shortcomings, in addition to those already referred to above, in the area of authentication.

In case the access to the application is made absolutely secure, or as secure as possible, the application easily becomes extremely complex in its architecture, and becomes also complicated and more time consuming to access and use. The increased security level increases the amount of the required hardware and software, which leads to an increased need for maintenance and updating thereof, and thus the total costs of the authentication may become high. The complexity and costs could be decreased by lowering the level of security, but this is expected to lead to an insufficient security level in the communications. In addition, it is believed that an "absolutely secure" condition does not even exist in the communications networks, as the technical development makes it possible for hackers to solve even the most complicated security arrangements.

A human problem lies in the fact that the passwords or secrets may become quite complicated and/or too long, or that there may be too many of them. Thus the users may find it hard to remember them. Typically a secret which is considered as secure in the secret key method is 128 bits and in the public key method it is 1024 bits. For most people it is impossible to remember this kind of key.

In addition, users are not able to perform the calculations required in the authentication without external devices. As was explained above, the basic authentication is often made by a challenge and response method. This would require the user (i.e., a human) to encrypt something with his secret. This is not held to be possible in practice.

In addition to the possibility of catching the password or secret during its transmission over an open communications network, as was discussed above, today's solutions do not pay sufficient attention to the vulnerability of the user interfaces either. The terminal devices have developed to be full of complex technology and software such that most of the users are no longer capable of fully controlling the terminals, or understanding the operation thereof. In addition, it often occurs that many users share the same terminal device (e.g., a commonly used PC) and/or that external maintenance personnel have access to the computers of a per se closed organization.
The computer terminals contain stored state and programs in the memory means thereof, which can be modified. In modern computers it is possible to modify the software thereof even such that the user does not notice this, and even through the communication paths without any physical access to the device itself. To give an example of the risks, it is possible to modify a program in a computer terminal such that it modifies the data the user sends, for example to a bank, such that the computer modifies all bank transfers on a certain day to another account than the one designated by the user. This modifying or reprogramming without notice may cause serious and huge damages when used against ordinary individual users, and especially when used against organizations such as companies or public administration. This all means that the ordinary terminal devices and communication paths cannot be trusted.

Therefore it is an object of the present invention to overcome the disadvantages of the prior art solutions and to provide a new type of solution for authentication.

An object is also to provide a method and an arrangement by means of which a user who wishes to access an application can be authenticated in a more secure manner than has been possible in the prior art. An object is also to provide an authentication when a need for the authentication arises during the use of an already accessed application.

An object of the present invention is also to provide a method and arrangement by means of which a mobile station can be utilized in the authentication.

An additional object of the present invention is to provide a solution in which an identification module of a mobile station can be utilized in the authentication.

Other objects and advantages of the present invention will be brought out in the following part of the specification taken in conjunction with the accompanying drawings.

The objects are obtained by a new method for providing an authentication to an application provided through a communications network. According to the present invention a connection between the application and a user interface through said communications network is established so as to enable an access of a user to the application provided through the communications network, while an authentication to said application is provided by means of a mobile station communicating through a mobile communications network.

According to one further embodiment the authentication method comprises a step of establishing a connection between an application and a user interface through a communications network so as to enable an access of a user to the application provided through the communications network. The authentication to said application is provided by means of a mobile station such that a secret of a Subscription Identification Module (SIM) of the mobile station is utilized in encryption operations of the authentication.

The invention provides further an arrangement for providing an authentication to an application provided by an application provider through a communications network. The arrangement comprises a user interface and a connection between the application and the user interface through said communications network so as to enable use of the application. The arrangement further comprises means for authenticating the use of the application, wherein said means for authenticating comprise a mobile station communicating through a mobile communications network and a link between the application implemented by the communications network and the mobile communications network.
According to an alternative embodiment the invention provides a mobile station for providing an authentication to an application provided through a communications network. In this embodiment the application is accessed by means of a user interface connected to the communications network, while said mobile station is using a different communications network for the communications than the user interface. Said mobile station is used for authenticating the use of said application accessed by the user interface.

Several advantages are obtained by means of the present invention, since the solution introduces a new reliable manner for authentication. The inventive authentication method and arrangement is easy to implement in already existing communications networks without any excessive alterations or additional devices. The arrangement can be used in connection with various different applications, in practice in connection with any such application provided through a communications system which needs some kind of authentication.

The user is freed from carrying a separate authentication device (PAD) or many different authentication devices. The user can also trust the personal authentication device (PAD) according to the present invention, as the mobile station is usually always with him, and users tend to take good care of their mobile stations. In addition, for instance in case of theft of a mobile station, the mobile subscription and/or the SIM thereof can be easily canceled by the operator. All secrets of a mobile station are well hidden in the hardware thereof such that it is not easy to reveal them. In addition, the mobile station device itself is not easily modifiable in such a way that the communication path between the user and the security processors could be endangered.

The system includes a minimum amount of stored state and the programs are not easily modifiable. The existing SIM of a mobile station, and more precisely the secret thereof, can be utilized for the required encryption procedures. Thus the SIM can be utilized as a security card for new purposes, and there is already an existing party who will control the use of the SIM, i.e., the mobile network operator, who can immediately cancel a SIM if fraud is suspected.

In the following the present invention and the other objects and advantages thereof will be described by examples with reference to the annexed drawings, in which similar reference numerals throughout the various figures refer to similar features. It should be understood that the following description of the invention is not meant to restrict the invention to the specific forms presented in this connection, but rather the present invention is meant to cover all modifications, similarities and alternatives which are included in the spirit and scope of the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a general view of one possible arrangement of communications networks in which it is possible to implement the present invention;

FIG. 2 is a schematic presentation of an embodiment for authenticating a user according to the present invention;

FIG. 3 discloses schematically one possible mobile station and an embodiment of the present invention;

FIGS. 4 and 5 disclose flow charts according to two embodiments of the present invention;

FIG. 6 discloses an alternative embodiment for the authentication in accordance with the present invention; and

FIG. 7 is a schematic presentation which relates to a further embodiment of the present invention.
DETAILED DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic representation of one network arrangement which can be used when implementing the present invention. The arrangement of FIG. 1 comprises a Public Switched Telephone Network (PSTN) which is schematically shown as a box designated by 20. The exemplifying PSTN is a fixed line telephone network (or Plain Old Telephone Service, POTS), which forms a communications network through which a user interface 16 is enabled to access an application. According to this embodiment a user (not shown) may use the user terminal 16 connected to the PSTN as a user interface to access the desired service in one of the WWW servers 45 obtainable through an Internet connection. The disclosed terminal 16 is a personal computer (PC), but other types of user interfaces, such as workstations, automatic public teller machines etc., may also be used.

A Public Land Mobile Network (PLMN) is also disclosed. This may be, for example, a cellular telephone network or a similar mobile communications system. Two mobile stations MS 1 and MS+PC 2 are also disclosed. The MS+PC 2 may be defined as an integrated mobile phone and a portable computer. Both of these are capable of communicating through an air interface 3 with the PLMN through one of several base stations (BS) 4 of the PLMN.

One type of PLMN is a digital GSM network (GSM; Global System for Mobile Communications), which is well specified in the GSM recommendations by ETSI (European Telecommunications Standards Institute), the network architecture thereof being described in detail in recommendations GSM 01.02 or GSM 03.02 or the revised versions thereof. It is to be noted that while the invention is mainly described in the context of an exemplifying cellular telephone network using GSM terminology, those skilled in the art will appreciate that the present invention can be implemented in any mobile system. Furthermore, it is to be noted that for clarity reasons only those parts of a mobile network structure are shown which are considered as necessary for the purposes of illustrating the operation of the exemplifying system. The skilled person is well aware of the fact that the telephone networks may normally comprise also other necessary apparatus than those illustrated, that some of the disclosed elements of the PLMN or PSTN may be omitted or replaced by some other type of elements, and that a great number of mobile networks and ordinary fixed land line networks may cooperate and interchange with each other. The skilled man understands also that the connection to the Internet may also be a direct connection without any PSTN or similar network arrangement between the user terminal 16 and the Internet 43. These alternatives are, however, not shown and explained in more detail as they are known to the skilled man in the art.

The GSM based public land mobile network (PLMN) usually includes several mobile services switching centers (MSC) 10. Each of these is, in turn, connected to a plurality of base station subsystems (BSS) 6 (only one MSC and BSS is shown for clarity). The base station subsystem 6 usually comprises a base station controller BSC and necessary interface apparatus, and is connected to a plurality of base stations (BS) 4, each of which supervises a certain geographical area, referred to as a cell (for the cells, see FIG. 7).

The mobile services switching center 10 of FIG. 1 is further connected or linked to the public switched telephone network (PSTN) 20 through an exchange 12 and lines 11. The MSC 10 is also connected to a global communications
network, which in the example is the Internet (designated by numeral 43). The MSC may be connected to an integrated services digital network (ISDN) or any other type of appropriate communications network. The necessary links between different components of different telecommunication network systems are per se well known in the art.

The PLMN network further includes a database, the so-called home location register (HLR) 9, which is connected to the MSC. Those mobile terminals 1 and 2 which are subscribers of the mobile telecommunications network are registered in the HLR 9. Each local mobile telephone switching center 10 further includes a local database called a visitor location register (VLR) 8, into which are registered all such mobile stations 1 and 2 which are located within the area of one of the cells handled by that local mobile telephone services switching center MSC at any given moment.

The mobile stations are identified by a SIM (Subscriber Identification Module) which is usually mounted within each of the mobile stations, or otherwise physically connected thereto. A SIM is a module which includes various user (subscription) related information and secrets. It may also include further information which relates to the encryption of the radio communications. The SIM may be assembled fixedly or removably to the mobile station. The utilization of the SIM as well as the HLR and/or VLR registers in this invention will be discussed in more detail later in this specification.

As discussed, the user may be connected to the Internet 43 via a fixed or a mobile network or via a direct connection. However, there may be some differences between the connections when for example GPRS (General Packet Radio System) is concerned, but the service from the Internet network is available for the users of both PSTN and PLMN systems. In the example, the Mobile Switching Center (MSC) 10 as well as the PSTN 20 are provided with an access to the multiprotocol Internet 43 by access nodes (AN) 14 and 40. Even though only one AN per communications network is disclosed, it is to be understood that in practice the number of ANs may be essentially greater, and that the number of ANs is also increasing continuously. According to one solution a special Internet Access Server IAS capable of converting the signal into data packets is used as an AN towards the Internet.

The users of the Internet 43 have made a contract with an Internet Service Provider (ISP) 42, who provides the communications connection to the Internet from the user terminals 1, 2, or 16. When the user desires to have an Internet connection, he calls the Internet Service Provider (ISP) 42 so as to connect his terminal 16 to the desired address (the so-called Internet Protocol address). The call connection is established by the PSTN 20 and passes through at least the local exchanges 18, and perhaps one or several transit exchanges which are connected or interconnected through trunk lines (not shown). It is to be understood that even though FIG. 1 discloses only one ISP through which both networks communicate towards the Internet, communication could be arranged through different ISPs.

FIG. 1 discloses further a WWW server 45 (World Wide Web server) which includes server databases x, y and z providing different services. It discloses also a connection from the ISP through the router 44 to said server 45 via the Internet 43. It is to be understood that the service can be any service obtainable through any communications network, such as a banking service, an electronic shopping service etc., in which authentication is required.
The mobile station 1 (or 2) is used as a personal authentication device (PAD) when the user accesses, or has already accessed, via the user interface 16 through the PSTN 20, a service X provided by the WWW server 45. The mobile station 1 communicates with the service X through a separate communications path or channel than is used by the actual user interface 16. The mobile station can be trusted because the user usually keeps it always with him. The ergonomic and functional requirements for the mobile stations and for the conventional PADs are essentially the same, and the MS has a user interface that is suitable for the PAD. A modern MS even has a security processor interface that is suitable for authentication purposes.

There are several alternatives to accomplish the authentication by means of the mobile station, and examples thereof will now be discussed in the following in more detail.
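As an added example (not code from the patent or from Ericsson), the following Python models the two mechanisms the specification describes: the basic challenge-response of the Background (a random challenge and a shared secret, with the two results compared) and the out-of-band confirmation of FIGS. 3 to 5, in which the bank describes the requested transaction in a text message sent to the user's mobile station over the mobile network and waits for a Y/N acknowledgement. Assumptions not in the patent: HMAC-SHA256 stands in for the unspecified encryption function, the "CRC" line of FIG. 3 is modelled as a truncated keyed MAC over the message, and the secret, account numbers, MS number and class names are all constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def response(secret: bytes, challenge: bytes) -> bytes:
    """Result of the 'encryption function' applied to a random challenge.

    The patent leaves the function unspecified; HMAC-SHA256 is an assumption here.
    """
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def check_code(secret: bytes, message: str) -> str:
    """Short check value shown on the 'CRC' line of FIG. 3.

    Assumed to be a truncated keyed MAC over the message text, so the value the
    MS shows is bound to the transaction the bank actually received.
    """
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()[:7]


@dataclass
class MobileStation:
    """The user's MS; reached over the mobile network, not over the terminal's path."""
    sim_secret: bytes                            # secret held in the SIM
    display: list = field(default_factory=list)  # texts shown to the user, newest last

    def answer_challenge(self, challenge: bytes) -> bytes:
        return response(self.sim_secret, challenge)

    def receive_text(self, text: str) -> None:
        self.display.append(text)


@dataclass
class BankingApplication:
    """Application side: holds the user's MS number and a copy of the SIM secret."""
    users: dict                                  # user id -> (MS number, secret)
    pending: dict = field(default_factory=dict)  # check code -> (user id, message)

    def authenticate(self, user_id: str, ms: MobileStation) -> bool:
        """Peer-entity authentication of FIG. 4: challenge the MS, compare the results."""
        _, secret = self.users[user_id]
        challenge = secrets.token_bytes(16)
        expected = response(secret, challenge)
        return hmac.compare_digest(expected, ms.answer_challenge(challenge))

    def request_transfer(self, user_id: str, amount: int, src: str, dst: str,
                         ms: MobileStation) -> str:
        """FIG. 5: describe the transaction received from the terminal to the MS, ask Y/N."""
        _, secret = self.users[user_id]
        message = f"Transfer {amount} FIM\nFrom: {src}\nTo: {dst}"
        code = check_code(secret, message)
        self.pending[code] = (user_id, message)
        ms.receive_text(f"CRC = {code}\n{message}\nAccept? Y/N")  # sent via the PLMN
        return code

    def confirm(self, code: str, answer: str) -> str:
        """Proceed only on an explicit Y for a pending code; otherwise do not execute."""
        if self.pending.pop(code, None) is None:
            return "Unknown transaction"
        if answer.strip().upper() != "Y":
            return "Please re-enter"           # FIG. 5, 'No' branch
        return "Proceed the transaction"       # FIG. 5, 'Yes' branch


def user_checks_display(text: str, intended_dst: str, intended_amount: int) -> str:
    """The human compares what the MS shows with what was typed at the terminal."""
    matches = f"To: {intended_dst}" in text and f"Transfer {intended_amount} FIM" in text
    return "Y" if matches else "N"


def demo() -> tuple:
    """Honest terminal first, then a terminal that rewrites the destination account."""
    sim_secret = b"constructed-16B-k"          # constructed sample, not a real SIM key
    ms = MobileStation(sim_secret)
    bank = BankingApplication(users={"alice": ("+358-40-0000000", sim_secret)})
    authenticated = bank.authenticate("alice", ms)

    # The terminal forwards the transfer unchanged: the MS display matches, user answers Y.
    code = bank.request_transfer("alice", 200, "1234-4567", "4321-7654", ms)
    honest = bank.confirm(code, user_checks_display(ms.display[-1], "4321-7654", 200))

    # A modified terminal (the risk named in the Summary) swaps the destination on the
    # way to the bank; the MS still shows the account the bank really received.
    code = bank.request_transfer("alice", 200, "1234-4567", "9999-0000", ms)
    tampered = bank.confirm(code, user_checks_display(ms.display[-1], "4321-7654", 200))
    return authenticated, honest, tampered


if __name__ == "__main__":
    print(demo())  # (True, 'Proceed the transaction', 'Please re-enter')
```

The last call in demo() reproduces the risk described in the Summary: a terminal that rewrites the destination account cannot change what the mobile station displays, so the user answers N and the bank does not proceed.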
Reference is now made to FIGS. 2 and 4, of which FIG. 2 discloses schematically one arrangement for the authentication and FIG. 4 a flow chart for the operation in accordance with one basic embodiment. The user 22 sends a request by means of the user terminal 16 to access a desired application 45, such as a banking service, through a connection established by
