DE29910700U1 - Device for performing access to a network via a terminal - Google Patents

Description

Device for providing access to a network via a terminal

The invention relates to a device that ensures access via a terminal device while guaranteeing secure management of user-specific data. Communication between the device and the terminal device preferably takes place via an air interface, which is, for example, a radio transmission with a short range.

In mobile radio networks such as GSM (Global System for Mobile Communication), GPRS (General Packet Radio Service) or UMTS (Universal Mobile Telecommunication System), where the basic idea is to support the mobility of the subscribers, a user is expected to be able to use the services of the network from any location. This requires, among other things, the identification of the subscriber with regard to the permission to use the requested service. The solution described in the GSM 03.2 0 standard proposes the introduction of a card identifying the subscriber, the so-called SIM (Subscriber Identity Module) card. The implementation of this card can be either in the form of software integrated in a terminal or in the form of removable hardware containing the relevant data and

EED98099-MAZ

1999-06-15

·

which a terminal device accesses by means of a card reader.

The solution with the separately arranged SIM card allows the subscriber to have greater independence with regard to the use of the terminal devices. This allows the subscriber to borrow and use different terminal devices that have been designed for different transmission standards. By inserting the SIM card into a borrowed terminal device, the subscriber can be identified by the network operator. This procedure also allows a network operator to determine which services the subscriber is entitled to use and how the costs incurred through the use of a network service are to be billed to the subscriber's account.

The prerequisite that must be met for this concept is the use of terminals that have a standardized interface for reading the data stored on a SIM card. However, this interface is not currently supported by every cellular system, or it deviates from the generally applicable standard. In addition, there are concepts in the development of future communication networks in which not every terminal has a card reader. For example, UMTS 23.30: "General Requirements of H2 on Iu" and UMTS 23.20: "HIPERLAN 2 UMTS Interworking" present an architecture in which a

EED98099-MAZ 1999-06-15

mobile subscriber is connected to a UMTS network via a WLAN (Wireless Local Area Network) as a broadband access network. A characteristic feature of this scenario is that the terminal does not currently have a card reader for a separately arranged card. This means that the user-specific data stored on the card is accessed via another device.

The provision of card readers is also necessary when using electronic payment services. This is particularly problematic in mobile networks where the terminals are characterized by a minimal form and therefore do not have a card reader for a credit card. In order to ensure the use of this service, it is necessary to provide a device that provides an interface for reading credit cards and at the same time provides communication with a mobile network.

The requirements expected from a network provider include the use of the same services regardless of the underlying network structure. For example, a user expects the same services to be provided regardless of whether he is connected to a fixed or a mobile network. This is particularly problematic for applications that have special requirements regarding the security aspects of

EED98099-MAZ 1999-06-15

the underlying network, as is the case, for example, with mobile electronic payments via a mobile network.

Accordingly, the object of the present invention is to create a device that provides universal access to a network. In particular, it is essential to ensure secure management of user-specific data. 10

This is achieved according to the invention by the teaching of claim 1. .

It has proven advantageous that the separately arranged personal device ensures universal access to the authorized networks. The invention eliminates the need to provide card readers in the terminal devices. This is achieved because the separately arranged personal device has a standardized interface for reading user cards, such as credit cards or SIM cards, and a terminal has access to the data via a communication connection, for example via a short-range radio connection.

For this reason, reducing the manufacturing costs of the end devices also proves to be advantageous.

EED98099-MAZ 1999-06-15

·

·

iX.fi:".

A uniform use of a created user profile in every type of network used also proves to be advantageous. In particular, this means that a user can create an individual user profile with regard to the use of network services and can integrate this into the present device so that this data can be accessed from every network, thus ensuring that a user does not have to create a separate profile for each network.

A further advantage is the increased security of network access by non-privileged persons by separating the user-identifying card from the terminal device.

A further advantageous embodiment of the invention is set out in claims 2 to 20. ■

In the following, the invention is explained in more detail using embodiments and figures.

The following figures show:

Fig.l: A schematic representation of the device Fig.2: An embodiment for access to a

mobile network
Fig.3: An example of access to a WLAN

EED98099-MAZ φφφφφ
Φ
ΦΦ·
&phgr;
Φ ·· ΦΦ
φ φ φ ·
Φ Φ Φ
φ φ φ φ φ Φ Φ
ϕ φ
ϕ ϕ
•ΦΦ Φ
ΦΦ
&phgr;
Φ ?? ΦΦΦΦ φφ φφ
• φ ? ? φ · φ
• · φ ? ? ? ?
• ? ? &phgr;&phgr;&phgr;&phgr; φφφφφ
ϕ ϕ ϕ ϕϕ
&phgr;
φφφφφ 1999-06-15 ΦΦΦ
ϕ ϕ
Φ Φ
ϕ ϕ
Φ Φ φφφφφ &phgr;&phgr;&phgr;&phgr; φφ φφ φφφφ • · ? &phgr;&phgr;&phgr;&phgr;
φ φ φ φ * ·· φφφφ φφφφ

Fig.4: Another example of access to a WLAN

In the following, the invention is explained with reference to Figure 1 and claim 1.

According to Figure 1 and claim 1, the device for realizing access to a network via a terminal device with a guarantee of secure management of user-specific data 1 consists of at least four components. A communication unit is responsible for sending, receiving and processing data that is sent to a terminal device 6 or received by a terminal device 6. The transmission of the processed data between the

The data is transmitted between the device and the terminal device via a transmission medium. The task of a management unit is to manage user-specific data, such as the user profile or the security key of a user. These security keys are used, for example, to carry out the authentication and encryption of information. These processes are implemented using appropriate algorithms, which are carried out in a control unit.

Furthermore, the device for realizing access via a terminal to a network with guarantee

EED98099-MAZ 1999-06-15

secure management of user-specific data is referred to as PSC (Personal Subscriber Companion).

In the following, the invention according to claims 2 to 20 is explained in more detail.

The communication unit 2 is responsible for receiving, sending and processing the data. The data is processed using a protocol stack integrated into the communication unit, the structure of which depends on the type of transmission medium. The processing is necessary for sending the data via the transmission medium provided. The data received from an application is divided into small data packets using a protocol stack and transferred to the transmission medium and sent to the recipient. A transmission medium provided is used to send the data. A protocol stack 0 also carries out a control with regard to error detection and error correction.

The data sent from a terminal device are received by the PSC by means of a receiving means and assembled into data packets of the higher layers of a protocol stack by means of a processing means.

The data packets sent from the PSC and the data packets received by a PSC are either

EED98099-MAZ 1999-06-15

&khgr;.&Pgr;&kgr;.&Ogr;&Ogr;

Signaling messages that are intended, for example, as an indication to carry out an action or they serve to transport informative data, i.e. data that is characterized by informative content and not a standardized form of signaling. For example, after receiving a signaling message that causes an indexing of the authentication process, this process is carried out in the PSC and the result, in this case the generated user certificate, is sent to the terminal device via the transmission medium using the transmission means integrated in the communication unit.

According to claims 14 and 15, the transmission takes place via a radio interface. This can be, for example, a so-called Bluetooth interface, the functionality of which is based on the technology of radio transmission with a short range and the exact functionality can be found at http://www.bluetooth.com/. The communication between the PSC and the terminal can, however, be based on any transmission technology; the prerequisite that must be met is a low complexity of the infrastructure that ensures the functionality of the transmission. The complexity of the protocols used is a characteristic feature of the invention, because they are decisive for the size of the devices involved in the communication, which must be kept as minimal as possible.

EED98099-MAZ 1999-06-15

The various security algorithms, such as the authentication process, are carried out in a control unit. This has a necessary logical unit and integrated software with which the algorithms are implemented. The structure of the control unit corresponds to the structure of the control unit already present in the end devices, in which the necessary algorithms are currently carried out. The invention provides for a shift of this functionality to the PSC.

The presented solution is an optional variant for the implementation of encryption, which can also be taken over by the communication unit, in particular when using a Bluetooth interface as a transmission unit.

In addition to authenticating a participant, it is intended to encrypt the information to be transmitted and decrypt the encrypted information received in the control unit. For this purpose, different security keys are required. The most commonly used method for authenticating a participant and encrypting messages is the so-called asymmetric encryption method. The implementation of this method requires the provision of two different security keys, the so-called private security key and the so-called public security key. The exact application of these keys and the detailed description of the implementation of the security algorithms is not covered by

EED98099-MAZ 1999-06-15

&igr; . *·· &tgr;* &igr;* &igr;

Significance for the present invention, so it will not be discussed in detail here. However, the decisive factor for the invention is the provision of these keys for the implementation of the algorithms in the control unit.

The provision of both the security key and other user-specific data such as an individual user profile is implemented by means of a management unit 5. The task of this unit is to manage the user-specific data. Various forms of technical implementation can be highlighted here. For example, this unit can be permanently integrated in a PSC according to claim 7, in which the implementation is carried out, for example, by means of an EPROM (Erasable Programmable Read Only Memory). This solution ensures a minimum required memory requirement and thus a minimum requirement in terms of the size of the PSC.

According to claim 8, the user-specific data can be stored on an external card. This data is accessed using a card reader integrated into the PSC. The advantage of this solution is that it is universal. A user is allowed to insert any type of card from which a network reads information, in order to increase the information content. The cards currently being considered are, for example, SIM cards or

EED98099-MAZ 1999-06-15

Credit cards. Inserting a credit card requires the provision of a PSC of the appropriate size. This solution is particularly advantageous for users who use different services. With this solution, it is no longer necessary to have different end devices or external card readers that authorize the user to use a service. This is ensured by exchanging cards in a PSC. This is particularly advantageous when using e-commerce services over a mobile network, where the use of different user cards is crucial.

According to claim 12, it is possible to choose a hybrid solution in which part of the data, for example a user profile, is firmly integrated in a PSC and another part of the data that is specifically intended for the use of a service, e.g. the credit card information, is stored in a separate unit, e.g. in a credit card.

In the following, the invention is explained in more detail using an embodiment and with reference to Figure 2.

The embodiment provides access to a GSM network via a mobile phone. The network architecture, in particular the terminal devices involved, are shown in Figure 2. User A has a PSC with which a connection is established via a transmission unit, for example Bluetooth, to a mobile phone B. From the mobile

EED98099-MAZ 1999-06-15

a· a

Yes a"

The connection from the telephone is via an air interface C to a base station D, from which the information is distributed to the corresponding units in a mobile radio network. The individual units will not be discussed in detail here.

In this scenario, a user uses a PSC as a device that allows access to a mobile radio network. This way, the terminal, in this case the mobile phone, does not have to have a built-in interface for inserting a SIM card and reading it. This is provided by the PSC. The necessary thing that must be fulfilled in the implementation is the provision of protocols, both in a PSC and in a terminal, that cause the redirection of information to the transmission unit, for example a Bluetooth connection.

Another possible embodiment of the invention is disclosed in Figure 3. In this case, a user communicates with a laptop F by means of a PSC via a Bluetooth connection. This is connected to a W-LAN G, via which the user is allowed access to another network I. The other network can be, for example, a packet-oriented network, for example a GPRS or a UMTS network.

EED98099-MAZ

1999-06-15

·

&iacgr;&iacgr;

*· * · &iacgr;; J.« ill*

According to Figure 4, access to a WLAN can be implemented in a different way, in which the PSC is understood as a logical component, i.e. the functionality of PSC is integrated in a terminal device J. In addition to its own components, the terminal device has the logical units of PSC, in particular the communication unit with which communication with a WLAN adapter is ensured via a transmission medium, for example Bluetooth.

The invention relates to any application in which a user must identify himself to a network operator via a terminal using an identifying card, or in which the network operator must identify himself to a terminal using an identifying card.

requested service must obtain information from a user card. In particular, this means that the invention is intended for any network that has external terminals with associated card readers, whether integrated or separately arranged.

EED98099-MAZ 1999-06-15

Claims (20)

1. Device (1) for realising access to a network via a terminal (6) while ensuring secure management of user-specific data, with - a communication unit (2) for sending, receiving and processing data to the terminal, and - a transmission means (3) for transmitting the processed data between the device and the terminal via an air interface, and - an administration unit (5) for managing user-specific data, and - a control unit (4) for controlling the application of the user-specific data. 2. Device according to claim 1, wherein the control unit (4) controls the execution of security algorithms. 3. Device according to claim 2, wherein the security algorithms use the security keys to authenticate a participant and encrypt the data. 4. Device according to one of claims 1 to 3, wherein the encryption is implemented in the communication unit. 5. Device according to one of claims 1 to 3, wherein the security keys for encrypting the data and a user profile belong to the user-specific data. 6. Device according to claim 5, wherein the user profile contains an application profile. 7. Device according to claim 1, wherein the management unit is integrated in the device. 8. The device of claim 1, wherein the management unit is a separate unit that is inserted into the device and accessed by means of a card reader integrated in the device. 9. Device according to claim 8, wherein the separate unit is a SIM card or a credit card. 10. Device according to claim 1, 8 or 9, in which an input unit and/or an output unit are integrated in the device, by means of which an identification of the introduced separate unit is realized. 11. Device according to claim 10, wherein the input unit is a keyboard or a fingerprint reader and the output unit is a display. 12. Device according to one of claims 1 to 11, wherein the management unit is a hybrid solution consisting of an integrated part and a separate unit. 13. Device according to claim 1, wherein the processing of the data is carried out by means of a protocol stack. 14. Apparatus according to claim 1, wherein the transmission means is a short-range radio transmission. 15. Device according to claim 14, wherein the short-range radio transmission is a Bluetooth connection. 16. Device according to claim one of the preceding claims, in which the signaling messages received from the network are forwarded to the device and the signaling messages generated in the device are sent to the network via the terminal. 17. Device according to one of claims 1 to 16, wherein the device is a separately arranged unit. 18. Device according to one of claims 1 to 16, wherein the device is integrated in a terminal. 19. Apparatus according to claim 1 and 16, wherein the network is a circuit-oriented or a packet-oriented network. 20. Device according to claim 19, wherein the circuit-oriented network is a GSM network and the packet-oriented network is a GPRS, UMTS, W-LAN or W-ATM.