
WO1999059375A2 - Service provider access method and apparatus - Google Patents


Info

Publication number
WO1999059375A2
Authority
WO
WIPO (PCT)
Prior art keywords
node
network
authentication
data
service provider
Application number
PCT/EP1999/003085
Other languages
French (fr)
Other versions
WO1999059375A3 (en)
Inventor
Jussi Antero Auvinen
Marko Johannes Toivonen
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Related application
AU39320/99A (AU3932099A)

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L 12/00 Data switching networks > H04L 12/02 Details > H04L 12/14 Charging, metering or billing arrangements for data wireline or wireless communications
    • H04L 12/1403 Architecture for metering, charging or billing
    • H04L 12/1428 Invoice generation, e.g. customization, lay-out, database processing, algorithms for calculating the bill or formatting invoices as WWW pages
    • H04L 12/1442 Charging, metering or billing arrangements at network operator level
    • H04L 12/1446 Inter-operator billing at network operator level
    • H04L 12/1453 Methods or systems for payment or settlement of the charges for data transmission involving significant interaction with the data transmission network
    • H04L 12/1482 Payment or settlement involving use of telephony infrastructure for billing for the transport of data, e.g. call detail record [CDR] or intelligent network infrastructure
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Authentication of entities
    • G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing) > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F 21/31 User authentication > G06F 21/33 User authentication using certificates

Definitions

  • If the applet's confirmation message is not received within the time frame, the DUSDB 9 logs off the subscriber terminal 8 and sends a message to this effect to the ISP 6, which terminates the subscriber terminal's access.
  • Figure 3 illustrates a network for the case in which the ISP 6 relies on an authentication node of a foreign network rather than on the subscriber's home network. Elements already discussed with reference to Figure 1 are identified with like reference numerals (the subscriber's home network is omitted in the interest of simplicity).
  • The network makes use of communication between the DUSDB 9 controlled by the home network and a second DUSDB 12.
  • The second DUSDB 12 is under the control of a foreign network, with the ISP 6 having a suitable agreement with that network such that the ISP 6 has permission to connect to and use the services of the DUSDB 12.
  • The subscriber 8 starts by logging on to the DUSDB 9 of the home network using his username and password, and receives therefrom an applet and UID.
  • The ISP 6 communicates with its own trusted DUSDB 12 and recognises that the subscriber 8 does not have an account with the ISP 6 and, moreover, that the ISP 6 does not have an appropriate service agreement with the home network 3.
  • The ISP's DUSDB 12 then contacts the home DUSDB 9 and receives therefrom all data necessary for billing the subscriber 8, including the subscriber's home telephone number (A-number).
  • The foreign network has its own IBC node 13, which receives the necessary billing information from that network's DUSDB 12.
  • The IBC 13 sends an Internet Charging Data Record (CDR) to the foreign network's billing system (not shown), which in turn forwards a note of the charges to the home network's billing system.
  • The network may include means for providing the subscriber with the opportunity to accept or reject individual charging requests made by the ISP 6. In that case the IBC 13 requests authorisation from the home network's DUSDB 9.
  • The DUSDB 9 directs this request to the subscriber terminal 8 using the previously transferred applet. If the subscriber accepts the request, an OK message is sent via the DUSDB 9 and the IBC 13 to the ISP 6.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method of providing access for a subscriber terminal (8) to services of an Internet Service Provider (ISP, 6) through the Internet (1). The terminal (8) is connected to the Internet (1) via an Internet Access Server (IAS, 7) and transmits a log-on request to a node (9) in the Internet (1). The node (9) comprises a database (11) containing authentication data relating to subscribers of a home network which controls the node (9). The terminal (8) is authenticated using the database (11) and authentication data is returned to the terminal (8). Part of the authentication data is then transmitted from the terminal (8) to the ISP (6), which in turn transmits an authentication request to the authentication node (9). The node (9) returns an authorisation to the ISP (6) and, in response, the ISP (6) allows the subscriber terminal (8) to access its services.

Description

SERVICE PROVIDER ACCESS METHOD AND APPARATUS
Field of the Invention
The present invention relates to a service provider access method and apparatus and in particular, though not necessarily, to the collection of charge data for accessing an Internet service provider via the Internet.
Background to the Invention
The conventional way for a home user of a personal computer (PC) to access the Internet is to set up a telephone call, via his telephone operator provided with a modem pool, to an Internet service provider. The service provider allocates an Internet address to the PC ("subscriber terminal") for the duration of a session and acts as a router and protocol converter for data transmitted between the Internet and the subscriber terminal.
More recently, it has been proposed to combine the functionality of the Internet service provider into certain exchanges of the telephone network. An advantage of this is that the subscriber need only receive a single bill for both telephone calls and Internet access.
Exchanges provided with this facility are accessed by subscribers dialing a predefined access number. The exchanges contain intelligence (sometimes described as an "intelligent network") which enables them to recognise that a call received to this number is an Internet access request. In response, the exchange provides a connection between the subscriber terminal (or rather "line") and the Internet via one of a number of so-called Internet Access Servers (IASs), alternatively known as Network Access Servers (NASs). An IAS acts as a multiplexer/demultiplexer between a number of low capacity subscriber lines and a high capacity trunk line connecting to the Internet. The IAS also acts as a protocol converter, converting the circuit switched protocol of the telephone network into a packet Internet protocol and vice versa. In the case of digital cellular telephone networks (e.g. the Global System for Mobile Communications), an IAS may be accessed from a mobile terminal using a special signaling protocol to set up a data channel between the IAS and the mobile terminal.
It is often the case that a subscriber connects, via the Internet, to some remote Internet Service Provider (ISP) - sometimes referred to as a "content provider" - who offers chargeable services to the subscriber, or with whom orders for products may be placed. In this case, it is possible to transmit charging information from the ISP to the IAS and through that to the billing coordinator of the access network.
This solution to the problem of providing a subscriber with a single bill covering both telephone and Internet services works satisfactorily providing that the subscriber only wishes to access the Internet via his own or "home" telephone network. More and more however, subscribers are demanding service mobility - the ability to access the Internet from various geographical locations not covered by the home network but instead where Internet access is available via some other means (e.g. the telephone network of some "foreign" operator or a local area network) . This is particularly true in the case of mobile cellular telephone subscribers who may be able to roam across national borders with a single piece of communication hardware.
In order to meet this demand for mobility and for the amalgamation of charges into a single bill, it is necessary to provide firstly for the authentication of subscribers attempting to access the ISP via a visitor telephone network, and secondly for the repatriation of charging information to the subscribers' home telephone networks.
Summary of the Invention
It is an object of the invention to overcome or at least mitigate the disadvantages of known Internet charging systems vis-à-vis the combining of telephone and Internet charging data whilst providing for subscriber mobility.
According to a first aspect of the present invention there is provided a method of providing access for a subscriber to services of a service provider through a data network, the subscriber being a subscriber of a home interface network, the method comprising the steps of: connecting a subscriber terminal to said data network; transmitting a log-on request for the subscriber terminal from the terminal to a node in the data network, said node having a data network address and comprising a database containing authentication data relating to subscribers of the home interface network which controls said node; authenticating the subscriber terminal using the data contained in said database and returning authentication data to the subscriber terminal; transmitting at least part of the authentication data from the subscriber terminal to the service provider; transmitting an authentication request from the service provider to the authentication node, and returning an authorisation to the service provider; and in response to receipt of authorisation from the authentication node, allowing the subscriber terminal to access services of the service provider via the data network.
As the node comprising the authentication database is controlled by the home network, the node can be trusted to provide secure authentication data to the interrogating service provider.
Embodiments of the present invention enable the authentication of a subscriber terminal connected to the data network and hence the confirmation of the right of the service provider to charge the subscriber terminal for the right to access its services. Charging information may then be repatriated to the subscriber terminal's home network, where it may be incorporated into a single charging system maintained by the home network.
Preferably, the data network is the Internet and said node is an Internet node having an Internet Protocol (IP) address, reachable e.g. via a Uniform Resource Locator (URL). More preferably, the home network comprises a telecommunication network, such as a Public Switched Telephone Network (PSTN) having an Internet access server or a modem pool. Alternatively, the telecommunication network may be a cellular radio telephone network having a direct access gateway. The subscriber terminal may be connected to the data network via a visitor network comprising a PSTN and an access server or modem pool, similar to the home network. Alternatively, connection to the data network may be through a local area network and an Internet access server.
The database of the authentication node may contain the home number of the subscriber (A-number), together with a username and a password. Said log-on request then contains the username and password, which are verified by the node, together with a network address allocated to the subscriber terminal in the data network.
The authentication data returned to the subscriber terminal preferably comprises an access computer program and a user identification (UID). This computer program may be in the form of an applet which causes the subscriber terminal to transmit, at regular intervals, a confirmation message to the authentication node. At least the UID is then transmitted from the subscriber terminal to the service provider. The service provider polls the network node, using the terminal's network address and UID, to confirm the continued authorisation of the terminal.
In an embodiment of the invention, the home network has control of a second node in the data network, which node also has an address in that network and acts as a collector of charging information for the service provider. More preferably, the authentication node records charging data for the subscriber terminal and subsequently transfers this to the charging node.
In an alternative embodiment of the invention, the service provider has permission to access a second authentication node controlled by said visitor network or another "foreign" network. The method comprises the further step of transmitting an authentication request on behalf of the subscriber terminal to the second authentication node. When the "home" node has verified that the terminal is a subscriber of said home network, the second authentication node communicates with the home authentication node, both to authenticate the subscriber terminal and to receive subscriber identity data, e.g. the subscriber's telephone number (A-number). The second authentication node then transfers charging data to a charging node of the service provider. The charging node of the service provider can then forward charging information to the charging node of the home network.
Individual charging requests may be made from the charging node of the service provider to the authentication node of the home network. These requests may then be referred by the authentication node of the home network to the subscriber terminal for approval or rejection. The decision of the subscriber terminal is then transferred back to the service provider's charging node via the home network's authentication node.
According to a second aspect of the present invention there is provided apparatus for providing access for a subscriber to services of a service provider through a data network, the subscriber being a subscriber of a home interface network, the apparatus comprising: connection means for connecting a subscriber terminal to a data network; a data network node having a data network address and comprising a database containing authentication data relating to subscribers of the home interface network which controls said node; first transmission means for transmitting a log-on request for the subscriber terminal from the terminal to said node; means for authenticating the subscriber terminal using the data contained in said database and for returning authentication data to the subscriber terminal; second transmission means for transmitting at least part of the authentication data from the subscriber terminal to the service provider; third transmission means for transmitting an authentication request from the service provider to the authentication node, and returning an authorisation to the service provider; and processing means arranged, in response to receipt of authorisation from the authentication node, to allow the subscriber terminal to access services of the service provider via the data network.
Brief Description of the Drawings
For a better understanding of the present invention and in order to show how the same may be carried into effect reference will now be made, by way of example, to the accompanying drawings, in which:
Figure 1 shows schematically an Internet access network;
Figure 2 is a flow diagram illustrating the method of operation of the network of Figure 1; and
Figure 3 shows schematically a first modification to the network of Figure 1.
Detailed Description of Embodiments
With reference to Figure 1, there is illustrated an Internet access network in which the Internet is identified by the reference numeral 1. Point-to-point connections (i.e. logical connections) made via the Internet 1 are identified by dashed lines, whilst physical connections are identified by solid lines. A terminal (e.g. a personal computer) 2 is a subscriber of a public switched telephone network (PSTN) 3 and is connected thereto by a modem (not shown) and a subscriber line. This PSTN 3 is referred to hereinafter as the "home" network of the subscriber terminal 2. By calling a predefined access number (B-number) the subscriber terminal 2 is able to gain access to the Internet 1 through an Internet access server (IAS) 5 operated by the operator of the PSTN 3. The IAS 5 provides appropriate protocol conversion (i.e. between circuit-switched and packet-switched data transmission) for data transfer between the Internet 1 and the subscriber terminal 2.
As Internet communications for the subscriber terminal 2 are handled by the home network's own IAS 5, the home network is able to combine charges made for the Internet access with normal telephone charges. The operator is therefore able to issue the subscriber with a single bill covering both services. Furthermore, if the subscriber terminal 2 accesses a remote Internet Service Provider (ISP) 6 which levies a charge for the service provided, charging information may be returned to the home network 3 for incorporation into this same bill.
Consider now the situation where the subscriber connects to the Internet via an IAS 7 of a local area network (LAN, not shown in Figure 1) and not through his home network. This situation is illustrated in Figure 1, where the subscriber terminal is indicated by the reference numeral 8. Before the subscriber terminal can gain access to the ISP 6, an authentication and authorisation procedure must be completed. This makes use of a first Internet node 9, termed a Datanet User Service DataBase (DUSDB), and a second Internet node 10, termed an Internet Billing Coordinator (IBC). Both of these nodes 9, 10 have respective IP addresses assigned to them, so that they represent end-points for data packets tunneled via the Internet. The DUSDB 9 is addressed by a Uniform Resource Locator (URL) that resolves to its IP address.
The DUSDB 9 is provided with a database 11 containing the following tables (further explanation of the table fields is given below):
1. Subscriber telephone numbers in the home network (A-number), a username, and a user password. This information is used for subscriber authentication.
2. Connection start time, connection disconnect time, disconnect method, username, random part of UID, originating IP address. This table is used to store log data from subscriber login and logout sessions.
3. Connection start time, username, UID, originating IP address, latest verification time. This table is used to enhance system performance. It is used to store information after login and before logout. Upon logout, the information is transferred to table 2 and missing fields are inserted there. The latest verification time is the time that the most recent verification was received from the user applet.
4. ISP IP address, request time, UID. This table contains information on every query made by an ISP to the DUSDB.
The DUSDB 9 and the IBC 10 are both under the control of the home network 3 and can therefore be considered as secure.
In the procedure to be described below, communications between the ISP 6, the DUSDB 9, and the IBC 10 require that the identity of the transmitting and receiving entity be confirmed. This is achieved using an authentication protocol such as Radius. Communications made using this protocol are indicated in Figure 1 by the symbol Δ. Other communications over the Internet can be made using the https protocol, indicated in Figure 1 by the symbol Φ.
The first stage in granting the subscriber terminal 8 access to the ISP 6 involves the subscriber terminal 8 logging on to the DUSDB 9. This requires the subscriber terminal to request from the IAS 7 an Internet protocol (IP) address. Logging on is achieved in a similar manner to that used for gaining Internet access to bank services. The user first enters the URL of the DUSDB 9 and then sends to the DUSDB 9 the terminal's username and (changing) password. When the DUSDB 9 has confirmed the identity of the subscriber, the DUSDB 9 sends an applet to the subscriber terminal 8, together with a user identification (UID). The applet is installed in the subscriber terminal 8 and causes the terminal to send a confirmation message to the DUSDB 9 at regular intervals, e.g. every one minute. If this message is not received by the DUSDB 9 within a certain time frame, the user is logged off from the DUSDB 9. For a general introduction to applets, see for example "Java in a Nutshell", David Flanagan, 2nd Ed, Chapter 6 (ISBN 1-56592-262-X). When the subscriber terminal 8 has successfully logged on to the DUSDB 9, the terminal makes an https connection to the ISP 6. The ISP 6 then contacts the DUSDB 9, using the terminal's IP address and UID, to confirm whether or not the subscriber terminal 8 is logged on to the DUSDB 9. A confirmation message is returned to the ISP 6 by the DUSDB 9, and the ISP grants access to the terminal 8.
In the event that the applet-generated message is not sent to the DUSDB 9 within the required time frame, the DUSDB logs off the subscriber terminal 8 and sends a message to this effect to the ISP 6, which terminates the subscriber terminal's access.
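The log-on, applet heartbeat and ISP verification steps described above, together with tables 1 to 4, modelled as an added Python example. This is not code from the patent or from Ericsson; it is an in-memory sketch of what the DUSDB node would do. Assumptions not stated on the page: a grace period of 150 seconds before a silent terminal is logged off, a UID formed as the username plus a random part, and a check that a UID is only honoured from the IP address it was issued to (the page says the ISP queries with "the terminal's IP address and UID", which is the property this check enforces). The Radius and https transports are omitted; only the node's decisions are shown.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The applet confirms every minute (page: "e.g. every one minute"); the grace period
# after which a silent terminal is logged off is an assumption of this example.
HEARTBEAT_GRACE = 150.0

@dataclass
class ActiveSession:        # table 3: live sessions, consulted on every ISP query
    start_time: float
    username: str
    uid: str
    origin_ip: str
    latest_verification: float

@dataclass
class SessionLog:           # table 2: completed from table 3 when the session ends
    start_time: float
    end_time: float
    disconnect_method: str  # "logout" (user) or "timeout" (missed confirmations)
    username: str
    uid_random_part: str
    origin_ip: str

@dataclass
class IspQuery:             # table 4: every verification request an ISP makes
    isp_ip: str
    request_time: float
    uid: str

class DUSDB:
    def __init__(self, subscribers: Dict[str, Tuple[str, str]]):
        # table 1: username -> (A-number, password).  The page stores the password
        # itself; a deployment would store a hash or the seed of the changing password.
        self.subscribers = subscribers
        self.active: Dict[str, ActiveSession] = {}   # keyed by UID
        self.history: List[SessionLog] = []
        self.queries: List[IspQuery] = []

    def login(self, username: str, password: str, origin_ip: str, now: float) -> Optional[str]:
        rec = self.subscribers.get(username)
        if rec is None or not secrets.compare_digest(rec[1], password):
            return None
        # UID = username plus an unguessable random part; table 2 keeps only the random part
        uid = f"{username}:{secrets.token_hex(8)}"
        self.active[uid] = ActiveSession(now, username, uid, origin_ip, now)
        return uid

    def heartbeat(self, uid: str, origin_ip: str, now: float) -> bool:
        """Confirmation from the applet.  A UID presented from another address is ignored."""
        s = self.active.get(uid)
        if s is None or s.origin_ip != origin_ip:
            return False
        s.latest_verification = now
        return True

    def _close(self, uid: str, now: float, method: str) -> None:
        s = self.active.pop(uid)
        self.history.append(SessionLog(s.start_time, now, method, s.username,
                                       s.uid.split(":", 1)[1], s.origin_ip))

    def logout(self, uid: str, now: float) -> None:
        if uid in self.active:
            self._close(uid, now, "logout")

    def expire(self, now: float) -> List[str]:
        """Log off terminals whose applet has gone quiet; the UIDs returned are the
        ones whose ISPs must be told to terminate access."""
        dead = [u for u, s in self.active.items()
                if now - s.latest_verification > HEARTBEAT_GRACE]
        for u in dead:
            self._close(u, now, "timeout")
        return dead

    def isp_verify(self, isp_ip: str, terminal_ip: str, uid: str, now: float) -> bool:
        """ISP asks whether this UID is logged on from this IP; every query is recorded."""
        self.queries.append(IspQuery(isp_ip, now, uid))
        self.expire(now)
        s = self.active.get(uid)
        return s is not None and s.origin_ip == terminal_ip

def run_scenario() -> dict:
    """Constructed walk-through: log-on, ISP check, replay from another IP, heartbeats, timeout."""
    db = DUSDB({"alice": ("+358401234567", "otp-4711")})    # constructed subscriber record
    t0 = 1000.0
    uid = db.login("alice", "otp-4711", "10.0.0.8", t0)
    bad = db.login("alice", "wrong-otp", "10.0.0.8", t0)
    granted = db.isp_verify("203.0.113.6", "10.0.0.8", uid, t0 + 5)
    replay = db.isp_verify("203.0.113.6", "10.0.0.99", uid, t0 + 6)   # right UID, wrong address
    db.heartbeat(uid, "10.0.0.8", t0 + 60)
    db.heartbeat(uid, "10.0.0.8", t0 + 120)
    still = db.isp_verify("203.0.113.6", "10.0.0.8", uid, t0 + 200)   # 80 s quiet: inside grace
    after = db.isp_verify("203.0.113.6", "10.0.0.8", uid, t0 + 300)   # 180 s quiet: logged off
    return {"uid": uid, "bad": bad, "granted": granted, "replay": replay, "still": still,
            "after": after, "history": db.history, "queries": len(db.queries)}
```

The point of the table 4 log and the `expire` return value is operational: the ISP's query trail is what an operator audits when a UID is presented from an unexpected address, and the list of expired UIDs is what drives the "logged off" notification to the ISP that the next paragraph describes.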
The operation of the network of Figure 1 is illustrated by the flow chart of Figure 2.
The solution to providing a single bill for telephone and ISP access of Figure 1 works satisfactorily providing that the ISP 6 has an appropriate agreement with the subscriber's home network 3. If this is not the case, then means must be provided for enabling the operator of the ISP 6 to collect charging information, including subscriber identity information, so that the operator can bill the home network 3 for services used. The home network 3 may then pass on the charges to the subscriber using its own charging system.
A network for achieving this solution is illustrated schematically in Figure 3, where elements already discussed with reference to Figure 1 are identified with like reference numerals (the subscriber's home network is omitted in the interest of simplicity) . The network makes use of communication between the DUSDB 9 controlled by the home network and a second DUSDB 12. The second DUSDB 12 is under the control of a foreign network, with the ISP 6 having a suitable agreement with that network such that the ISP 6 has permission to connect to and use the services of the DUSDB 12.
As described with reference to Figures 1 and 2, the subscriber 8 starts by logging on to the DUSDB 9 of the home network using his username and password, and receives therefrom an applet and UID. When the subscriber 8 subsequently requests access to the ISP 6, the ISP 6 communicates with its own trusted DUSDB 12 and recognises that the subscriber 8 does not have an account with the ISP 6 and moreover that the ISP 6 does not have an appropriate service agreement with the home network 3. The ISP DUSDB 12 then contacts the home DUSDB 9 and receives therefrom all data necessary for billing the subscriber 8, including the subscriber's home telephone number (A-number).
The foreign network has its own IBC node 13, which receives the necessary billing information from the network's DUSDB 12. When the subscriber's connection is terminated, the IBC 13 sends an Internet Charging Data Record (CDR) to the foreign network's billing system (not shown) which in turn forwards a note of the charges to the home network's billing system.
It will be appreciated by the person of skill in the art that modifications may be made to the above-described embodiments without departing from the scope of the present invention. For example, the network may include means for providing the subscriber with the opportunity to accept or reject individual charging requests made by the ISP 6. For each CDR generated by the IBC 13 in response to one or more charging information packets received by it from the ISP 6, the IBC 13 requests authorisation from the home network's DUSDB 9. The DUSDB 9 directs this request to the subscriber terminal 8 using the previously transferred applet. If the subscriber accepts the request, then an OK message is sent via the DUSDB 9 and the IBC 13 to the ISP 6.
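The cross-network flow of Figure 3 (foreign DUSDB 12 fetching billing data from the home DUSDB 9, IBC 13 producing a CDR) and the per-CDR subscriber approval described just above, as an added Python example that is not code from the patent or from Ericsson. The page only says that node-to-node messages must confirm both parties' identity "using an authentication protocol such as Radius"; this example stands in for that with an HMAC-SHA256 tag under a pre-shared secret, which is an assumption, as are the node names `HomeDUSDB`, `ForeignDUSDB` and `ForeignIBC`, the `applet_decision` callback that plays the subscriber's accept/reject prompt, and all sample identifiers and amounts.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

def sign(secret: bytes, payload: dict) -> dict:
    """Tag a node-to-node message with HMAC-SHA256 over its canonical JSON.  Assumed
    stand-in for the shared-secret (Radius-style) authentication the page requires."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "tag": hmac.new(secret, body, hashlib.sha256).hexdigest()}

def verify(secret: bytes, msg: Optional[dict]) -> Optional[dict]:
    """Return the payload only if its tag was produced with our shared secret."""
    if msg is None:
        return None
    body = json.dumps(msg["payload"], sort_keys=True).encode()
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return msg["payload"] if hmac.compare_digest(expected, msg["tag"]) else None

@dataclass
class CDR:                  # Internet Charging Data Record emitted when a connection ends
    uid: str
    a_number: str
    isp: str
    amount: float
    approved: bool

class HomeDUSDB:
    """DUSDB 9: knows which subscribers are logged on and can reach each terminal's applet."""
    def __init__(self, secret: bytes, sessions: Dict[str, str],
                 applet_decision: Callable[[str, float], bool]):
        self.secret = secret
        self.sessions = sessions                  # uid -> A-number of a logged-on subscriber
        self.applet_decision = applet_decision    # constructed stand-in for the applet prompt

    def billing_data(self, msg: dict) -> Optional[dict]:
        req = verify(self.secret, msg)
        if req is None or req["uid"] not in self.sessions:
            return None
        return sign(self.secret, {"uid": req["uid"], "a_number": self.sessions[req["uid"]]})

    def authorise_charge(self, msg: dict) -> Optional[dict]:
        req = verify(self.secret, msg)
        if req is None or req["uid"] not in self.sessions:
            return None
        return sign(self.secret, {"uid": req["uid"],
                                  "ok": self.applet_decision(req["uid"], req["amount"])})

class ForeignDUSDB:
    """DUSDB 12: trusted by the ISP; asks the home DUSDB about subscribers it does not hold."""
    def __init__(self, secret: bytes, home: HomeDUSDB, local_accounts: Dict[str, str]):
        self.secret, self.home, self.local_accounts = secret, home, local_accounts

    def resolve(self, uid: str) -> Optional[str]:
        if uid in self.local_accounts:
            return self.local_accounts[uid]
        reply = verify(self.secret, self.home.billing_data(sign(self.secret, {"uid": uid})))
        return reply["a_number"] if reply else None

class ForeignIBC:
    """IBC 13: collects the ISP's charging packets, emits one CDR per connection, and has
    each CDR accepted or rejected by the subscriber through the home DUSDB."""
    def __init__(self, secret: bytes, home: HomeDUSDB):
        self.secret, self.home = secret, home
        self.packets: Dict[str, List[float]] = {}
        self.cdrs: List[CDR] = []

    def charging_packet(self, uid: str, amount: float) -> None:
        self.packets.setdefault(uid, []).append(amount)

    def connection_terminated(self, uid: str, a_number: str, isp: str) -> CDR:
        amount = sum(self.packets.pop(uid, []))
        reply = verify(self.secret, self.home.authorise_charge(
            sign(self.secret, {"uid": uid, "amount": amount})))
        cdr = CDR(uid, a_number, isp, amount, bool(reply and reply["ok"]))
        self.cdrs.append(cdr)
        return cdr

def run_scenario() -> dict:
    """Constructed walk-through of a roaming subscriber billed through the foreign network."""
    secret = b"constructed-shared-secret"        # assumed: pre-shared between the nodes
    home = HomeDUSDB(secret, {"alice:9f3c": "+358401234567"},
                     lambda uid, amount: amount <= 5.0)   # applet accepts small charges only
    foreign = ForeignDUSDB(secret, home, {"bob:77aa": "+4930123456"})
    ibc = ForeignIBC(secret, home)
    roaming = foreign.resolve("alice:9f3c")     # not local: fetched from DUSDB 9
    local = foreign.resolve("bob:77aa")
    unknown = foreign.resolve("mallory:0000")   # logged on nowhere: no billing data
    ibc.charging_packet("alice:9f3c", 1.5)
    ibc.charging_packet("alice:9f3c", 2.0)
    small = ibc.connection_terminated("alice:9f3c", roaming, "isp6")
    ibc.charging_packet("alice:9f3c", 9.0)
    large = ibc.connection_terminated("alice:9f3c", roaming, "isp6")
    forged = home.billing_data(sign(b"not-the-secret", {"uid": "alice:9f3c"}))
    return {"roaming": roaming, "local": local, "unknown": unknown,
            "small": small, "large": large, "forged": forged}
```

Two things the example makes visible that the prose leaves implicit: the home DUSDB releases an A-number only for a UID that is currently logged on, so a stale or guessed UID yields nothing, and a request carrying the wrong shared secret is dropped before any lookup happens, which is the property the "identity of the transmitting and receiving entity" requirement exists to provide.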

Claims
1. A method of providing access for a subscriber to services of a service provider through a data network, the subscriber being a subscriber of a home interface network, the method comprising the steps of: connecting a subscriber terminal to said data network; transmitting a log-on request for the subscriber terminal from the terminal to a node in the data network, said node having a data network address and comprising a database containing authentication data relating to subscribers of the home interface network which controls said node; authenticating the subscriber terminal using the data contained in said database and returning authentication data to the subscriber terminal; transmitting at least part of the authentication data from the subscriber terminal to the service provider; transmitting an authentication request from the service provider to the authentication node, and returning an authorisation to the service provider; and in response to receipt of authorisation from the authentication node, allowing the subscriber terminal to access services of the service provider via the data network.
2. A method according to claim 1, wherein the data network is the Internet and said node is an Internet node having a Universal Resource Locator (URL) address.
3. A method according to claim 2, wherein the home network comprises a telecommunication network, such as a Public Switched Telephone Network (PSTN) having an Internet access server or a modem pool.
4. A method according to any one of the preceding claims and comprising connecting the subscriber terminal to the data network via a visitor network comprising a PSTN and an access server or modem pool.
5. A method according to any one of claims 1 to 3 and comprising connecting the subscriber terminal to the data network via a local area network and an Internet access server.
6. A method according to any one of the preceding claims, wherein said database of the authentication node contains the address of the subscriber in the home network, together with a Username and a password, and said log-on request contains the Username and password which are verified by the node, together with a network address allocated to the subscriber terminal in the data network.
7. A method according to any one of the preceding claims, wherein the authentication data returned to the subscriber terminal comprises an access computer program and a user identification (UID), and at least the UID is then transmitted from the subscriber terminal to the service provider.
8. A method according to claim 7, wherein the service provider polls the network node, using the terminal's network address and UID to confirm the continued authorisation of the terminal.
9. A method according to any one of the preceding claims, wherein the home network has control of a second node in the data network, which node also has an address in that network and acts as a collector of charging information for the service provider.
10. A method according to claim 9 and comprising recording at the authentication node charging data for the subscriber terminal, and subsequently transferring this data to the charging node.
11. A method according to any one of claims 1 to 8, wherein the service provider has permission to use the services of a second authentication node controlled by a foreign network, and the method comprises the steps of: transmitting an authentication request on behalf of the subscriber terminal to the second authentication node; when the second node has verified that the terminal is a subscriber of said home network, communicating between the second authentication node and the authentication node of the home network, to both authenticate the subscriber terminal and to receive subscriber identity data; transferring charging data to a charging node accessible to the service provider from the second authentication node; and forwarding charging information to the charging node of the home network from the charging node of the service provider.
12. A method according to claim 11 and comprising: forwarding individual charging requests from the charging node of the service provider to the authentication node of the home network; referring these requests to the subscriber terminal for approval or rejection; and transmitting the decision of the subscriber terminal back to the service provider's charging node via the home network's authentication node.
13. Apparatus for providing access for a subscriber to services of a service provider through a data network, the subscriber being a subscriber of a home interface network, the apparatus comprising: connection means for connecting a subscriber terminal to a data network; a data network node having a data network address and comprising a database containing authentication data relating to subscribers of the home interface network which controls said node; first transmission means for transmitting a log-on request for the subscriber terminal from the terminal to said node; means for authenticating the subscriber terminal using the data contained in said database and for returning authentication data to the subscriber terminal; second transmission means for transmitting at least part of the authentication data from the subscriber terminal to the service provider; third transmission means for transmitting an authentication request from the service provider to the authentication node, and returning an authorisation to the service provider; and processing means arranged, in response to receipt of authorisation from the authentication node, to allow the subscriber terminal to access services of the service provider via the data network.
PCT/EP1999/003085 1998-05-08 1999-05-05 Service provider access method and apparatus WO1999059375A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU39320/99A AU3932099A (en) 1998-05-08 1999-05-05 Service provider access method and apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI981028 1998-05-08
FI981028A FI981028L (en) 1998-05-08 1998-05-08 Service provider access method and device

Publications (2)

Publication Number Publication Date
WO1999059375A2 true WO1999059375A2 (en) 1999-11-18
WO1999059375A3 WO1999059375A3 (en) 1999-12-29

Family

ID=8551684

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP1999/003085 WO1999059375A2 (en) 1998-05-08 1999-05-05 Service provider access method and apparatus

Country Status (3)

Country Link
AU (1) AU3932099A (en)
FI (1) FI981028L (en)
WO (1) WO1999059375A2 (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000068862A1 (en) * 1999-05-06 2000-11-16 Sharinga Networks Inc. A communications network access method and system
WO2002035788A1 (en) * 2000-10-25 2002-05-02 Nokia Corporation Logical access server comprising access cards which enable service providers to supervise communication operators equipment
WO2003030464A1 (en) * 2001-09-29 2003-04-10 Huawei Technologies Co., Ltd. A method for pc client security authentication
AU768416B2 (en) * 1999-05-06 2003-12-11 Customer Management Strategies And Systems Pty Ltd A communications network access method and system
EP1379982A1 (en) * 2001-03-02 2004-01-14 Billtobill Limited Internet billing system
EP1383277A1 (en) * 2002-07-19 2004-01-21 Koninklijke KPN N.V. Method and system for controlled online access from a terminal user to a content service
DE102004038588A1 (en) * 2004-08-06 2006-03-16 Deutsche Telekom Ag A method for providing services of different service providers and a central, computer-based platform for carrying out such a method
EP1655888A1 (en) * 2004-11-06 2006-05-10 TECON Technologies AG Method and system for identification of a subscriber and of the subscriber line for VoIP connections
CN1313929C (en) * 2003-07-31 2007-05-02 国际商业机器公司 Method and apparatus for affirming and arranging in order the resource mapping to geology
US8359289B1 (en) 1999-05-12 2013-01-22 Sydney Gordon Low Message processing system
US8560666B2 (en) 2001-07-23 2013-10-15 Hitwise Pty Ltd. Link usage
US9767309B1 (en) 2015-11-23 2017-09-19 Experian Information Solutions, Inc. Access control system for implementing access restrictions of regulated database records while identifying and providing indicators of regulated database records matching validation criteria
US10678894B2 (en) 2016-08-24 2020-06-09 Experian Information Solutions, Inc. Disambiguation and authentication of device users
US10810605B2 (en) 2004-06-30 2020-10-20 Experian Marketing Solutions, Llc System, method, software and data structure for independent prediction of attitudinal and message responsiveness, and preferences for communication media, channel, timing, frequency, and sequences of communications, using an integrated data repository
US11257117B1 (en) 2014-06-25 2022-02-22 Experian Information Solutions, Inc. Mobile device sighting location analytics and profiling system
US11682041B1 (en) 2020-01-13 2023-06-20 Experian Marketing Solutions, Llc Systems and methods of a tracking analytics platform

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8639920B2 (en) 2009-05-11 2014-01-28 Experian Marketing Solutions, Inc. Systems and methods for providing anonymized user profile data

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0695985A1 (en) * 1994-07-18 1996-02-07 Microsoft Corporation Logon certificates
WO1996042041A2 (en) * 1995-06-07 1996-12-27 Open Market, Inc. Internet server access control and monitoring systems

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
STAINOV R: "DATENSICHERHEIT IM INTERNET: PRINZIPIEN, MOEGLICHKEITEN UND GRENZEN" NTZ NACHRICHTENTECHNISCHE ZEITSCHRIFT, vol. 49, no. 8, 1 January 1996 (1996-01-01), pages 32-34, 36-38, XP000623476 ISSN: 0027-707X *

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU768416B2 (en) * 1999-05-06 2003-12-11 Customer Management Strategies And Systems Pty Ltd A communications network access method and system
WO2000068862A1 (en) * 1999-05-06 2000-11-16 Sharinga Networks Inc. A communications network access method and system
US9407588B2 (en) 1999-05-12 2016-08-02 Iii Holdings 1, Llc Message processing system
US9124542B2 (en) 1999-05-12 2015-09-01 Iii Holdings 1, Llc Message processing system
US8359289B1 (en) 1999-05-12 2013-01-22 Sydney Gordon Low Message processing system
WO2002035788A1 (en) * 2000-10-25 2002-05-02 Nokia Corporation Logical access server comprising access cards which enable service providers to supervise communication operators equipment
EP1379982A1 (en) * 2001-03-02 2004-01-14 Billtobill Limited Internet billing system
EP1379982A4 (en) * 2001-03-02 2004-08-25 Billtobill Ltd Internet billing system
US8560666B2 (en) 2001-07-23 2013-10-15 Hitwise Pty Ltd. Link usage
US9331918B2 (en) 2001-07-23 2016-05-03 Connexity, Inc. Link usage
US7418727B2 (en) 2001-09-29 2008-08-26 Huawei Technologies Co., Ltd Method for PC client security authentication
WO2003030464A1 (en) * 2001-09-29 2003-04-10 Huawei Technologies Co., Ltd. A method for pc client security authentication
EP1383277A1 (en) * 2002-07-19 2004-01-21 Koninklijke KPN N.V. Method and system for controlled online access from a terminal user to a content service
CN1313929C (en) * 2003-07-31 2007-05-02 国际商业机器公司 Method and apparatus for affirming and arranging in order the resource mapping to geology
US10810605B2 (en) 2004-06-30 2020-10-20 Experian Marketing Solutions, Llc System, method, software and data structure for independent prediction of attitudinal and message responsiveness, and preferences for communication media, channel, timing, frequency, and sequences of communications, using an integrated data repository
US11657411B1 (en) 2004-06-30 2023-05-23 Experian Marketing Solutions, Llc System, method, software and data structure for independent prediction of attitudinal and message responsiveness, and preferences for communication media, channel, timing, frequency, and sequences of communications, using an integrated data repository
DE102004038588A1 (en) * 2004-08-06 2006-03-16 Deutsche Telekom Ag A method for providing services of different service providers and a central, computer-based platform for carrying out such a method
WO2006048317A2 (en) * 2004-11-06 2006-05-11 Tecon Technologies Ag Method and system for identifying a subscriber and a connection used for voip connection
EP1655888A1 (en) * 2004-11-06 2006-05-10 TECON Technologies AG Method and system for identification of a subscriber and of the subscriber line for VoIP connections
WO2006048317A3 (en) * 2004-11-06 2006-07-13 Tecon Technologies Ag Method and system for identifying a subscriber and a connection used for voip connection
US11257117B1 (en) 2014-06-25 2022-02-22 Experian Information Solutions, Inc. Mobile device sighting location analytics and profiling system
US11620677B1 (en) 2014-06-25 2023-04-04 Experian Information Solutions, Inc. Mobile device sighting location analytics and profiling system
US10685133B1 (en) 2015-11-23 2020-06-16 Experian Information Solutions, Inc. Access control system for implementing access restrictions of regulated database records while identifying and providing indicators of regulated database records matching validation criteria
US10019593B1 (en) 2015-11-23 2018-07-10 Experian Information Solutions, Inc. Access control system for implementing access restrictions of regulated database records while identifying and providing indicators of regulated database records matching validation criteria
US9767309B1 (en) 2015-11-23 2017-09-19 Experian Information Solutions, Inc. Access control system for implementing access restrictions of regulated database records while identifying and providing indicators of regulated database records matching validation criteria
US11748503B1 (en) 2015-11-23 2023-09-05 Experian Information Solutions, Inc. Access control system for implementing access restrictions of regulated database records while identifying and providing indicators of regulated database records matching validation criteria
US10678894B2 (en) 2016-08-24 2020-06-09 Experian Information Solutions, Inc. Disambiguation and authentication of device users
US11550886B2 (en) 2016-08-24 2023-01-10 Experian Information Solutions, Inc. Disambiguation and authentication of device users
US11682041B1 (en) 2020-01-13 2023-06-20 Experian Marketing Solutions, Llc Systems and methods of a tracking analytics platform
US12175496B1 (en) 2020-01-13 2024-12-24 Experian Marketing Solutions, Llc Systems and methods of a tracking analytics platform

Also Published As

Publication number Publication date
WO1999059375A3 (en) 1999-12-29
FI981028L (en) 1999-11-09
FI981028A0 (en) 1998-05-08
AU3932099A (en) 1999-11-29

Similar Documents

Publication Publication Date Title
EP1492296B1 (en) Apparatus and method for a single a sign-on authentication through a non-trusted access network
WO1999059375A2 (en) Service provider access method and apparatus
US6553022B2 (en) Method and apparatus for providing a connection to a data network
EP2039110B1 (en) Method and system for controlling access to networks
US7624429B2 (en) Method, a network access server, an authentication-authorization-and-accounting server, and a computer software product for proxying user authentication-authorization-and-accounting messages via a network access server
US20040248547A1 (en) Integration of billing between cellular and wlan networks
CN1607768A (en) Pay-per-connection scheme for wireless access to internet
CN104662873A (en) Reducing core network traffic caused by migrant
CN100574498C (en) Call processing method in the personal communication system and equipment
WO2007072121A1 (en) Facilitating integrated web and telecommunication services with collaborating web and telecommunication clients
US6662005B1 (en) Data access in a telephone system
DK1825648T3 (en) Procedure for Accessing a WLAN Network for IP Mobile Phone with CPR Authentication
WO2009122915A1 (en) Communication system and communication method
WO2000044130A1 (en) A method, system and arrangement for providing services on the internet
US7409704B1 (en) System and method for local policy enforcement for internet service providers
EP1961149B1 (en) Method for securely associating data with http and https sessions
US20060111087A1 (en) Generation of service agreements for the use of network internal functions in telecommnication networks
EP1084556B1 (en) Data network access
JP2001237892A (en) Internet access system and method using access server
JP2004193735A (en) Communication system using gateway registration server, server, gateway, communication method, program, and recording medium
Janevski et al. Design of Wireless LAN Applicative Solution for Internetworking with Public Land Mobile Networks

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

AK Designated states

Kind code of ref document: A3

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

NENP Non-entry into the national phase

Ref country code: KR

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: CA