
WO2001027709A2 - Commande d'acces a un service - Google Patents


Info

Publication number
WO2001027709A2
Authority
WO
WIPO (PCT)
Prior art keywords
server
user
service
terminal device
telecommunication network
Application number
PCT/FI2000/000875
Other languages
English (en)
Other versions
WO2001027709A8 (fr)
WO2001027709A3 (fr)
Inventor
Ismo Heikkonen
Kimmo PITKÄNEN
Original Assignee
Sonera Oyj
Application filed by Sonera Oyj
Priority to AU77930/00A (AU7793000A)
Priority to EP00967941A (EP1248971A2)
Publication of WO2001027709A2
Publication of WO2001027709A3
Publication of WO2001027709A8

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer

Definitions

  • the invention relates to telecommunication systems.
  • the invention relates to a method and a system for the access control of a network service in a telecommunication system comprising a telecommunication network, a first server with a service arranged on it and which server has been connected to the telecommunication network; a terminal device by means of which the user has been connected to the telecommunication network; a directory which has been connected to the telecommunication network and which comprises information of the user's rights in the telecommunication network; and a control component which has been arranged on the first server.
  • a connection is established between the terminal device and the server, and the user is identified by means of a certificate, while the terminal device is establishing a connection with the first server.
  • the virtual private network (VPN, Virtual Private Network) is becoming common in solutions in which an advantageously implemented network is used that is protected from those not concerned.
  • the internet may be used for transmitting information, and this enables the remote use of a protected intranet used by a company, i.e. the extranet.
  • the extranet is used to mean a data network between companies which uses the internet as a means of data transfer and which enables one to combine the intranets of the companies involved.
  • IPSec: Internet Protocol Security
  • the IPSec standard defines protection procedures in IP based data transfer (IP, Internet Protocol).
  • IPSec enables access control, integrity of the information, authentication and reliability. All the services are available on the IP level, in which case the protection is available for IP and/or the protocols of an upper level.
  • the management of the virtual private networks hereinafter referred to as IPSec networks, has usually been centralized. In that case, a distributed management between the operator and, e.g. a provider of an extranet network has been troublesome.
  • the objective of the present invention is to eliminate or at least significantly to alleviate the drawbacks presented above.
  • One specific objective of the invention is to disclose a new kind of method and system that make it possible to dependably implement the access control of networks.
  • the invention enables a distributed control of access.
  • a new kind of control component is used in the access control of networks that makes it possible to combine the use of, e.g. the IPSec network and the directory.
  • the invention relates to a method in a telecommunication system as described above in which the telecommunication network is preferably an IP based network.
  • a connection is established between a terminal device and a telephone.
  • the user is identified by means of a certificate, i.e. an electronic identity, while the terminal device is establishing a connection with the first server.
  • the certificate used in the verification is transmitted to the control component.
  • a directory inquiry is generated that finds out whether the user is authorized to use the service, and the terminal device is connected to the service, if the user has got the access permission.
  • the directory is preferably in accordance with the LDAP protocol (LDAP, Lightweight Directory Access Protocol), e.g. the RFC2251.
  • the access control is distributed in such a way that at first a connection is established from the terminal device to the second server connected to the telecommunication network on which the user selects the service to be used on the first server.
  • the second server is preferably a WWW server (WWW, World Wide Web).
  • the connection between the terminal device and the first or second server may be established as a VPN connection, in which case the user is authenticated in accordance with the IPSec standard.
  • the information about the transactions of the control component is saved to a log file.
  • the information at the disposal of the control component relating to the re-negotiating of the connection may be saved to the log file.
  • the log file is created at a predetermined moment, e.g. every time when starting the control component.
  • the invention relates to a system for the access control of a network service in a telecommunication system as described above.
  • the system comprises means for transmitting the certificate used in authentication to the control component and means for generating the directory inquiry about the user's rights to the service in response to the aforementioned certificate.
  • the system comprises means for connecting the terminal device to the service, if the user's rights are sufficient.
  • the present invention provides the advantage that it makes it possible to separate the access control of a device in a network and a service provided by the device. Since a directory is used in the management of access to a service, also the management may be distributed. In addition, via the aforementioned directory, the user may be given information as to how to connect to the other services available. Further, the invention enables the follow-up of the use of the services and more advanced measures of billing.
  • FIG. 1 schematically represents one system in accordance with the invention
  • Fig. 2 schematically represents one embodiment of the method in accordance with the invention.
  • Fig. 3 schematically represents one example of the directory system;
  • Fig. 4a - 4f illustrate, by way of example, the functions of the system in a situation where the user wishes to see the list of allowed services
  • Fig. 5a - 5d illustrate, by way of example, the functions of the system in a situation where the user selects a service.
  • Fig. 1 illustrates one system in accordance with the invention.
  • the terminal device TE has been connected to the first server 1 by means of a VPN connection, which uses the IPSec data security.
  • the IPSec module has been arranged at both ends of a VPN connection between two points.
  • Both the terminal device TE and the first server 1 have been connected to the telecommunication network which implements an IP based data transfer.
  • the telecommunication network comprises a second server 2, which is a WWW server.
  • the second server 2 comprises a graphic user interface 4 by means of which the user of the terminal device TE is given a visual feedback about the transactions and functions. The feedback is transmitted to the terminal device, e.g.
  • the telecommunication network comprises a directory 3, which in the example is a LDAP directory.
  • a log server 7, on whose log file 6 information may be saved that relates to the measures caused by the user, e.g. for the needs of billing or follow-up. Since the telecommunication network implements, e.g., an IP based data transfer, the components may be located in places physically independent of one another.
  • on the first server 1 there is, e.g., a company extranet system arranged.
  • on the first server 1 there may be some commercial server or confidential function the access to which is wished to be protected from unauthorized users.
  • Fig. 2 is a flow chart illustrating one embodiment of the method of the invention.
  • a connection is established from the terminal device TE to the first server 1.
  • the user is identified as defined in the IPSec, step 21.
  • block 22 is entered in which the certificate used in the authentication is transmitted to the control component 5.
  • the terminal device TE establishes a connection first with the second server 2, e.g. based on the HTTP address.
  • the user is shown a list of allowed services.
  • the effective IPSec authentication as described above may be used also in this case.
  • the user is authenticated and the certificate is transmitted to the control component 5.
  • it is checked whether the user is authorized to use the service, which in the exemplary case is S2.
  • Based on the certificate in the possession of the control component the user is identified unambiguously.
  • a directory inquiry is generated by the control component 5 that is addressed to the LDAP directory 3 which contains the profile of the user's rights stored on it.
  • the control component 5 returns the piece of information to the VPN software on the control component, which either permits or denies the access to the desired service S2. If the user has no right to the service in question, the terminal device TE may be sent information thereof. In case the user has the right to the service S2, the terminal device TE is connected to the service S2, step 24.
  • a follow-up of use e.g. for billing or compiling statistics.
  • the control component transfers a notification of the transactions to the log file 6.
  • the log file 6 may be a part of the first server 1, or it may belong to a separate log server 7.
  • Fig. 3 schematically represents one example of the directory to be used in conjunction with the invention.
  • Fig. 4a - 4f illustrate a functionality used by the system of the invention in a situation where the user wishes to see a list of allowed services.
  • the user selects on his or her terminal device TE a network address which is an identifier individualizing an internet file or directory as well as the communication protocol needed when using these, e.g. http://www.sonera.fi/loota.
  • the user is authenticated and the certificate information is transmitted to the control component 5 which checks whether the user is permitted the access to the service. If the terminal device TE is allowed to use the WWW server 2, then the WWW server 2 performs a LDAP search as described in Fig. 4a. In that case, the WS1 is the individual name of the terminal device TE.
  • LDAP search operations as described in Fig. 4b in order to find allowed services.
  • a LDAP search may be performed for each level in order to find the common services for the subdirectory of the whole network address.
  • the features of the attribute userServicesList may be traced down based on the feedback of the searches. The possible double values of userServicesList may be eliminated after this.
  • LDAP searches are started in order to find out the detailed descriptions of the services allowed for the terminal device WS1.
  • the aforementioned searches have been presented in figures 4c - 4e. It must be noticed that it is also possible to select a wider list of service attributes.
  • the values of the attributes selected are picked from the service feedback.
  • Fig. 4f illustrates the feedback generated by the graphic user interface 4 of the WWW server 2 which comprises the network address and the service attributes.
  • Figures 5a - 5f illustrate by way of example functions in accordance with the present invention in a situation where the user wishes to use the service S2.
  • the user selects the service on the WWW server 2 at the network address http://www.org2.fi/S2.
  • the user is authenticated and the certificate is transmitted from the terminal device of the user TE to the control component 5, which for its part identifies the terminal device based on the WS1 certificate.
  • the terminal device performs the connection operations to the directory 3 by simple authorization.
  • the control component 5 performs also the LDAP search operations as described in figures 5a-5b in order to find out the services allowed for the terminal device WS1. Based on the search feedback it is possible to generate an attribute userServicesList.
  • LDAP comparison operations are started that are used to check whether the service to be obtained through the control component 5 is allowed for the aforementioned terminal device WS1.
  • the first comparison operation has been presented in Fig. 5c. If the search returns the value compareTrue, then there is no need for another LDAP operation. In that case, the control component returns a positive response after which the terminal device TE is connected to the service http://www.org2.fi/S2. If the search returns the value compareFalse, then a LDAP operation as described in Fig. 5d is performed, in which case it is checked whether there are enough rights for the service S2.
  • the loop as described above is repeated until as a result the value compareTrue is received or until all the values sAllowedService have been checked.
  • the control component 5 returns a negative response, if the value compareTrue is not received and all the values sAllowedServices have been checked.
  • the control component 5 gets an identifier of its own SEId from the management information base (MIB, Management Information Base) in conjunction with the startup. In case some of the services connected to the control component 5 are allowed for the terminal device TE, also other services connected to the control component 5 are allowed.
  • MIB: Management Information Base
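The decision path described in the bullets above (certificate identity handed to the control component, directory search for userServicesList, a comparison loop over the sAllowedService values that stops at the first compareTrue, and a log record of the outcome) modelled as an added Python example. This is not code from the patent or from Sonera; the in-memory dictionary standing in for the LDAP directory, the distinguished names, the certificate subjects and the `ControlComponent` class are all constructed here, and the IPSec authentication that precedes the check is assumed to have already happened.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the LDAP directory 3 (a plain dict, not a real
# LDAP server): distinguished name -> attributes. Terminal entries carry
# userServicesList, service entries carry sAllowedService; the attribute
# names come from the description, the DNs and values are made up here.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=WS1,ou=terminals,o=example": {"userServicesList": ["S1", "S2", "S2"]},
    "cn=WS2,ou=terminals,o=example": {"userServicesList": ["S1"]},
    "cn=S2,ou=services,o=example": {"sAllowedService": ["S2-guest", "S2"]},
    "cn=S3,ou=services,o=example": {"sAllowedService": ["S3"]},
}

# Constructed mapping from an already IPSec-authenticated certificate
# subject to the terminal's directory entry. The control component only
# sees identities the VPN layer has verified; it does not validate the
# certificate itself in this model.
CERT_SUBJECTS: Dict[str, str] = {
    "CN=WS1": "cn=WS1,ou=terminals,o=example",
    "CN=WS2": "cn=WS2,ou=terminals,o=example",
}


def ldap_search(dn: str, attribute: str) -> List[str]:
    """Simulated LDAP search returning one attribute's values, with
    duplicate values removed (the description eliminates double values
    of userServicesList after the searches)."""
    values = DIRECTORY.get(dn, {}).get(attribute, [])
    return list(dict.fromkeys(values))


def ldap_compare(dn: str, attribute: str, value: str) -> str:
    """Simulated LDAP compare operation: 'compareTrue' when the entry holds
    the value under that attribute, otherwise 'compareFalse'."""
    held = DIRECTORY.get(dn, {}).get(attribute, [])
    return "compareTrue" if value in held else "compareFalse"


def list_allowed_services(cert_subject: str) -> List[str]:
    """What the WWW server 2 shows the user (Fig. 4): the terminal's
    allowed services looked up from its certificate identity."""
    dn = CERT_SUBJECTS.get(cert_subject)
    return ldap_search(dn, "userServicesList") if dn else []


@dataclass
class ControlComponent:
    """Hypothetical model of control component 5: decides whether the
    identified terminal may reach a service and records every decision
    (the list stands in for log file 6)."""
    log: List[dict] = field(default_factory=list)

    def _record(self, subject: str, service: str, decision: str, reason: str) -> bool:
        self.log.append({"subject": subject, "service": service,
                         "decision": decision, "reason": reason})
        return decision == "permit"

    def check_access(self, cert_subject: str, service_id: str) -> bool:
        terminal_dn: Optional[str] = CERT_SUBJECTS.get(cert_subject)
        if terminal_dn is None:
            # Fail closed: an identity the directory does not know gets nothing.
            return self._record(cert_subject, service_id, "deny", "unknown certificate subject")
        service_dn = f"cn={service_id},ou=services,o=example"
        allowed_values = ldap_search(service_dn, "sAllowedService")
        if not allowed_values:
            return self._record(cert_subject, service_id, "deny", "service has no sAllowedService entry")
        # Comparison loop of Fig. 5c/5d: one compare per sAllowedService value,
        # stopping at the first compareTrue.
        for value in allowed_values:
            if ldap_compare(terminal_dn, "userServicesList", value) == "compareTrue":
                return self._record(cert_subject, service_id, "permit", f"matched {value}")
        return self._record(cert_subject, service_id, "deny", "no sAllowedService value matched")


if __name__ == "__main__":
    cc = ControlComponent()
    print(list_allowed_services("CN=WS1"))   # ['S1', 'S2']
    print(cc.check_access("CN=WS1", "S2"))   # True
    print(cc.check_access("CN=WS2", "S2"))   # False
    for entry in cc.log:
        print(entry)
```

Two choices matter for a defender reading the description: every path through `check_access` ends in a log record, so the follow-up and billing use of the log file is complete rather than best-effort, and an identity or service the directory does not know is denied rather than passed through, since the directory is the only source of rights in this design.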

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a method and a system for controlling access to a service (S2) in a telecommunication system comprising a telecommunication network, a first server (1) on which a service (S2) is set up and which is connected to the telecommunication network, a terminal device (TE) by means of which the user is connected to the telecommunication network, a directory (3) connected to the telecommunication network and containing information on the user's rights in the telecommunication network, and a control component (5) set up on the first server (1). In the method, a connection is established between the terminal device (TE) and the first server (1), and the user is identified by means of a certificate while the terminal device (TE) establishes a connection with the first server (1). In the method, the certificate used in the authentication is transmitted to the control component (5), a directory inquiry about the user's rights to the service (S2) is generated in response to the certificate, and the terminal device (TE) is connected to the service (S2) if the user's rights are sufficient.
PCT/FI2000/000875 1999-10-12 2000-10-11 Commande d'acces a un service WO2001027709A2 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU77930/00A AU7793000A (en) 1999-10-12 2000-10-11 Access control of a service
EP00967941A EP1248971A2 (fr) 1999-10-12 2000-10-11 Commande d'acces a un service

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI992196A FI108184B (fi) 1999-10-12 1999-10-12 Palvelun pääsynvalvonta
FI19992196 1999-10-12

Publications (3)

Publication Number Publication Date
WO2001027709A2 true WO2001027709A2 (fr) 2001-04-19
WO2001027709A3 WO2001027709A3 (fr) 2002-08-01
WO2001027709A8 WO2001027709A8 (fr) 2004-04-22

Family

ID=8555436

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2000/000875 WO2001027709A2 (fr) 1999-10-12 2000-10-11 Commande d'acces a un service

Country Status (4)

Country Link
EP (1) EP1248971A2 (fr)
AU (1) AU7793000A (fr)
FI (1) FI108184B (fr)
WO (1) WO2001027709A2 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NL1018494C2 (nl) * 2001-07-09 2003-01-10 Koninkl Kpn Nv Methode en systeem voor het door een dienstproces aan een client leveren van een dienst.
WO2002086715A3 (fr) * 2001-04-18 2003-03-20 Cereva Networks Inc Procedure integree de subdivision de services de donnees d'un reseau parmi plusieurs abonnes
GB2400268A (en) * 2001-04-18 2004-10-06 Emc Corp Partitioning network data services amongst multiple subscribers
WO2007109999A1 (fr) * 2006-03-29 2007-10-04 Huawei Technologies Co., Ltd Procédé, système, matériel d'abonné et serveur multimédia pour la protection numérique des droits d'auteur

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3937475B2 (ja) * 1996-06-14 2007-06-27 キヤノン株式会社 アクセス制御システムおよびその方法
US5922074A (en) * 1997-02-28 1999-07-13 Xcert Software, Inc. Method of and apparatus for providing secure distributed directory services and public key infrastructure
US6134591A (en) * 1997-06-18 2000-10-17 Client/Server Technologies, Inc. Network security and integration method and system

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002086715A3 (fr) * 2001-04-18 2003-03-20 Cereva Networks Inc Procedure integree de subdivision de services de donnees d'un reseau parmi plusieurs abonnes
GB2386291A (en) * 2001-04-18 2003-09-10 Emc Corp Integrated procedure for partitioning network data services among multiple subscribers
GB2400268A (en) * 2001-04-18 2004-10-06 Emc Corp Partitioning network data services amongst multiple subscribers
GB2386291B (en) * 2001-04-18 2004-11-17 Emc Corp Integrated procedure for partitioning network data services among multiple subscribers
GB2400268B (en) * 2001-04-18 2005-03-23 Emc Corp Integrated procedure for partitioning network data services among multiple subscribers
US7277953B2 (en) 2001-04-18 2007-10-02 Emc Corporation Integrated procedure for partitioning network data services among multiple subscribers
NL1018494C2 (nl) * 2001-07-09 2003-01-10 Koninkl Kpn Nv Methode en systeem voor het door een dienstproces aan een client leveren van een dienst.
WO2003007571A1 (fr) * 2001-07-09 2003-01-23 Koninklijke Kpn N.V. Procede et systeme pour permettre a un serveur de service de fournir un service a un client
US7565554B2 (en) 2001-07-09 2009-07-21 Nederlandse Organisatie Voor Toegepast-Natuurwetenschappelijk Onderzoek Tno Method and system for a service process to provide a service to a client
WO2007109999A1 (fr) * 2006-03-29 2007-10-04 Huawei Technologies Co., Ltd Procédé, système, matériel d'abonné et serveur multimédia pour la protection numérique des droits d'auteur
US8510824B2 (en) 2006-03-29 2013-08-13 Huawei Technologies Co., Ltd. Method, system, subscriber equipment and multi-media server for digital copyright protection

Also Published As

Publication number Publication date
FI19992196L (fi) 2001-04-13
WO2001027709A8 (fr) 2004-04-22
WO2001027709A3 (fr) 2002-08-01
EP1248971A2 (fr) 2002-10-16
FI108184B (fi) 2001-11-30
AU7793000A (en) 2001-04-23

Similar Documents

Publication Publication Date Title
US5960177A (en) System for performing remote operation between firewall-equipped networks or devices
US6662228B1 (en) Internet server authentication client
US7856016B2 (en) Access control method, access control system, and packet communication apparatus
CA2514004C (fr) Systeme et methode de controle d'acces au reseau
US20020042883A1 (en) Method and system for controlling access by clients to servers over an internet protocol network
WO2001011450A1 (fr) Structure d'entree en communication unique avec application de niveau de fiabilite a des demandes d'authentification
EP1075748B1 (fr) Procede, agencement et dispositif d'authentification
JPH11187016A (ja) ネットワーク認証システム
EP1248971A2 (fr) Commande d'acces a un service
JPH1028144A (ja) アクセス制御機能付きネットワーク構成方式
KR20070009490A (ko) 아이피 주소 기반 사용자 인증 시스템 및 방법
JPH11203248A (ja) 認証装置、および、そのプログラムを記録した記録媒体
US7631344B2 (en) Distributed authentication framework stack
Cisco Configuring Authentication
JP2002084326A (ja) 被サービス装置、センタ装置、及びサービス装置
Cisco Network Access Security Commands
Cisco Strategies Applying Attributes
Cisco Configuring Network Security
Cisco Configuring Authentication
Cisco Strategies for Applying Attributes
Cisco Configuring Network Security
Cisco Configuring Network Security
Cisco Configuring Network Security
Cisco Configuring Network Security
Cisco ACL Default Direction

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ CZ DE DE DK DK DM DZ EE EE ES FI FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2000967941

Country of ref document: EP

AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

WWP Wipo information: published in national office

Ref document number: 2000967941

Country of ref document: EP

CFP Corrected version of a pamphlet front page
CR1 Correction of entry in section i

Free format text: IN PCT GAZETTE 16/2001 DUE TO A TECHNICAL PROBLEM AT THE TIME OF INTERNATIONAL PUBLICATION, SOME INFORMATION WAS MISSING UNDER (81). THE MISSING INFORMATION NOW APPEARS IN THE CORRECTED VERSION

NENP Non-entry into the national phase

Ref country code: JP

WWR Wipo information: refused in national office

Ref document number: 2000967941

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 2000967941

Country of ref document: EP
