WO2001027709A2 - Access control of a service - Google Patents
Publication number: WO2001027709A2 (PCT/FI2000/000875)
Authority: WO (WIPO, PCT)
Prior art keywords: server, user, service, terminal device, telecommunication network
Classifications
- H04L63/102—Network architectures or network communication protocols for network security; controlling access to devices or network resources; entity profiles
- G06F21/33—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; user authentication using certificates
- H04L63/0823—Network architectures or network communication protocols for network security; authentication of entities using certificates
- H04L63/0272—Network architectures or network communication protocols for network security; separating internal from external traffic, e.g. firewalls; virtual private networks
- H04L63/164—Network architectures or network communication protocols for network security; implementing security features at the network layer
Definitions
- the invention relates to telecommunication systems.
- the invention relates to a method and a system for the access control of a network service in a telecommunication system comprising a telecommunication network; a first server with a service arranged on it, which server has been connected to the telecommunication network; a terminal device by means of which the user has been connected to the telecommunication network; a directory which has been connected to the telecommunication network and which comprises information on the user's rights in the telecommunication network; and a control component which has been arranged on the first server.
- a connection is established between the terminal device and the server, and the user is identified by means of a certificate, while the terminal device is establishing a connection with the first server.
- the virtual private network (VPN) is becoming common in solutions in which an economically implemented network is needed that is nevertheless protected from parties not concerned.
- the internet may be used as the transport, which enables remote use of a company's protected intranet, i.e. an extranet.
- the extranet is used to mean a data network between companies which uses the internet as a means of data transfer and which makes it possible to combine the intranets of the companies involved.
- IPSec (Internet Protocol Security) is the standard that defines the protection procedures for IP based data transfer (IP, Internet Protocol).
- IPSec provides access control, data integrity, authentication and confidentiality. All of these services are available at the IP level, so the protection covers IP itself and/or the protocols of the upper layers.
- the management of virtual private networks, hereinafter referred to as IPSec networks, has usually been centralized. In that case, management distributed between the operator and, e.g., the provider of an extranet network has been troublesome.
- the objective of the present invention is to eliminate or at least significantly to alleviate the drawbacks presented above.
- One specific objective of the invention is to disclose a new kind of method and system that make it possible to dependably implement the access control of networks.
- the invention enables a distributed control of access.
- a new kind of control component is used in the access control of networks that makes it possible to combine the use of, e.g. the IPSec network and the directory.
- the invention relates to a method in a telecommunication system as described above in which the telecommunication network is preferably an IP based network.
- a connection is established between the terminal device and the first server.
- the user is identified by means of a certificate, i.e. an electronic identity, while the terminal device is establishing a connection with the first server.
- the certificate used in the verification is transmitted to the control component.
- a directory inquiry is generated that finds out whether the user is authorized to use the service, and the terminal device is connected to the service if the user has the access permission.
- the directory is preferably in accordance with the LDAP protocol (LDAP, Lightweight Directory Access Protocol), e.g. the RFC2251.
- the access control is distributed in such a way that at first a connection is established from the terminal device to the second server connected to the telecommunication network on which the user selects the service to be used on the first server.
- the second server is preferably a WWW server (WWW, World Wide Web) .
- the connection between the terminal device and the first or second server may be established as a VPN connection, in which case the user is authenticated in accordance with the IPSec standard.
- the information about the transactions of the control component is saved to a log file.
- the information at the disposal of the control component relating to the re-negotiating of the connection may be saved to the log file.
- the log file is created at a predetermined moment, e.g. every time when starting the control component.
- the invention relates to a system for the access control of a network service in a telecommunication system as described above.
- the system comprises means for transmitting the certificate used in authentication to the control component and means for generating the directory inquiry about the user's rights to the service in response to the aforementioned certificate.
- the system comprises means for connecting the terminal device to the service, if the user's rights are sufficient.
- the present invention provides the advantage that it makes it possible to separate the access control of a device in a network from the access control of a service provided by the device. Since a directory is used in the management of access to a service, the management may also be distributed. In addition, via the aforementioned directory, the user may be given information on how to connect to the other services available. Further, the invention enables the follow-up of the use of the services and more advanced measures of billing.
- Fig. 1 schematically represents one system in accordance with the invention;
- Fig. 2 schematically represents one embodiment of the method in accordance with the invention;
- Fig. 3 schematically represents one example of the directory system;
- Figs. 4a - 4f illustrate, by way of example, the functions of the system in a situation where the user wishes to see the list of allowed services;
- Figs. 5a - 5d illustrate, by way of example, the functions of the system in a situation where the user selects a service.
- Fig. 1 illustrates one system in accordance with the invention.
- the terminal device TE has been connected to the first server 1 by means of a VPN connection, which uses the IPSec data security.
- the IPSec module has been arranged at both ends of a VPN connection between two points.
- Both the terminal device TE and the first server 1 have been connected to the telecommunication network which implements an IP based data transfer.
- the telecommunication network comprises a second server 2, which is a WWW server.
- the second server 2 comprises a graphic user interface 4 by means of which the user of the terminal device TE is given a visual feedback about the transactions and functions. The feedback is transmitted to the terminal device, e.g.
- the telecommunication network comprises a directory 3, which in the example is a LDAP directory.
- the telecommunication network comprises a log server 7 with a log file 6, in which information relating to the actions caused by the user may be saved, e.g. for the needs of billing or follow-up. Since the telecommunication network implements, e.g., an IP based data transfer, the components may be located in places physically independent of one another.
- on the first server 1 there is, e.g., a company extranet system.
- the first server 1 may also host a commercial service or a confidential function to which access is to be protected from unauthorized users.
- Fig. 2 is a flow chart illustrating one embodiment of the method of the invention.
- a connection is established from the terminal device TE to the first server 1.
- the user is identified as defined in the IPSec, step 21.
- block 22 is entered in which the certificate used in the authentication is transmitted to the control component 5.
- the terminal device TE establishes a connection first with the second server 2, e.g. based on the HTTP address.
- the user is shown a list of allowed services.
- the effective IPSec authentication as described above may be used also in this case.
- the user is authenticated and the certificate is transmitted to the control component 5.
- it is checked whether the user is authorized to use the service, which in the exemplary case is S2.
- Based on the certificate in the possession of the control component the user is identified unambiguously.
- a directory inquiry is generated by the control component 5 that is addressed to the LDAP directory 3, which contains the profile of the user's rights stored on it.
- the control component 5 returns the piece of information to the VPN software on the control component, which either permits or denies the access to the desired service S2. If the user has no right to the service in question, the terminal device TE may be sent information thereof. In case the user has the right to the service S2, the terminal device TE is connected to the service S2, step 24.
- a follow-up of use e.g. for billing or compiling statistics.
- the control component transfers a notification of the transactions to the log file 6.
- the log file 6 may be a part of the first server 1, or it may belong to a separate log server 7.
- Fig. 3 schematically represents one example of the directory to be used in conjunction with the invention.
- Fig. 4a - 4f illustrate a functionality used by the system of the invention in a situation where the user wishes to see a list of allowed services.
- the user selects on his or her terminal device TE a network address, i.e. an identifier that individualizes an internet file or directory and names the communication protocol needed to use it, e.g. http://www.sonera.fi/loota.
- the user is authenticated and the certificate information is transmitted to the control component 5, which checks whether the user is permitted access to the service. If the terminal device TE is allowed to use the WWW server 2, then the WWW server 2 performs a LDAP search as described in Fig. 4a. In that case, WS1 is the individual name of the terminal device TE.
- next, LDAP search operations as described in Fig. 4b are performed in order to find the allowed services.
- a LDAP search may be performed for each level of the directory tree in order to find the services common to the whole subtree under the network address.
- the values of the attribute userServicesList are collected from the results of these searches, after which any duplicate values of userServicesList are eliminated.
- LDAP searches are started in order to find out the detailed descriptions of the services allowed for the terminal device WS1.
- the aforementioned searches have been presented in figures 4c - 4e. It must be noticed that it is also possible to select a wider list of service attributes.
- the values of the attributes selected are picked from the service feedback.
- Fig. 4f illustrates the feedback generated by the graphic user interface 4 of the WWW server 2 which comprises the network address and the service attributes.
- Figures 5a - 5f illustrate by way of example functions in accordance with the present invention in a situation where the user wishes to use the service S2.
- the user selects the service on the WWW server 2 at the network address http://www.org2.fi/S2.
- the user is authenticated and the certificate is transmitted from the terminal device of the user TE to the control component 5, which for its part identifies the terminal device based on the WS1 certificate.
- the terminal device performs the connection operations to the directory 3 using simple authentication (a LDAP simple bind).
- the control component 5 performs also the LDAP search operations as described in figures 5a-5b in order to find out the services allowed for the terminal device WS1. Based on the search feedback it is possible to generate an attribute userServicesList.
- LDAP compare operations are started that are used to check whether the service to be obtained through the control component 5 is allowed for the aforementioned terminal device WS1.
- the first compare operation has been presented in Fig. 5c. If the compare returns the value compareTrue, then there is no need for another LDAP operation. In that case, the control component returns a positive response, after which the terminal device TE is connected to the service http://www.org2.fi/S2. If the compare returns the value compareFalse, then a LDAP operation as described in Fig. 5d is performed, in which case it is checked whether there are enough rights for the service S2.
- the loop as described above is repeated until as a result the value compareTrue is received or until all the values sAllowedService have been checked.
- the control component 5 returns a negative response, if the value compareTrue is not received and all the values sAllowedServices have been checked.
- the control component 5 gets an identifier of its own SEId from the management information base (MIB, Management Information Base) in conjunction with the startup. In case some of the services connected to the control component 5 are allowed for the terminal device TE, also other services connected to the control component 5 are allowed.
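The flow of Figs. 2, 4 and 5 above (the certificate identifies the device, the control component 5 queries the directory, the service is permitted or denied, the decision is logged) as one worked example. This is added code, not the patent's or the applicant's implementation: the directory is an in-memory dictionary standing in for the LDAP directory 3, the certificate is a constructed dict in the shape Python's ssl.SSLSocket.getpeercert() returns, and the directory layout (dc=fi / dc=org2 / ou=terminals / cn=WS1) and the services S1 and S3 are assumptions; only userServicesList, WS1, S2 and org2.fi are names from the page. It also shows the check the page leaves implicit: the value taken out of the certificate is escaped per RFC 4515 before it is placed in the search filter, so a subject such as WS1)(cn=WS2 cannot change the directory inquiry.

```python
"""Control component 5 of the flow above, as an added example (not code from the
patent or any product).  The LDAP directory 3 is an in-memory dict, the peer
certificate is a constructed dict shaped like ssl.SSLSocket.getpeercert(), and
the DIT layout dc=fi / dc=org2 / ou=terminals / cn=WS1 is an assumption; only
the attribute name userServicesList and the names WS1, S2, org2.fi come from
the page.  Certificate chain validation itself is left to the IPsec/VPN layer."""
import logging
import re
from typing import Dict, Iterator, List, Optional, Tuple

log = logging.getLogger("control-component")  # stands in for log file 6

# Constructed stand-in for directory 3: entry DN -> attributes (Fig. 3 is not on the page).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "dc=fi": {"userServicesList": []},
    "dc=org2,dc=fi": {"userServicesList": ["http://www.org2.fi/S1"]},
    "ou=terminals,dc=org2,dc=fi": {"userServicesList": ["http://www.org2.fi/S2"]},
    # S2 is listed again at the device level on purpose: Fig. 4b says duplicates are removed.
    "cn=WS1,ou=terminals,dc=org2,dc=fi": {
        "userServicesList": ["http://www.org2.fi/S3", "http://www.org2.fi/S2"]},
    "cn=WS2,ou=terminals,dc=org2,dc=fi": {"userServicesList": []},
}

# Constructed certificates in getpeercert() shape.  The second carries a hostile CN: spliced
# unescaped into "(cn=%s)" it would read as the two-assertion text (cn=WS1)(cn=WS2).
CERT_WS1 = {"subject": ((("countryName", "FI"),), (("organizationName", "org2"),),
                        (("commonName", "WS1"),))}
CERT_HOSTILE = {"subject": ((("commonName", "WS1)(cn=WS2"),),)}

_EQ_FILTER = re.compile(r"^\((\w+)=((?:[^()*\\]|\\[0-9a-fA-F]{2})*)\)$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value that goes inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def _unescape(value: str) -> str:
    raw = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return raw.encode("latin-1").decode("utf-8")


def identity_from_cert(peer_cert: dict) -> str:
    """The device name (WS1 on the page) is taken from the subject CN of the verified certificate."""
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    raise ValueError("certificate subject has no commonName")


def search(filt: str) -> Optional[str]:
    """Evaluate one equality filter such as (cn=WS1) over the directory and return the entry DN.
    Only a single, properly escaped equality assertion is accepted; a raw *, ( or ) is rejected."""
    m = _EQ_FILTER.match(filt)
    if not m:
        raise ValueError("unsupported or malformed filter: %r" % filt)
    attr, wanted = m.group(1).lower(), _unescape(m.group(2)).lower()  # cn uses caseIgnoreMatch
    for dn in DIRECTORY:
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        if rdn_attr.lower() == attr and rdn_value.lower() == wanted:
            return dn
    return None


def search_cn(cn: str) -> Optional[str]:
    """Fig. 4a: the (cn=WS1) search, with the certificate value escaped before it enters the filter."""
    return search("(cn=%s)" % escape_filter_value(cn))


def ancestors(dn: str) -> Iterator[str]:
    """The entry and then each parent up to the root (assumes no escaped commas in DNs)."""
    parts = dn.split(",")
    for i in range(len(parts)):
        yield ",".join(parts[i:])


def allowed_services(dn: str) -> List[str]:
    """Fig. 4b: one search per level of the DN; collect userServicesList, drop duplicates."""
    seen, result = set(), []
    for level in ancestors(dn):
        for svc in DIRECTORY.get(level, {}).get("userServicesList", []):
            if svc not in seen:
                seen.add(svc)
                result.append(svc)
    return result


def compare(dn: str, attr: str, value: str) -> bool:
    """LDAP compare on one entry: True for compareTrue, False for compareFalse."""
    return value in DIRECTORY.get(dn, {}).get(attr, [])


def is_service_allowed(dn: str, service: str) -> bool:
    """Fig. 5c-5d loop: compare level by level until compareTrue or every level is exhausted."""
    return any(compare(level, "userServicesList", service) for level in ancestors(dn))


def authorize(peer_cert: dict, service: str) -> Tuple[bool, str]:
    """Blocks 22-24 of Fig. 2: certificate -> directory inquiry -> permit or deny, logged."""
    try:
        cn = identity_from_cert(peer_cert)
        dn = search_cn(cn)
    except ValueError as exc:
        log.warning("deny service=%s reason=%s", service, exc)
        return False, str(exc)
    if dn is None:
        log.warning("deny service=%s reason=no entry for cn=%r", service, cn)
        return False, "no directory entry for %r" % cn
    ok = is_service_allowed(dn, service)
    log.info("%s dn=%s service=%s", "permit" if ok else "deny", dn, service)
    return ok, dn


if __name__ == "__main__":
    print(allowed_services("cn=WS1,ou=terminals,dc=org2,dc=fi"))
    print(authorize(CERT_WS1, "http://www.org2.fi/S2"))
    print(authorize(CERT_HOSTILE, "http://www.org2.fi/S2"))
```

The service match is an exact string compare, as a LDAP compare on the attribute value would be: http://www.org2.fi/S2 and http://www.org2.fi/S2/ are different services, so the WWW server 2 and the directory have to agree on one canonical form of the address. The identity is the subject CN alone, which is only unambiguous when the VPN layer has already verified the chain to a single trusted CA; with several issuers the entry should be keyed on issuer and serial, or on the full subject DN, instead. Unlike the SEId behaviour described above, where one allowed service on a control component allows every service behind it, the example checks each service address on its own.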
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU77930/00A AU7793000A (en) | 1999-10-12 | 2000-10-11 | Access control of a service |
EP00967941A EP1248971A2 (en) | 1999-10-12 | 2000-10-11 | Access control of a service |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FI19992196 | 1999-10-12 | ||
FI992196A FI108184B (en) | 1999-10-12 | 1999-10-12 | Service access control |
Publications (3)
Publication Number | Publication Date |
---|---|
WO2001027709A2 true WO2001027709A2 (en) | 2001-04-19 |
WO2001027709A3 WO2001027709A3 (en) | 2002-08-01 |
WO2001027709A8 WO2001027709A8 (en) | 2004-04-22 |
Family
ID=8555436
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FI2000/000875 WO2001027709A2 (en) | 1999-10-12 | 2000-10-11 | Access control of a service |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1248971A2 (en) |
AU (1) | AU7793000A (en) |
FI (1) | FI108184B (en) |
WO (1) | WO2001027709A2 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0813327A2 (en) * | 1996-06-14 | 1997-12-17 | Canon Kabushiki Kaisha | Access control system and method |
EP0862105A2 (en) * | 1997-02-28 | 1998-09-02 | Xcert Software, Inc. | Method of and apparatus for providing secure distributed directory services and public key infrastructure |
WO1998058473A2 (en) * | 1997-06-18 | 1998-12-23 | Alfred Nickles | Network security and integration method and system |
- 1999
  - 1999-10-12 FI FI992196A patent/FI108184B/en active
- 2000
  - 2000-10-11 EP EP00967941A patent/EP1248971A2/en not_active Ceased
  - 2000-10-11 WO PCT/FI2000/000875 patent/WO2001027709A2/en not_active Application Discontinuation
  - 2000-10-11 AU AU77930/00A patent/AU7793000A/en not_active Abandoned
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002086715A2 (en) * | 2001-04-18 | 2002-10-31 | Emc Corporation | Integrated procedure for partitioning network data services among multiple subscribers |
WO2002086715A3 (en) * | 2001-04-18 | 2003-03-20 | Cereva Networks Inc | Integrated procedure for partitioning network data services among multiple subscribers |
GB2386291A (en) * | 2001-04-18 | 2003-09-10 | Emc Corp | Integrated procedure for partitioning network data services among multiple subscribers |
GB2400268A (en) * | 2001-04-18 | 2004-10-06 | Emc Corp | Partitioning network data services amongst multiple subscribers |
GB2386291B (en) * | 2001-04-18 | 2004-11-17 | Emc Corp | Integrated procedure for partitioning network data services among multiple subscribers |
GB2400268B (en) * | 2001-04-18 | 2005-03-23 | Emc Corp | Integrated procedure for partitioning network data services among multiple subscribers |
US7277953B2 (en) | 2001-04-18 | 2007-10-02 | Emc Corporation | Integrated procedure for partitioning network data services among multiple subscribers |
NL1018494C2 (en) * | 2001-07-09 | 2003-01-10 | Koninkl Kpn Nv | Method and system for delivering a service to a client through a service process. |
WO2003007571A1 (en) * | 2001-07-09 | 2003-01-23 | Koninklijke Kpn N.V. | Method and system for a service process to provide a service to a client |
US7565554B2 (en) | 2001-07-09 | 2009-07-21 | Nederlandse Organisatie Voor Toegepast-Natuurwetenschappelijk Onderzoek Tno | Method and system for a service process to provide a service to a client |
WO2007109999A1 (en) * | 2006-03-29 | 2007-10-04 | Huawei Technologies Co., Ltd | Method, system, subscriber equipment and multi-media server for digital copyright protection |
US8510824B2 (en) | 2006-03-29 | 2013-08-13 | Huawei Technologies Co., Ltd. | Method, system, subscriber equipment and multi-media server for digital copyright protection |
Also Published As
Publication number | Publication date |
---|---|
FI19992196A (en) | 2001-04-13 |
WO2001027709A3 (en) | 2002-08-01 |
AU7793000A (en) | 2001-04-23 |
EP1248971A2 (en) | 2002-10-16 |
WO2001027709A8 (en) | 2004-04-22 |
FI108184B (en) | 2001-11-30 |
Similar Documents
Publication | Title |
---|---|
US5960177A (en) | System for performing remote operation between firewall-equipped networks or devices |
US6662228B1 (en) | Internet server authentication client |
CA2514004C (en) | System and method for controlling network access |
US7856016B2 (en) | Access control method, access control system, and packet communication apparatus |
US20020042883A1 (en) | Method and system for controlling access by clients to servers over an internet protocol network |
WO2001011450A1 (en) | Single sign-on framework with trust-level mapping to authentication requirements |
EP1075748B1 (en) | Method, arrangement and apparatus for authentication |
KR20060044494A (en) | Network management system and network management server of co-operating with authentication server |
JPH11187016A (en) | Network authenticating system |
WO2001027709A2 (en) | Access control of a service |
EP1530343B1 (en) | Method and system for creating authentication stacks in communication networks |
JPH1028144A (en) | System for constituting network with access control function |
KR20070009490A (en) | System and method for authenticating a user based on the internet protocol address |
JPH11203248A (en) | Authentication device and recording medium for storing program for operating the device |
JP2002084326A (en) | Device to be serviced, central unit and servicing device |
Cisco | Configuring Authentication |
Cisco | Network Access Security Commands |
Cisco | Strategies Applying Attributes |
Cisco | Strategies for Applying Attributes |
Cisco | Configuring Network Security |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ CZ DE DE DK DK DM DZ EE EE ES FI FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
WWE | Wipo information: entry into national phase | Ref document number: 2000967941. Country of ref document: EP |
AK | Designated states | Kind code of ref document: A3. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
AL | Designated countries for regional patents | Kind code of ref document: A3. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
WWP | Wipo information: published in national office | Ref document number: 2000967941. Country of ref document: EP |
CFP | Corrected version of a pamphlet front page | |
CR1 | Correction of entry in section i | Free format text: IN PCT GAZETTE 16/2001 DUE TO A TECHNICAL PROBLEM AT THE TIME OF INTERNATIONAL PUBLICATION, SOME INFORMATION WAS MISSING UNDER (81). THE MISSING INFORMATION NOW APPEARS IN THE CORRECTED VERSION |
NENP | Non-entry into the national phase in: | Ref country code: JP |
WWR | Wipo information: refused in national office | Ref document number: 2000967941. Country of ref document: EP |
WWW | Wipo information: withdrawn in national office | Ref document number: 2000967941. Country of ref document: EP |