Patents by Inventor Vesa Petteri Lehtovirta

Vesa Petteri Lehtovirta has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10356619
    Abstract: A user equipment receives an Extensible Authentication Protocol Authentication and Key Agreement Prime (EAP AKA?) message, from an authentication server related to the user equipment, in an authentication procedure being part of setting up a connection from the user equipment through an access network. The user equipment sets up an IP Security tunnel between the user equipment and an evolved Packet Data Gateway responsive to the EAP AKA? message indicating that the access network is untrusted.
    Type: Grant
    Filed: March 13, 2018
    Date of Patent: July 16, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
  • Publication number: 20180206118
    Abstract: A user equipment receives an Extensible Authentication Protocol Authentication and Key Agreement Prime (EAP AKA?) message, from an authentication server related to the user equipment, in an authentication procedure being part of setting up a connection from the user equipment through an access network. The user equipment sets up an IP Security tunnel between the user equipment and an evolved Packet Data Gateway responsive to the EAP AKA? message indicating that the access network is untrusted.
    Type: Application
    Filed: March 13, 2018
    Publication date: July 19, 2018
    Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
  • Patent number: 9949118
    Abstract: When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication of at least one network property relating to a first network, e.g. the current access network (3, 3?), is sent to the UE from a node (13) in a second network such as the home network (5) of the subscriber of the UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3?) is trusted or not.
    Type: Grant
    Filed: August 6, 2015
    Date of Patent: April 17, 2018
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
  • Patent number: 9338173
    Abstract: Methods and apparatuses in a client terminal and a web server for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context-specific key, Ks_NAF?, based on one or more context parameters, P1, . . . Pn, pertaining to said session and/or web page. The terminal then indicates the context-specific key in a login request to the server, and the server determines a context-specific key, Ks_NAF?, in the same manner to verify the client if the context-specific key determined in the web server matches the context-specific key received from the client terminal. The context-specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions.
    Type: Grant
    Filed: November 4, 2014
    Date of Patent: May 10, 2016
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Karl Norman, John Mattsson, Vesa Petteri Lehtovirta, Oscar Ohlsson
  • Publication number: 20150341788
    Abstract: When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication of at least one network property relating to a first network, e.g. the current access network (3, 3?), is sent to the UE from a node (13) in a second network such as the home network (5) of the subscriber of the UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3?) is trusted or not.
    Type: Application
    Filed: August 6, 2015
    Publication date: November 26, 2015
    Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
  • Patent number: 9137231
    Abstract: When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication of at least one network property relating to a first network, e.g. the current access network (3, 3?), is sent to the UE from a node (13) in a second network such as the home network (5) of the subscriber of the UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3?) is trusted or not.
    Type: Grant
    Filed: November 26, 2013
    Date of Patent: September 15, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
  • Publication number: 20150058980
    Abstract: Methods and apparatuses in a client terminal and a web server for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context-specific key, Ks_NAF?, based on one or more context parameters, P1, . . . Pn, pertaining to said session and/or web page. The terminal then indicates the context-specific key in a login request to the server, and the server determines a context-specific key, Ks_NAF?, in the same manner to verify the client if the context-specific key determined in the web server matches the context-specific key received from the client terminal. The context-specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions.
    Type: Application
    Filed: November 4, 2014
    Publication date: February 26, 2015
    Inventors: Karl Norrman, John Mattsson, Vesa Petteri Lehtovirta, Oscar Ohlsson
  • Patent number: 8903095
    Abstract: Methods and apparatuses in a client terminal (400) and a web server (402) for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context-specific key, Ks_NAF?, based on one or more context parameters, P1, . . . Pn, pertaining to said session and/or web page. The terminal then indicates the context-specific key in a login request to the server, and the server determines a context-specific key, Ks_NAF?, in the same manner to verify the client if the context-specific key determined in the web server matches the context-specific key received from the client terminal. The context-specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions.
    Type: Grant
    Filed: July 6, 2011
    Date of Patent: December 2, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Karl Norrman, John Mattsson, Vesa Petteri Lehtovirta, Okcar Ohlsson
  • Publication number: 20140096193
    Abstract: When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication of at least one network property relating to a first network, e.g. the current access network (3, 3?), is sent to the UE from a node (13) in a second network such as the home network (5) of the subscriber of the UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3?) is trusted or not.
    Type: Application
    Filed: November 26, 2013
    Publication date: April 3, 2014
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
  • Patent number: 8621200
    Abstract: In order to facilitate access to encrypted broadcast or multicast data an encrypted service key is sent from an access server of the communication network to the user terminal, passing the encrypted service key to a secure module of the user terminal. The secure module has access to a decryption key for decrypting the encrypted service key but this decryption key is inaccessible to other functions of the user terminal. Acknowledgement of receipt of the service key at said secure module, and sending the acknowledgement from the user equipment to the access server; authenticating the receipt at the access server and sending a return acknowledgement from the access server to the user terminal, and passing the return acknowledgement to the secure module; and authenticating the return acknowledgement at the secure module, and subsequently making the decrypted service key available to the user terminal, the service key making possible directly or indirectly the decryption of broadcast and/or multicast data.
    Type: Grant
    Filed: December 16, 2005
    Date of Patent: December 31, 2013
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Vesa Petteri Lehtovirta, Karl Norrman Norrman
  • Patent number: 8553883
    Abstract: According to the teachings presented herein, a wireless communication device reverts from subscription credentials to temporary access credentials, in response to detecting an access failure. The device uses its temporary access credentials to gain temporary network access, either through a preferred network (e.g., home network) or through any one of one or more non-preferred networks (e.g., visited networks). After gaining temporary access, the device determines whether it needs new subscription credentials and, if so, uses the temporary access to obtain them. Correspondingly, in one or more embodiments, a registration server is configured to support such operations, such as by providing determination of credential validity and/or by redirecting the device to a new home operator for obtaining new subscription credentials.
    Type: Grant
    Filed: June 17, 2008
    Date of Patent: October 8, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Patrik Mikael Salmela, Vesa Petteri Lehtovirta, Kristian Slavov
  • Patent number: 8555345
    Abstract: A method of authenticating a client to two or more servers coupled together via a communications network, wherein the client and a first server possess a shared secret. The method comprises authenticating the client to a first server using said shared secret, signalling associated with this authentication process being sent between the client and said first server via a second server, generating a session key at the client and at the first server, and providing the session key to said second server, and using the session key to authenticate the client to the second server.
    Type: Grant
    Filed: January 28, 2005
    Date of Patent: October 8, 2013
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Vesa Matti Torvinen, Vesa Petteri Lehtovirta, Monica Wifvesson
  • Patent number: 8516133
    Abstract: Methods and systems taught herein allow communication device manufacturers to preconfigure communication devices to use preliminary access credentials to gain temporary network access for downloading subscription credentials, and particularly allow the network operator issuing the subscription credentials to verify that individual devices requesting credentials are trusted. In one or more embodiments, a credentialing server is owned or controlled by the network operator, and is used by the network operator to verify that subscription credentials are issued only to trusted communication devices, even though such devices may be referred to the credentialing server by an external registration server and may be provisioned by an external provisioning server. Particularly, the credentialing server interrogates requesting devices for their device certificates and submits these device certificates to an external authorization server, e.g., an independent OCSP server, for verification.
    Type: Grant
    Filed: October 23, 2008
    Date of Patent: August 20, 2013
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Bernard Smeets, Luis Barriga, Mattias Eld, Vesa Petteri Lehtovirta, Krister Sällberg
  • Publication number: 20120254997
    Abstract: Methods and apparatuses in a client terminal (400) and a web server (402) for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context-specific key, Ks_NAF?, based on one or more context parameters, P1, . . . Pn, pertaining to said session and/or web page. The terminal then indicates the context-specific key in a login request to the server, and the server determines a context-specific key, Ks_NAF?, in the same manner to verify the client if the context-specific key determined in the web server matches the context-specific key received from the client terminal. The context-specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions.
    Type: Application
    Filed: July 6, 2011
    Publication date: October 4, 2012
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Karl Norrman, John Mattsson, Vesa Petteri Lehtovirta, Oscar Ohlsson
  • Patent number: 7725709
    Abstract: Methods for cryptographic synchronization of data packets. A roll-over counter (ROC) value is periodically appended to and transmitted with a data packet when a function of the packet sequence number equals a predetermined value. The ROC effectively synchronizes the cryptographic transformation of the data packets. Although the disclosed methods are generally applicable to many transmission protocols, they are particularly adaptable for use in systems wherein the data packets are transmitted to a receiver using the Secure Real-Time Transport Protocol (SRTP) as defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 3711.
    Type: Grant
    Filed: September 6, 2006
    Date of Patent: May 25, 2010
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Mats Naslund, Karl Norrman, Vesa Petteri Lehtovirta, Alex Krister Raith
  • Publication number: 20090217038
    Abstract: Methods and apparatus for locating and accessing a data server in a wireless network are disclosed. The disclosed techniques may be used to allow a wireless device provided with temporary credentials to access a wireless network and obtain a network address for a data server for downloading subscription credentials. An exemplary wireless device comprises a processing unit configured to send an access authentication request to a wireless network, and to receive an authentication challenge value from the wireless network in response. The processing unit is further configured to generate a cryptographic response from the authentication challenge value and to send the cryptographic response to the wireless network, and to also derive a data server address from the authentication challenge value. Thus, the authentication challenge value serves two purposes—as a challenge key for use in a network access authentication procedure, and as a carrier for data server address information.
    Type: Application
    Filed: June 16, 2008
    Publication date: August 27, 2009
    Inventors: Vesa Petteri Lehtovirta, Patrik Mikael Salmela, Kristian Slavov
  • Publication number: 20090217364
    Abstract: According to the teachings presented herein, a wireless communication device reverts from subscription credentials to temporary access credentials, in response to detecting an access failure. The device uses its temporary access credentials to gain temporary network access, either through a preferred network (e.g., home network) or through any one of one or more non-preferred networks (e.g., visited networks). After gaining temporary access, the device determines whether it needs new subscription credentials and, if so, uses the temporary access to obtain them. Correspondingly, in one or more embodiments, a registration server is configured to support such operations, such as by providing determination of credential validity and/or by redirecting the device to a new home operator for obtaining new subscription credentials.
    Type: Application
    Filed: June 17, 2008
    Publication date: August 27, 2009
    Inventors: Patrik Mikael Salmela, Vesa Petteri Lehtovirta, Kristian Slavov
  • Publication number: 20090205028
    Abstract: Methods and systems taught herein allow communication device manufacturers to preconfigure communication devices to use preliminary access credentials to gain temporary network access for downloading subscription credentials, and particularly allow the network operator issuing the subscription credentials to verify that individual devices requesting credentials are trusted. In one or more embodiments, a credentialing server is owned or controlled by the network operator, and is used by the network operator to verify that subscription credentials are issued only to trusted communication devices, even though such devices may be referred to the credentialing server by an external registration server and may be provisioned by an external provisioning server. Particularly, the credentialing server interrogates requesting devices for their device certificates and submits these device certificates to an external authorization server, e.g., an independent OCSP server, for verification.
    Type: Application
    Filed: October 23, 2008
    Publication date: August 13, 2009
    Inventors: Bernard Smeets, Luis Barriga, Mattias Johansson, Vesa Petteri Lehtovirta, Krister Sallberg
  • Publication number: 20090013381
    Abstract: A method of authenticating a client to two or more servers coupled together via a communications network, wherein the client and a first server possess a shared secret. The method comprises authenticating the client to a first server using said shared secret, signalling associated with this authentication process being sent between the client and said first server via a second server, generating a session key at the client and at the first server, and providing the session key to said second server, and using the session key to authenticate the client to the second server.
    Type: Application
    Filed: January 28, 2005
    Publication date: January 8, 2009
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vesa Matti Torvinen, Vesa Petteri Lehtovirta, Monica Wifvesson
  • Publication number: 20080114978
    Abstract: In order to facilitate access to encrypted broadcast or multicast data an encrypted service key is sent from an access server of the communication network to the user terminal, passing the encrypted service key to a secure module of the user terminal. The secure module has access to a decryption key for decrypting the encrypted service key but this decryption key is inaccessible to other functions of the user terminal. Acknowledgement of receipt of the service key at said secure module, and sending the acknowledgement from the user equipment to the access server; authenticating the receipt at the access server and sending a return acknowledgement from the access server to the user terminal, and passing the return acknowledgement to the secure module; and authenticating the return acknowledgement at the secure module, and subsequently making the decrypted service key available to the user terminal, the service key making possible directly or indirectly the decryption of broadcast and/or multicast data.
    Type: Application
    Filed: December 16, 2005
    Publication date: May 15, 2008
    Inventors: Vesa Petteri Lehtovirta, Karl Norrman