Patents by Inventor Vesa Petteri Lehtovirta
Vesa Petteri Lehtovirta has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 10356619
  Abstract: A user equipment receives an Extensible Authentication Protocol Authentication and Key Agreement Prime (EAP-AKA') message, from an authentication server related to the user equipment, in an authentication procedure being part of setting up a connection from the user equipment through an access network. The user equipment sets up an IP Security tunnel between the user equipment and an evolved Packet Data Gateway responsive to the EAP-AKA' message indicating that the access network is untrusted.
  Type: Grant
  Filed: March 13, 2018
  Date of Patent: July 16, 2019
  Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
  Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
- Publication number: 20180206118
  Abstract: A user equipment receives an Extensible Authentication Protocol Authentication and Key Agreement Prime (EAP-AKA') message, from an authentication server related to the user equipment, in an authentication procedure being part of setting up a connection from the user equipment through an access network. The user equipment sets up an IP Security tunnel between the user equipment and an evolved Packet Data Gateway responsive to the EAP-AKA' message indicating that the access network is untrusted.
  Type: Application
  Filed: March 13, 2018
  Publication date: July 19, 2018
  Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
- Patent number: 9949118
  Abstract: When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication of at least one network property relating to a first network, e.g. the current access network (3, 3'), is sent to the UE from a node (13) in a second network such as the home network (5) of the subscriber of the UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3') is trusted or not.
  Type: Grant
  Filed: August 6, 2015
  Date of Patent: April 17, 2018
  Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
  Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
- Patent number: 9338173
  Abstract: Methods and apparatuses in a client terminal and a web server for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context-specific key, Ks_NAF', based on one or more context parameters, P1, ..., Pn, pertaining to said session and/or web page. The terminal then indicates the context-specific key in a login request to the server, and the server determines a context-specific key, Ks_NAF', in the same manner to verify the client if the context-specific key determined in the web server matches the context-specific key received from the client terminal. The context-specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions.
  Type: Grant
  Filed: November 4, 2014
  Date of Patent: May 10, 2016
  Assignee: Telefonaktiebolaget L M Ericsson (publ)
  Inventors: Karl Norrman, John Mattsson, Vesa Petteri Lehtovirta, Oscar Ohlsson
- Publication number: 20150341788
  Abstract: When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication of at least one network property relating to a first network, e.g. the current access network (3, 3'), is sent to the UE from a node (13) in a second network such as the home network (5) of the subscriber of the UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3') is trusted or not.
  Type: Application
  Filed: August 6, 2015
  Publication date: November 26, 2015
  Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
- Patent number: 9137231
  Abstract: When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication of at least one network property relating to a first network, e.g. the current access network (3, 3'), is sent to the UE from a node (13) in a second network such as the home network (5) of the subscriber of the UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3') is trusted or not.
  Type: Grant
  Filed: November 26, 2013
  Date of Patent: September 15, 2015
  Assignee: Telefonaktiebolaget L M Ericsson (publ)
  Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
- Publication number: 20150058980
  Abstract: Methods and apparatuses in a client terminal and a web server for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context-specific key, Ks_NAF', based on one or more context parameters, P1, ..., Pn, pertaining to said session and/or web page. The terminal then indicates the context-specific key in a login request to the server, and the server determines a context-specific key, Ks_NAF', in the same manner to verify the client if the context-specific key determined in the web server matches the context-specific key received from the client terminal. The context-specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions.
  Type: Application
  Filed: November 4, 2014
  Publication date: February 26, 2015
  Inventors: Karl Norrman, John Mattsson, Vesa Petteri Lehtovirta, Oscar Ohlsson
- Patent number: 8903095
  Abstract: Methods and apparatuses in a client terminal (400) and a web server (402) for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context-specific key, Ks_NAF', based on one or more context parameters, P1, ..., Pn, pertaining to said session and/or web page. The terminal then indicates the context-specific key in a login request to the server, and the server determines a context-specific key, Ks_NAF', in the same manner to verify the client if the context-specific key determined in the web server matches the context-specific key received from the client terminal. The context-specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions.
  Type: Grant
  Filed: July 6, 2011
  Date of Patent: December 2, 2014
  Assignee: Telefonaktiebolaget L M Ericsson (publ)
  Inventors: Karl Norrman, John Mattsson, Vesa Petteri Lehtovirta, Oscar Ohlsson
- Publication number: 20140096193
  Abstract: When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication of at least one network property relating to a first network, e.g. the current access network (3, 3'), is sent to the UE from a node (13) in a second network such as the home network (5) of the subscriber of the UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3') is trusted or not.
  Type: Application
  Filed: November 26, 2013
  Publication date: April 3, 2014
  Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
  Inventors: Mats Näslund, Jari Arkko, Rolf Blom, Vesa Petteri Lehtovirta, Karl Norrman, Stefan Rommer, Bengt Sahlin
- Patent number: 8621200
  Abstract: In order to facilitate access to encrypted broadcast or multicast data, an encrypted service key is sent from an access server of the communication network to the user terminal, which passes the encrypted service key to a secure module of the user terminal. The secure module has access to a decryption key for decrypting the encrypted service key, but this decryption key is inaccessible to other functions of the user terminal. The method further comprises acknowledging receipt of the service key at said secure module and sending the acknowledgement from the user equipment to the access server; authenticating the receipt at the access server, sending a return acknowledgement from the access server to the user terminal, and passing the return acknowledgement to the secure module; and authenticating the return acknowledgement at the secure module and subsequently making the decrypted service key available to the user terminal, the service key making possible, directly or indirectly, the decryption of broadcast and/or multicast data.
  Type: Grant
  Filed: December 16, 2005
  Date of Patent: December 31, 2013
  Assignee: Telefonaktiebolaget LM Ericsson (Publ)
  Inventors: Vesa Petteri Lehtovirta, Karl Norrman
- Patent number: 8555345
  Abstract: A method of authenticating a client to two or more servers coupled together via a communications network, wherein the client and a first server possess a shared secret. The method comprises authenticating the client to a first server using said shared secret, signalling associated with this authentication process being sent between the client and said first server via a second server, generating a session key at the client and at the first server, providing the session key to said second server, and using the session key to authenticate the client to the second server.
  Type: Grant
  Filed: January 28, 2005
  Date of Patent: October 8, 2013
  Assignee: Telefonaktiebolaget LM Ericsson (publ)
  Inventors: Vesa Matti Torvinen, Vesa Petteri Lehtovirta, Monica Wifvesson
- Patent number: 8553883
  Abstract: According to the teachings presented herein, a wireless communication device reverts from subscription credentials to temporary access credentials in response to detecting an access failure. The device uses its temporary access credentials to gain temporary network access, either through a preferred network (e.g., home network) or through any one of one or more non-preferred networks (e.g., visited networks). After gaining temporary access, the device determines whether it needs new subscription credentials and, if so, uses the temporary access to obtain them. Correspondingly, in one or more embodiments, a registration server is configured to support such operations, such as by providing determination of credential validity and/or by redirecting the device to a new home operator for obtaining new subscription credentials.
  Type: Grant
  Filed: June 17, 2008
  Date of Patent: October 8, 2013
  Assignee: Telefonaktiebolaget L M Ericsson (publ)
  Inventors: Patrik Mikael Salmela, Vesa Petteri Lehtovirta, Kristian Slavov
- Patent number: 8516133
  Abstract: Methods and systems taught herein allow communication device manufacturers to preconfigure communication devices to use preliminary access credentials to gain temporary network access for downloading subscription credentials, and particularly allow the network operator issuing the subscription credentials to verify that individual devices requesting credentials are trusted. In one or more embodiments, a credentialing server is owned or controlled by the network operator and is used by the network operator to verify that subscription credentials are issued only to trusted communication devices, even though such devices may be referred to the credentialing server by an external registration server and may be provisioned by an external provisioning server. Particularly, the credentialing server interrogates requesting devices for their device certificates and submits these device certificates to an external authorization server, e.g., an independent OCSP server, for verification.
  Type: Grant
  Filed: October 23, 2008
  Date of Patent: August 20, 2013
  Assignee: Telefonaktiebolaget LM Ericsson (publ)
  Inventors: Bernard Smeets, Luis Barriga, Mattias Eld, Vesa Petteri Lehtovirta, Krister Sällberg
- Publication number: 20120254997
  Abstract: Methods and apparatuses in a client terminal (400) and a web server (402) for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context-specific key, Ks_NAF', based on one or more context parameters, P1, ..., Pn, pertaining to said session and/or web page. The terminal then indicates the context-specific key in a login request to the server, and the server determines a context-specific key, Ks_NAF', in the same manner to verify the client if the context-specific key determined in the web server matches the context-specific key received from the client terminal. The context-specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions.
  Type: Application
  Filed: July 6, 2011
  Publication date: October 4, 2012
  Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
  Inventors: Karl Norrman, John Mattsson, Vesa Petteri Lehtovirta, Oscar Ohlsson
- Patent number: 7725709
  Abstract: Methods for cryptographic synchronization of data packets. A roll-over counter (ROC) value is periodically appended to and transmitted with a data packet when a function of the packet sequence number equals a predetermined value. The ROC effectively synchronizes the cryptographic transformation of the data packets. Although the disclosed methods are generally applicable to many transmission protocols, they are particularly adaptable for use in systems wherein the data packets are transmitted to a receiver using the Secure Real-Time Transport Protocol (SRTP) as defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 3711.
  Type: Grant
  Filed: September 6, 2006
  Date of Patent: May 25, 2010
  Assignee: Telefonaktiebolaget L M Ericsson (publ)
  Inventors: Mats Näslund, Karl Norrman, Vesa Petteri Lehtovirta, Alex Krister Raith
- Publication number: 20090217038
  Abstract: Methods and apparatus for locating and accessing a data server in a wireless network are disclosed. The disclosed techniques may be used to allow a wireless device provided with temporary credentials to access a wireless network and obtain a network address for a data server for downloading subscription credentials. An exemplary wireless device comprises a processing unit configured to send an access authentication request to a wireless network, and to receive an authentication challenge value from the wireless network in response. The processing unit is further configured to generate a cryptographic response from the authentication challenge value and to send the cryptographic response to the wireless network, and to also derive a data server address from the authentication challenge value. Thus, the authentication challenge value serves two purposes: as a challenge key for use in a network access authentication procedure, and as a carrier for data server address information.
  Type: Application
  Filed: June 16, 2008
  Publication date: August 27, 2009
  Inventors: Vesa Petteri Lehtovirta, Patrik Mikael Salmela, Kristian Slavov
- Publication number: 20090217364
  Abstract: According to the teachings presented herein, a wireless communication device reverts from subscription credentials to temporary access credentials in response to detecting an access failure. The device uses its temporary access credentials to gain temporary network access, either through a preferred network (e.g., home network) or through any one of one or more non-preferred networks (e.g., visited networks). After gaining temporary access, the device determines whether it needs new subscription credentials and, if so, uses the temporary access to obtain them. Correspondingly, in one or more embodiments, a registration server is configured to support such operations, such as by providing determination of credential validity and/or by redirecting the device to a new home operator for obtaining new subscription credentials.
  Type: Application
  Filed: June 17, 2008
  Publication date: August 27, 2009
  Inventors: Patrik Mikael Salmela, Vesa Petteri Lehtovirta, Kristian Slavov
- Publication number: 20090205028
  Abstract: Methods and systems taught herein allow communication device manufacturers to preconfigure communication devices to use preliminary access credentials to gain temporary network access for downloading subscription credentials, and particularly allow the network operator issuing the subscription credentials to verify that individual devices requesting credentials are trusted. In one or more embodiments, a credentialing server is owned or controlled by the network operator and is used by the network operator to verify that subscription credentials are issued only to trusted communication devices, even though such devices may be referred to the credentialing server by an external registration server and may be provisioned by an external provisioning server. Particularly, the credentialing server interrogates requesting devices for their device certificates and submits these device certificates to an external authorization server, e.g., an independent OCSP server, for verification.
  Type: Application
  Filed: October 23, 2008
  Publication date: August 13, 2009
  Inventors: Bernard Smeets, Luis Barriga, Mattias Johansson, Vesa Petteri Lehtovirta, Krister Sällberg
- Publication number: 20090013381
  Abstract: A method of authenticating a client to two or more servers coupled together via a communications network, wherein the client and a first server possess a shared secret. The method comprises authenticating the client to a first server using said shared secret, signalling associated with this authentication process being sent between the client and said first server via a second server, generating a session key at the client and at the first server, providing the session key to said second server, and using the session key to authenticate the client to the second server.
  Type: Application
  Filed: January 28, 2005
  Publication date: January 8, 2009
  Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
  Inventors: Vesa Matti Torvinen, Vesa Petteri Lehtovirta, Monica Wifvesson
- Publication number: 20080114978
  Abstract: In order to facilitate access to encrypted broadcast or multicast data, an encrypted service key is sent from an access server of the communication network to the user terminal, which passes the encrypted service key to a secure module of the user terminal. The secure module has access to a decryption key for decrypting the encrypted service key, but this decryption key is inaccessible to other functions of the user terminal. The method further comprises acknowledging receipt of the service key at said secure module and sending the acknowledgement from the user equipment to the access server; authenticating the receipt at the access server, sending a return acknowledgement from the access server to the user terminal, and passing the return acknowledgement to the secure module; and authenticating the return acknowledgement at the secure module and subsequently making the decrypted service key available to the user terminal, the service key making possible, directly or indirectly, the decryption of broadcast and/or multicast data.
  Type: Application
  Filed: December 16, 2005
  Publication date: May 15, 2008
  Inventors: Vesa Petteri Lehtovirta, Karl Norrman