Title:
ANTI-UICC-CARD-FRAUD DETECTION AND CONTROL FOR TERMINALS ACCESSING HRPD AND EHRPD NETWORKS
Document Type and Number:
WIPO Patent Application WO/2014/026315
Kind Code:
A1
Abstract:
A method operational at network entity is provided for detecting concurrent use of authentication parameters from the same subscription on different networks. A first set of authentication parameters is received at the network entity from a first terminal seeking to establish a first communication session via a first network. A second set of authentication parameters is similarly received at the network entity from a second terminal seeking to establish a second communication session via a second network. The network entity may then ascertain whether the first and second sets of authentication parameters are from the same subscription. If the first and second sets of authentication parameters are determined to be from the same subscription, the network entity may cause at least one of the first communication session and/or the second communication session to be terminated.

Inventors:
DU ZHIMIN (CN)
ZHANG WENTAO (CN)
LI YAN (CN)
Application Number:
PCT/CN2012/080033
Publication Date:
February 20, 2014
Filing Date:
August 13, 2012
Assignee:
QUALCOMM INC (US)
DU ZHIMIN (CN)
ZHANG WENTAO (CN)
LI YAN (CN)
International Classes:
H04W12/06
Foreign References:
CN101159624A    2008-04-09
CN1645826A      2005-07-27
CN101895997A    2010-11-24
CN102325325A    2012-01-18
Attorney, Agent or Firm:
NTD PATENT & TRADEMARK AGENCY LIMITED (Block A Investment Plaza, 27 Jinrongdajie,Xicheng District, Beijing 3, CN)
Claims:
CLAIMS

WHAT IS CLAIMED IS:

1. A method operational at network entity for detecting concurrent use of authentication parameters from the same subscription on different networks, comprising:

receiving a first set of authentication parameters from a first terminal seeking to establish a first communication session via a first network;

receiving a second set of authentication parameters from a second terminal seeking to establish a second communication session via a second network;

ascertaining, at the network entity, whether the first and second sets of authentication parameters are from the same subscription; and

terminating at least one of the first communication session and/or the second communication session if the first and second sets of authentication parameters are from the same subscription.

2. The method of claim 1 wherein the first network is a code division multiple access (CDMA)-based High Rate Packet Data (HRPD) network and the second network is a CDMA-based enhanced HRPD network.

3. The method of claim 2, wherein the HRPD network connects to a 3GPP2 core network and the eHRPD network connects to a 3GPP Evolved Packet core network.

4. The method of claim 1 wherein the first and second sets of authentication parameters are from the same subscription if at least a user identifier is the same for both sets of authentication parameters.

5. The method of claim 1, further comprising:

authenticating the first terminal using the first set of authentication parameters; and

approving establishment of the first communication session only if authentication is successful and the first set of authentication parameters is different from sets of parameters used for existing communication sessions over the first and second networks.

6. The method of claim 1, further comprising:

authenticating the second terminal using the second set of authentication parameters; and

approving establishment of the second communication session only if authentication is successful and the second set of authentication parameters is different from sets of parameters used for existing communication sessions over the first and second networks.

7. The method of claim 1, wherein terminating at least one of the first communication session and/or the second communication session includes terminating the oldest established session from among the first communication session and second communication session.

8. The method of claim 1, wherein terminating at least one of the first communication session and/or the second communication session includes terminating the newest established session from among the first communication session and second communication session.

9. The method of claim 1, wherein terminating at least one of the first communication session and/or the second communication session includes terminating both the first communication session and second communication session.

10. The method of claim 1, wherein terminating at least one of the first communication session and/or the second communication session includes terminating either the first communication session or the second communication session depending on whether the subscription has a pre-established association with first wireless terminal or second wireless terminal according to a service provider.

11. The method of claim 1, wherein the network entity is a Home Access Network Authentication, Authorization, and Accounting (AN-AAA) server in communication with both the first and second networks.

12. The method of claim 11, wherein if the first and second sets of authentication parameters are from the same subscription, the Home AN-AAA server indicates to either an enhanced access network of the first network or an access network of the second network that at least one of the first communication session and the second communication session should be terminated.

13. The method of claim 11, wherein if the first and second sets of authentication parameters are from the same subscription, the Home AN-AAA server indicates to either an HRPD Serving Gateway (HSGW) of the first network or a Packet Data Serving Node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.

14. The method of claim 1, wherein the network entity is an integrated 3GPP/3GPP2 Home AAA server between the first and second networks.

15. The method of claim 14, wherein if the first and second sets of authentication parameters are from the same subscription, the 3GPP/3GPP2 Home AAA server indicates to either an HRPD Serving Gateway (HSGW) of the first network or a Packet Data Serving Node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.

16. The method of claim 1, wherein the network entity is a device communicatively coupled to an HRPD Serving Gateway (HSGW) of the first network and a Packet Data Serving Node (PDSN) of the second network.

17. The method of claim 1, wherein the network entity is a device communicatively coupled to a 3GPP Home AAA server of the first network and a 3GPP2 Home AAA server of the second network.

18. A network device, comprising:

a communication interface adapted to communicate with a first network and a second network;

a processing circuit coupled to the communication interface, the processing circuit adapted to:

receive a first set of authentication parameters from a first terminal seeking to establish a first communication session via the first network;

receive a second set of authentication parameters from a second terminal seeking to establish a second communication session via the second network;

ascertain whether the first and second sets of authentication parameters are from the same subscription; and

terminate at least one of the first communication session and/or the second communication session if the first and second sets of authentication parameters are from the same subscription.

19. The network device of claim 18, wherein the first network is a code division multiple access (CDMA)-based High Rate Packet Data (HRPD) network and the second network is a CDMA-based enhanced HRPD network.

20. The network device of claim 19, wherein the HRPD network connects to a 3GPP2 core network and the eHRPD network connects to a 3GPP Evolved Packet core network.

21. The network device of claim 18, wherein the first and second sets of authentication parameters are from the same subscription if at least a user identifier is the same for both sets of authentication parameters.

22. The network device of claim 18, wherein the processing circuit is further adapted to:

authenticate the first terminal using the first set of authentication parameters; and

approve establishment of the first communication session only if authentication is successful and the first set of authentication parameters is different from sets of parameters used for existing communication sessions over the first and second networks.

23. The network device of claim 18, wherein the processing circuit is further adapted to:

authenticate the second terminal using the second set of authentication parameters; and

approve establishment of the second communication session only if authentication is successful and the second set of authentication parameters is different from sets of parameters used for existing communication sessions over the first and second networks.

24. The network device of claim 18, wherein terminating at least one of the first communication session and/or the second communication session includes terminating the oldest established session from among the first communication session and second communication session.

25. The network device of claim 18, wherein terminating at least one of the first communication session and/or the second communication session includes terminating the newest established session from among the first communication session and second communication session.

26. The network device of claim 18, wherein terminating at least one of the first communication session and/or the second communication session includes terminating both the first communication session and second communication session.

27. The network device of claim 18, wherein terminating at least one of the first communication session and/or the second communication session includes terminating either the first communication session or the second communication session depending on whether the subscription has a pre-established association with first wireless terminal or second wireless terminal according to a service provider.

28. The network device of claim 18, wherein the network device is a Home Access Network Authentication, Authorization, and Accounting (AN-AAA) server in communication with both the first and second networks.

29. The network device of claim 28, wherein if the first and second sets of authentication parameters are from the same subscription, the Home AN-AAA server indicates to either an enhanced access network of the first network or an access network of the second network that at least one of the first communication session and the second communication session should be terminated.

30. The network device of claim 28, wherein if the first and second sets of authentication parameters are from the same subscription, the Home AN-AAA server indicates to either an HRPD Serving Gateway (HSGW) of the first network or a Packet Data Serving Node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.

31. The network device of claim 18, wherein the network device is an integrated 3GPP/3GPP2 Home AAA server between the first and second networks.

32. The network device of claim 31, wherein if the first and second sets of authentication parameters are from the same subscription, the 3GPP/3GPP2 Home AAA server indicates to either an HRPD Serving Gateway (HSGW) of the first network or a Packet Data Serving Node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.

33. The network device of claim 18, wherein the network device is communicatively coupled to an HRPD Serving Gateway (HSGW) of the first network and a Packet Data Serving Node (PDSN) of the second network.

34. The network device of claim 18, wherein the network device is communicatively coupled to a 3GPP Home AAA server of the first network and a 3GPP2 Home AAA server of the second network.

35. A network device, comprising:

means for receiving a first set of authentication parameters from a first terminal seeking to establish a first communication session via a first network;

means for receiving a second set of authentication parameters from a second terminal seeking to establish a second communication session via a second network;

means for ascertaining, at the network entity, whether the first and second sets of authentication parameters are from the same subscription; and

means for terminating at least one of the first communication session and/or the second communication session if the first and second sets of authentication parameters are from the same subscription.

36. The network device of claim 35, wherein the first network is a code division multiple access (CDMA)-based High Rate Packet Data (HRPD) network and the second network is a CDMA-based enhanced HRPD network.

37. The network device of claim 35 wherein the first and second sets of authentication parameters are from the same subscription if at least a user identifier is the same for both sets of authentication parameters.

38. A processor-readable storage medium having one or more instructions operational in a network device, which when executed by one or more processors causes the one or more processors to:

receive a first set of authentication parameters from a first terminal seeking to establish a first communication session via a first network;

receive a second set of authentication parameters from a second terminal seeking to establish a second communication session via a second network;

ascertain, at the network entity, whether the first and second sets of authentication parameters are from the same subscription; and

terminate at least one of the first communication session and/or the second communication session if the first and second sets of authentication parameters are from the same subscription.

Description:
ANTI-UICC-CARD-FRAUD DETECTION AND CONTROL FOR TERMINALS ACCESSING HRPD AND EHRPD NETWORKS

BACKGROUND

Field

[0001] Various features relate to communication devices, methods, and networks that inhibit illegal use of authentication parameters for the same wireless service subscriptions by different wireless terminals on different networks.

Background

[0002] Evolution-Data Optimized or Evolution-Data Only (EV-DO, EV, EVDO, etc.) is a 3G telecommunications standard for the wireless transmission of data through radio signals. It may use multiplexing techniques including code division multiple access (CDMA) as well as time division multiplexing (TDM) to maximize both individual users' throughput and the overall system throughput. EV-DO has been standardized by 3rd Generation Partnership Project 2 (3GPP2) as part of the CDMA2000 family of standards. High Rate Packet Data (HRPD) is defined by International Standard IS-856 and is commonly known as 1xEV-DO. HRPD stands for "high rate packet data" and is a high-speed CDMA-based wireless data technology (e.g., cdma2000) developed by Qualcomm™.

[0003] Long Term Evolution (LTE) is a standard for wireless data communications technology and an evolution of the GSM/UMTS standards. LTE was developed to increase the capacity and speed of wireless data networks. LTE networks are IP-based and significantly reduce transfer latency compared to 3G network architectures. As operators transition to LTE, some CDMA2000 operators have sought to leverage their existing investment in 3GPP2 network infrastructure. In order to implement a gradual transition from High Rate Packet Data (HRPD) to LTE, CDMA operators have sought a migration path that enhances their existing HRPD networks and addresses LTE deployment requirements while avoiding a full upgrade of the CDMA network to an LTE network. The choice of migration path depends on many factors including radio access strategy, network resource strategy, services enabled, timing and cost. A key goal of LTE is to enhance service provisioning while simplifying interworking with non-3GPP mobile networks.

[0004] To leverage existing CDMA2000 HRPD network deployments and technology, enhanced/evolved HRPD (eHRPD) mode has been proposed for the smooth migration from CDMA-based HRPD to LTE. eHRPD is a method that allows CDMA network operators to upgrade their existing HRPD packet core networks using elements of the LTE core network (i.e., System Architecture Evolution SAE which implements an Evolved Packet Core EPC architecture). eHRPD has the same air interface (i.e., physical to application layers) as HRPD, plus a few new subtypes and functions in the IP layer. The eHRPD Radio Access Network (RAN) accesses the 3GPP Evolved Packet Core (EPC) core network (i.e., for an LTE network) while the HRPD RAN accesses the 3GPP2 core network (i.e., for a CDMA network).

[0005] As a result of the tight air interface relationship between HRPD and eHRPD, any HRPD/eHRPD terminal (e.g., mobile device, wireless phone, etc.) can operate in a HRPD network or an eHRPD network at any one time, but not both networks simultaneously. Because of this non-overlapping network architecture design, an HRPD network at location A and hosting an HRPD session for a first terminal does not know when a second terminal has established an eHRPD session in an eHRPD network in location B using the same UICC card parameters. That is, the HRPD session for the first terminal may have been established using authentication parameters for a first subscription (e.g., wireless service subscription or user account) and those same authentication parameters for the first subscription are used by the second terminal in establishing the eHRPD session. Since the HRPD network does not initiate re-authentication on its own, the old (e.g., illegal) HRPD session is still being maintained with the first terminal even after the new eHRPD session has been established with the second terminal. Consequently, the first and second terminals may successfully open and keep HRPD and eHRPD sessions, respectively, using parameters from the same UICC card (e.g., authentication parameters for the same wireless service subscription or account), but one after another. In this example, the HRPD session becomes illegal once the UICC card is removed from the first terminal or once the eHRPD session is concurrently established using the same authentication parameters (for the same subscription/account) and should be released. Since illegal HRPD sessions may exist under these circumstances, operators (e.g., mobile phone service providers) may lose revenues if the user of the legal UICC card subscribes to a service package with a monthly flat fee.

[0006] Consequently, there is a need for a solution(s) that allows detecting when a UICC card (or authentication parameters and/or subscriber account information therein) is being concurrently used with sessions by terminals operating in different networks and releasing one or both sessions as a result.

SUMMARY

[0007] A method operational at network entity/device is provided for detecting concurrent use of authentication parameters from the same subscription on different networks. A first set of authentication parameters is received at the network entity from a first terminal seeking to establish a first communication session via a first network. A second set of authentication parameters is similarly received at the network entity from a second terminal seeking to establish a second communication session via a second network. The network entity may then ascertain whether the first and second sets of authentication parameters are from the same subscription. If the first and second sets of authentication parameters are determined to be from the same subscription, the network entity may cause at least one of the first communication session and/or the second communication session to be terminated.

[0008] In one example, the first network may be a code division multiple access (CDMA)-based High Rate Packet Data (HRPD) network and the second network is a CDMA-based enhanced HRPD network, or vice-versa. The HRPD network connects to a 3GPP2 core network and the eHRPD network connects to a 3GPP Evolved Packet core network.

[0009] In one instance, the first and second sets of authentication parameters are from the same subscription if at least a user identifier is the same for both sets of authentication parameters.

[0010] In one implementation, the first terminal may be authenticated using the first set of authentication parameters. Establishment of the first communication session may be approved only if authentication is successful and the first set of authentication parameters is different from sets of parameters used for existing communication sessions over the first and second networks.

[0011] In another implementation, the second terminal may be authenticated using the second set of authentication parameters. Establishment of the second communication session may be approved only if authentication is successful and the second set of authentication parameters is different from sets of parameters used for existing communication sessions over the first and second networks.

[0012] According to a first example, the network entity/device may be a Home Access Network Authentication, Authorization, and Accounting (AN-AAA) server in communication with both the first and second networks. In one instance, if the first and second sets of authentication parameters are from the same subscription, the Home AN-AAA server indicates to either an enhanced access network of the first network or an access network of the second network that at least one of the first communication session and the second communication session should be terminated. In another instance, if the first and second sets of authentication parameters are from the same subscription, the Home AN-AAA server indicates to either an HRPD Serving Gateway (HSGW) of the first network or a Packet Data Serving Node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.

[0013] According to a second example, the network entity/device may be an integrated 3GPP/3GPP2 Home AAA server between the first and second networks. In one instance, if the first and second sets of authentication parameters are from the same subscription, the 3GPP/3GPP2 Home AAA server indicates to either an HRPD Serving Gateway (HSGW) of the first network or a Packet Data Serving Node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.

[0014] According to a third example, the network entity/device may be communicatively coupled to an HRPD Serving Gateway (HSGW) of the first network and a Packet Data Serving Node (PDSN) of the second network.

[0015] According to a fourth example, network entity/device may be communicatively coupled to a 3GPP Home AAA server of the first network and a 3GPP2 Home AAA server of the second network.

DRAWINGS

[0016] Various features, nature and advantages may become apparent from the detailed description set forth below when taken in conjunction with the drawings in which like reference characters identify correspondingly throughout.

[0017] FIG. 1 illustrates an exemplary network environment in which a network component may be adapted to identify when HRPD/eHRPD sessions on different networks are concurrently using the same credentials from a UICC card.

[0018] FIG. 2 is a block diagram illustrating how sessions for HRPD and eHRPD networks may be tracked to ascertain if concurrent/overlapping HRPD/eHRPD sessions are utilizing the same authentication parameters.

[0019] FIG. 3 illustrates a first exemplary approach in which a Home Access Network Authentication, Authorization, and Accounting Server (Home AN-AAA Server) in combination with the Access Network (AN) / enhanced Access Network (eAN) are used to inhibit concurrent reuse of the same authentication parameters (e.g., originating at the same UICC card) by different terminals on different networks.

[0020] FIG. 4 illustrates a second exemplary approach in which a Home Access Network Authentication, Authorization, and Accounting Server (Home AN-AAA Server) in combination with the Packet Data Serving Node (PDSN) and HRPD Serving Gateway (HSGW) are used to inhibit concurrent reuse of the same authentication parameters (e.g., originating at the same UICC card and/or associated/corresponding to the same wireless service subscription) by different terminals on different networks.

[0021] FIG. 5 illustrates a third exemplary approach in which an integrated 3GPP/3GPP2 Home Authentication, Authorization, and Accounting Server (Home AAA Server) gets registration information from both the HRPD network and eHRPD network, and therefore can detect if multiple wireless terminals are using the same authentication parameters (e.g., identifiers belonging to the same UICC card and/or wireless service subscription).

[0022] FIG. 6 is a block diagram illustrating an exemplary Home AN-AAA Server/Device that may be adapted to perform cross-network session tracking and termination of illegal sessions.

[0023] FIG. 7 is a block diagram illustrating an exemplary Integrated 3GPP/3GPP2 Home AAA Server/Device that may be adapted to perform cross-network session tracking and termination of illegal sessions.

[0024] FIG. 8 illustrates a fourth exemplary approach in which a new UbiLocator component is connected to both the Packet Data Serving Node (PDSN) and HRPD Serving Gateway (HSGW), and is used to inhibit concurrent reuse of the same authentication parameters (e.g., identifiers belonging to the same UICC card and/or wireless service subscription).

[0025] FIG. 9 illustrates a fifth exemplary approach in which a new UbiLocator component is introduced between the 3GPP2 AAA server and 3GPP HSS/H-AAA server, to record the users' registration and de-registration states in the HRPD network and eHRPD network.

[0026] FIG. 10 is a block diagram illustrating an exemplary UbiLocator Component/Device that may be adapted to perform cross-network session tracking and termination of illegal sessions.

[0027] FIG. 11 is a flow diagram illustrating a method operational at network entity for detecting simultaneous use of user authentication parameters from the same subscription on different networks.

DETAILED DESCRIPTION

[0028] In the following description, specific details are given to provide a thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits may be shown in block diagrams in order to avoid obscuring the embodiments in unnecessary detail. In other instances, well-known circuits, structures and techniques may not be shown in detail in order not to obscure the embodiments.

[0029] The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any implementation or embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments. Likewise, the term "embodiments" does not require that all embodiments include the discussed feature, advantage or mode of operation.

Overview

[0030] To solve the problem of two or more terminals reusing the same authentication parameters from a UICC card in concurrent and/or overlapping HRPD/eHRPD sessions in different networks, an existing or new network component is assigned to interconnect the HRPD and eHRPD networks. In particular, this existing or new network component may be used to record, track, and/or compare whether terminals are concurrently using parameters (e.g., authentication information, subscriber account information, etc.), associated with the same UICC card, to authenticate and/or establish separate data communication sessions on different networks. If such concurrent or overlapping use is detected, then the network component may send a command to release one or both sessions. In one example, the network component may release the oldest HRPD/eHRPD session. In another example, the network component may conclude that the account information in the UICC card has been compromised and release both HRPD and eHRPD sessions and/or invalidate the account information so that it cannot be used to establish future HRPD/eHRPD sessions.
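The record, track and compare step described in this overview can be sketched as follows. This is an added example, not code from the patent or from any AAA product; it also covers the release-newest option from the claims. The class and field names, the per-terminal identifier, and the table linking the HRPD NAI and EPC NAI of one card to one subscription key are assumptions made for illustration, and the sample sessions are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    RELEASE_OLDEST = 1
    RELEASE_NEWEST = 2
    RELEASE_BOTH = 3
    RELEASE_BOTH_AND_INVALIDATE = 4


@dataclass(frozen=True)
class Session:
    network: str      # "HRPD" or "eHRPD"
    terminal_id: str  # assumption: a per-terminal identifier sent with the request
    user_id: str      # NAI presented during authentication
    started: int      # registration time in seconds


@dataclass
class Decision:
    approved: bool                               # may the new session be established?
    release: list = field(default_factory=list)  # sessions to be terminated
    reason: str = ""


class CrossNetworkTracker:
    """Records active sessions reported by both networks, keyed by subscription."""

    def __init__(self, policy, nai_to_subscription=None):
        self.policy = policy
        # Assumption: provisioning data that links the HRPD NAI (CSIM) and the
        # EPC NAI (USIM) of one UICC card to a single subscription key.
        self.nai_to_subscription = dict(nai_to_subscription or {})
        self.active = {}          # subscription key -> Session
        self.invalidated = set()  # subscriptions barred from new sessions

    def subscription_of(self, user_id):
        # Without provisioning data, fall back to "same user identifier".
        return self.nai_to_subscription.get(user_id, user_id)

    def register(self, new, authenticated):
        if not authenticated:
            return Decision(False, [], "authentication failed")
        sub = self.subscription_of(new.user_id)
        if sub in self.invalidated:
            return Decision(False, [], "subscription invalidated")
        old = self.active.get(sub)
        if old is None or old.terminal_id == new.terminal_id:
            # First session, or the same terminal moving between networks.
            self.active[sub] = new
            return Decision(True, [], "no concurrent use")
        # Two different terminals are using one subscription at the same time.
        # Sort by start time so late-arriving reports are still ordered correctly.
        older, newer = sorted((old, new), key=lambda s: s.started)
        if self.policy is Policy.RELEASE_OLDEST:
            keep, release = newer, [older]
        elif self.policy is Policy.RELEASE_NEWEST:
            keep, release = older, [newer]
        else:
            keep, release = None, [older, newer]
            if self.policy is Policy.RELEASE_BOTH_AND_INVALIDATE:
                self.invalidated.add(sub)
        if keep is None:
            self.active.pop(sub, None)
        else:
            self.active[sub] = keep
        return Decision(keep is new, release, "concurrent use of one subscription")

    def deregister(self, user_id, terminal_id):
        # Called when a serving node reports that a session has ended.
        sub = self.subscription_of(user_id)
        held = self.active.get(sub)
        if held is not None and held.terminal_id == terminal_id:
            del self.active[sub]


# Constructed sample data: one card, two terminals, two networks.
NAI_MAP = {"user1@hrpd.example": "sub-0001", "user1@epc.example": "sub-0001"}
S_HRPD = Session("HRPD", "AT-A", "user1@hrpd.example", 100)
S_EHRPD = Session("eHRPD", "AT-B", "user1@epc.example", 200)


def run(policy):
    tracker = CrossNetworkTracker(policy, NAI_MAP)
    first = tracker.register(S_HRPD, authenticated=True)
    second = tracker.register(S_EHRPD, authenticated=True)
    return tracker, first, second


if __name__ == "__main__":
    for policy in Policy:
        _, _, second = run(policy)
        print(policy.name, second.approved, [s.network for s in second.release])
```

The `release` list is what the tracking component would pass to the serving nodes; how that indication is signalled is outside this sketch.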

Exemplary Network Operating Environment

[0031] FIG. 1 illustrates an exemplary network environment in which a network component may be adapted to identify when HRPD/eHRPD sessions on different networks are concurrently using the same credentials from a UICC card. A first subscriber wireless network 101 may include one or more access points 106 (e.g., Access Network, base stations, etc.) coupled to a 3GPP2 core network 110 and which serve to provide wireless service to one or more wireless terminals 108 within a first region 102. Similarly, a second subscriber wireless network 103 may include one or more access points 114 (e.g., evolved Access Network, base stations, etc.) coupled to a 3GPP EPC core network 116 and which serve to provide wireless service to one or more wireless terminals 112 within a second region 104. For purposes of illustration, the first subscriber wireless network 101 may be referred to as a "HRPD network" since it supports establishment of HRPD sessions and the second subscriber wireless network 103 may be referred to as an "eHRPD network" since it supports establishment of eHRPD sessions.

[0032] The first subscriber wireless network 101 (e.g., HRPD network) and second subscriber wireless network 103 (e.g., eHRPD network) may rely on parameters (e.g., subscriber account information, authentication information, etc., associated with or corresponding to a subscription) stored in a UICC card of a wireless terminal to authenticate a subscriber (and/or the wireless terminal) and establish a communication session (e.g., HRPD session or eHRPD session). There are two types of authentications for terminals operating in HRPD and eHRPD networks: access network authentication and core network authentication.

[0033] If an eHRPD network (e.g., second subscriber wireless network 103) seeks access network authentication, the wireless terminal AT-B 112 uses an HRPD Network Access Identifier (NAI), an HRPD shared secret, and an MD5 security function from the CDMA Subscriber Identity Module (CSIM) application in the user's Universal Integrated Circuit Card (UICC) card to perform the A12 authentication (i.e., access network authentication for 1xEV-DO). The wireless terminal AT-B 112 uses an evolved packet core (EPC) network access identifier (NAI), Key and Authentication and Key Agreement (AKA) security functions from a Universal Subscriber Identity Module (USIM) application in the user's UICC card to perform EPC core network authentication.

[0034] By contrast, an HRPD network (e.g., first subscriber wireless network 101) uses a NAI and a Shared Secret (SS) from the CDMA Subscriber Identity Module (CSIM) application (e.g., in a user's UICC card of a wireless terminal) to perform access network authentication and core network authentication.

[0035] With eHRPD networks (e.g., second subscriber wireless network 103), core network authentication is more critical, while with HRPD networks (e.g., first subscriber wireless network 101) access network authentication is more critical. In network systems in which HRPD and eHRPD coexist, the same home access network authentication authorization and accounting (Home AN-AAA) entity on the network side (e.g., part of the core networks 110 and 116) may be involved for HRPD and eHRPD access network authentication for the same subscriber. Note that access network authentication alone cannot be relied on to detect illegal use of authentication parameters for a UICC card (e.g., for the same subscription). First, access network authentication is not mandated for eHRPD, so operators may choose to disable access network authentication for eHRPD. Consequently, such authentication may not be performed in some instances. Second, even if access network authentication is enabled in the eHRPD network, a typical Home AN-AAA only knows that a new visiting AN-AAA (e.g., associated with a new AN or new eAN) is seeking to perform access network authentication for a particular service subscription or account, but has no knowledge and/or does not care whether a previous session which used the same parameters (e.g., using the same wireless service subscription) has been released. Note that the AN-AAA server used for access network authentication and the AAA servers used for core network authentication are typically different logical and physical entities. Moreover, in traditional networks different authentication authorization and accounting (AAA) entities are typically involved for HRPD and eHRPD core network authentications (e.g., 3GPP2 Home AAA for HRPD networks and 3GPP Home AAA for eHRPD networks). Thus, because such traditional HRPD/eHRPD networks perform independent core network authentications, they are unable to ascertain when the same parameters from the same UICC card (or subscriber account information therein, or corresponding to the same wireless service subscription with a network operator or service provider) are being used to establish concurrent or overlapping HRPD and eHRPD sessions on different networks.

[0036] To detect, inhibit, and/or prevent the use of subscriber/device authentication parameters (e.g., associated with a particular UICC card, wireless service subscription, and/or subscriber/device account information therein) to illegally establish concurrent and/or overlapping HRPD and eHRPD sessions on different networks, a network entity and/or function 116 is introduced. The network entity and/or function 116 may allow two or more different networks 101 and 103 to verify or cross-reference their access network authentications and/or core network authentications. If this network entity and/or function 116 finds more than one terminal using the same subscriber/authentication parameters associated with the same UICC card to access the HRPD and eHRPD networks 101 and 103 concurrently, simultaneously, contemporaneously, and/or during overlapping time periods, it causes the release of the oldest session, release of the newest session, release of both sessions, and/or invalidation of those parameters being used (e.g., authentication and/or account parameters found in a UICC card associated/corresponding to a particular wireless service subscription).

[0037] Note that while the first and second regions 102 and 104, respectively, are illustrated as being separate geographical regions, in some implementations they may be overlapping and/or co-extensive geographical regions.

[0038] There are various ways in which wireless networks may determine if the same subscriber/device authentication parameters (e.g., associated with a particular UICC card or subscription/subscriber/device account information therein) are being concurrently and/or illegally used on other networks by different wireless terminals for concurrent/overlapping HRPD/eHRPD sessions. In one exemplary implementation, an existing network entity or component (e.g., Home AN-AAA, 3GPP/3GPP2 Home AAA, etc.) may be reused or enhanced to perform such a check. In another exemplary implementation, a new network entity or component may be assigned or set up to check for concurrent/overlapping HRPD/eHRPD sessions.

[0039] FIG. 2 is a block diagram illustrating how sessions for HRPD and eHRPD networks 204 and 202 may be tracked to ascertain if concurrent/overlapping HRPD/eHRPD sessions are utilizing the same authentication parameters. The eHRPD network 202 may include an enhanced access network (eAN) 210, a HRPD Serving Gateway (HSGW) 212, an eHRPD 3GPP2 proxy AAA server 214, and a 3GPP Home Subscriber Server and Home Authentication Authorization and Accounting Server (3GPP HSS/H-AAA server) 216. The HRPD network 204 may include an access network 220, a Packet Data Serving Node (PDSN) 222, a HRPD 3GPP2 proxy AAA server 224, and a 3GPP2 Home Authentication Authorization and Accounting Server (3GPP2 H-AAA Server) 226. A home access network authentication authorization accounting server (Home AN-AAA server) 228 may be used by both the HRPD/eHRPD networks 204/202 for access network authentication. A cross-network session tracker 230 may be implemented in an existing network component or a new network component to track sessions on the HRPD/eHRPD networks 204/202.

[0040] A first wireless terminal 206 may legally/validly obtain authentication parameters 232 (e.g., from its own UICC card). Such authentication parameters may include, for example, network access identifier (NAI) and Key and Authentication and Key Agreement (AKA) security functions, among others that serve to identify a subscriber, a subscriber account and/or a device identifier (e.g., International Mobile Subscriber Identity). The first wireless terminal 206 may seek to initiate a data session via the eHRPD Network 202 by requesting an eHRPD session 234. This may involve an access network authentication request 236 with the Home AN-AAA 228 and a core network authentication request 238 with the 3GPP HSS/H-AAA 216 using one or more of the authentication parameters. If access network authentication 236 and core network authentication 238 are successful, an eHRPD session 254 is established. Upon establishment of the eHRPD session 254, the Cross-Network Session Tracker 230 may track such session based on the authentication parameter(s) and/or wireless terminal 240.

[0041] A second wireless terminal 208 may illegally obtain authentication parameters 242 or other information for a wireless service subscription/account. For instance, some of these authentication parameters may have been copied from the UICC card for the first wireless terminal 206. Another example of an illegal use situation may be when a valid UICC card in the first wireless terminal 206 is replaced by a fake UICC card to maintain the session, and the valid UICC card is then used in the second wireless terminal 208. The second wireless terminal 208 may seek to initiate a data session via the HRPD Network 204 by requesting a HRPD session 244 using, at least partially, the same authentication parameters as previously used by the first wireless terminal 206 for the eHRPD session 254. This may involve an access network authentication request 246 with the Home AN-AAA 228 and a core network authentication request 248 with the 3GPP2 H-AAA 226 using one or more of the authentication parameters. Upon establishing or attempting to establish the HRPD session 256, the Cross-Network Session Tracker 230 may track such session based on the authentication parameter(s) and/or wireless terminal 240.

[0042] Prior to establishing the HRPD session 256, concurrent with the establishment of the HRPD session 256 (e.g., while access network authentication and/or core network authentication is occurring), and/or after the HRPD session 256 has been established, the Cross-Network Session Tracker 230 may monitor and/or detect usage of authentication parameters for data sessions. For instance, the Cross-Network Session Tracker 230 may detect that the same authentication parameters (Params-A) are being used by the second wireless terminal 208 for its HRPD session 256 as were used by the first wireless terminal 206 for its eHRPD session 254 which is still active. Therefore, the Cross-Network Session Tracker 230 may terminate at least one of the sessions (e.g., the oldest session is terminated, the newest session is terminated, both sessions are terminated, and/or the session started by a wireless terminal not associated with the authentication parameters).

[0043] While the example illustrated in FIG. 2 shows that the eHRPD session 254 is established first, the Cross-Network Session Tracker 230 operates the same way if the HRPD session 256 is established first. For instance, the second wireless terminal 208 may establish the HRPD session 256 first, then the first wireless terminal 206 will try to establish a concurrent or overlapping illegal eHRPD session 254 with the authentication parameters from the same subscription. The Cross-Network Session Tracker 230 may monitor and/or detect usage of authentication parameters for existing and/or newly requested data sessions (e.g., HRPD/eHRPD sessions) and acts to terminate at least one of the sessions (e.g., the oldest session is terminated, the newest session is terminated, both sessions are terminated, and/or the session started by a wireless terminal not associated with the authentication parameters).

Exemplary Reuse of Network Entity/Component to Detect Illegal HRPD/eHRPD Sessions

[0044] In various exemplary implementations, an existing network entity/component (e.g., Home AN-AAA, 3GPP/3GPP2 Home AAA, etc.) may be modified or configured to detect when concurrent/overlapping HRPD/eHRPD sessions in different networks have been established or are in the process of being established.

[0045] FIG. 3 illustrates a first exemplary approach in which a Home Access Network Authentication, Authorization, and Accounting Server (Home AN-AAA Server) 316 in combination with the Access Network (AN) 328 / enhanced Access Network (eAN) 314 are used to inhibit concurrent reuse of the same authentication parameters (e.g., originating at the same UICC card) by different terminals on different networks. A first CDMA-based network may be an eHRPD network 302 and a second CDMA-based network may be a HRPD network 304, or vice versa.

[0046] The eHRPD network 302 may include an evolved Access Network (eAN) 314, an HRPD Serving Gateway (HSGW) 312, a home access network authentication authorization accounting server (Home AN-AAA server) 316, an eHRPD 3GPP2 proxy AAA server 310, a Packet Data Network Gateway (PDN-GW) 318, and a 3GPP Home Subscriber Server and Home Authentication Authorization and Accounting Server (3GPP HSS/H-AAA server) 320. The eAN 314 may provide one or more access nodes (e.g., base stations, etc.) that provide wireless access and/or connectivity to a first wireless terminal 306, thereby enabling the first wireless terminal to communicate via the eHRPD Network 302. The Home AN-AAA Server 316 may be involved in access network authentication for the eHRPD and HRPD networks 302 and 304. The eHRPD 3GPP2 proxy AAA server 310 may be involved in core network authentication for the eHRPD network 302. The HSGW 312 may serve to converge mobility management between HRPD and LTE networks. The HSGW 312 may provide interworking between the HRPD access node and the Packet Data Network Gateway (PDN-GW) 318 (which is part of SAE/EPC of the LTE network). The PDN-GW 318 may be the termination point for sessions of the packet data interface towards an LTE Network 319 (e.g., Packet Data Network). The 3GPP HSS/H-AAA server 320 may perform Home Subscriber Server (HSS) functions, such as storing and updating user subscription information and generating security information from user identity key, as well as Home Authentication, Authorization, and Accounting functions, including core network authentication.

[0047] The HRPD network 304 may include an Access Network (AN) 328, a Packet Data Serving Node (PDSN) 322, the home access network authentication authorization accounting server (Home AN-AAA server) 316, a HRPD 3GPP2 proxy AAA server 324, and a 3GPP2 Home Authentication Authorization and Accounting Server (3GPP2 H-AAA Server) 326. The AN 328 may provide one or more access nodes (e.g., base stations, etc.) that provide wireless access and/or connectivity to a second wireless terminal 308, thereby enabling the second wireless terminal to communicate via the HRPD Network 304. The PDSN 322 may act as the connection point between the radio access network 328 and IP networks 323, and may be responsible for managing point-to-point protocol (PPP) sessions between the core IP network and the second wireless terminal 308. The HRPD 3GPP2 proxy AAA server 324 may be involved in core network authentication for the HRPD network 304. The 3GPP2 H-AAA server 326 may perform Home Authentication, Authorization, and Accounting functions, including core network authentication.

[0048] The first wireless terminal 306 may operate according to parameters (e.g., subscriber information, account information, authentication information, etc., for a wireless service subscription) stored in a first UICC card 307 to authenticate the subscriber and/or device with the eHRPD Network 302 and establish a session. Similarly, the second wireless terminal 308 may operate according to parameters (e.g., subscriber information, account information, authentication information, etc., for a wireless subscription) stored in a second UICC card 309 to authenticate the subscriber and/or device with the HRPD Network 304 and establish a session. Typically, different wireless devices have UICC cards with distinct authentication parameters (e.g., parameters associated or corresponding to different wireless service subscriptions for a service provider). However, in some instances, the parameters in the second UICC card 309 may have been copied from the first UICC card 307 (or wireless service subscription / account information) or the first UICC card 307 may have been moved from the first wireless terminal 306 to the second wireless terminal 308.

[0049] In the exemplary implementation of FIG. 3, both the eAN 314 (for eHRPD network 302) and the AN 328 (for HRPD network 304) communicate with the same AN-AAA 316 (the user's Home AN-AAA) for access network authentication (e.g., A12 authentication). Here it is assumed that the eHRPD network 302 has also enabled access network authentication (e.g., A12 authentication).

[0050] In one example, the eAN 314 may have authenticated the first wireless terminal 306 (e.g., access network authentication and core network authentication) and established an eHRPD session 315 for the first wireless terminal 306 with the eHRPD network 302. When the AN 328 subsequently sends an Access-Request to the Home AN-AAA 316 on behalf of the second wireless terminal 308 to perform access network authentication for the same user identifier (e.g., using the same authentication parameters found in the first UICC 307), the Home AN-AAA 316 is configured to inform the previously registered eAN 314 to release the ongoing eHRPD session 315 after the new access authentication passes. This release command may be sent out a certain time after the success of the new access authentication for the second wireless terminal 308. This is to avoid a potential ping-pong effect between the two (e)ANs 314 and 328. Note that the terminals 306 and 308 access the eAN 314 and AN 328, respectively, with the same authentication parameter(s) (e.g., HRPD Network Access Identifier NAI) of the same subscription, so that Home AN-AAA 316 can identify each wireless terminal 306 and 308 (and/or UICC card 307 and 309) by an International Mobile Subscriber Identity (IMSI) assigned for CDMA mode that may be embedded in the HRPD NAI.

[0051] Similarly, in another example, the AN 328 may have authenticated the second wireless terminal 308 (e.g., access network authentication and core network authentication) and established a HRPD session 329 with the HRPD network 304. When the eAN 314 subsequently sends an Access-Request to the Home AN-AAA 316 on behalf of the first wireless terminal 306 to perform access network authentication for the same user identifier (e.g., using the same authentication parameters found in the second UICC 309), the Home AN-AAA 316 is configured to inform the previously registered AN 328 to release/terminate the ongoing HRPD session 329 after the new access authentication passes.

[0052] FIG. 4 illustrates a second exemplary approach in which a Home Access Network Authentication, Authorization, and Accounting Server (Home AN-AAA Server) 316 in combination with the Packet Data Serving Node (PDSN) 322 and HRPD Serving Gateway (HSGW) 312 are used to inhibit concurrent reuse of the same authentication parameters (e.g., originating at the same UICC card and/or associated/corresponding to the same wireless service subscription) by different terminals on different networks. This approach in FIG. 4 is similar to that illustrated in FIG. 3 but the Home AN-AAA 316 has one or more additional interfaces to connect with different network components. The 3GPP2 AN-AAA 316 is selected by connecting to the PDSN 322 and HSGW 312. In one example, the PDSN 322 (or through the serving AAA function it integrates or connects with) sends a RADIUS/DIAMETER message (e.g. Accounting-start) to the user's home AN-AAA once a user successfully establishes a PPP connection (or main A10 connection) with the user identifier. Once the user releases the PPP sessions, the PDSN (or through the serving AAA function it integrates or connects with) notifies the Home AN-AAA 316 again with another RADIUS/DIAMETER message (e.g. Accounting-stop) that the user is de-registered. In this way, the Home AN-AAA server 316 correctly records whether a user is in registered or de-registered status in the HRPD network 304. The HSGW 312 operates similarly to help the Home AN-AAA server 316 track whether a user is in registered or de-registered states in the eHRPD network 302. Here there is no need for the eHRPD network 302 to enable A12 Authentication. But the HSGW 312 may be pre-provisioned with all the user identifiers of each UICC user card, especially the mapping between the same user's EAP-AKA' NAI and (e)HRPD Access NAI, or the HSGW 312 has access to such information.

[0053] The user's Home AN-AAA 316 can thus find out if two or more wireless terminals 306 and 308 establish multiple HRPD/eHRPD sessions with the same set of parameters belonging to the same UICC card or wireless service subscription. If the Home AN-AAA 316 finds more than one terminal is using the parameters from the same UICC card or subscription in the HRPD and eHRPD networks 304 and 302, it may send a RADIUS/DIAMETER message (e.g. Disconnect, or Access-Reject) to the AN 328 / eAN 314 and/or the HSGW 312 / PDSN 322 to release the oldest session, release/block the newest session, or release both sessions. Alternatively, if a record of device-to-parameters is maintained or is available to the Home AN-AAA 316 for each subscription, then the session from a wireless terminal not associated with the authentication parameters may be terminated. Wireless terminals that wish to reestablish a released session must perform authentication again, which cannot be successful for wireless terminals with an illegal or fake UICC card.
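The registration tracking of paragraph [0052] and the release choices of paragraph [0053] can be sketched as follows. This is an added example, not code from the application: the class, field and policy names, the NAI strings and the device identifiers are constructed, and it assumes the registering node reports a device identifier with each Accounting-start.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    RELEASE_OLDEST = "oldest"
    RELEASE_NEWEST = "newest"
    RELEASE_BOTH = "both"
    RELEASE_UNBOUND_DEVICE = "unbound-device"


@dataclass(frozen=True)
class Session:
    network: str     # "HRPD" or "eHRPD"
    nai: str         # identifier presented at registration
    device_id: str   # assumption: reported by the PDSN/HSGW with the registration
    started: float   # registration time in seconds


class CrossNetworkSessionTracker:
    """Tracks registered sessions per subscription across both networks."""

    def __init__(self, nai_to_subscription, policy, bound_device=None):
        # Pre-provisioned mapping: every identifier of a UICC card -> one subscription.
        self.nai_to_subscription = dict(nai_to_subscription)
        self.policy = policy
        # Optional device-to-subscription record kept by the operator.
        self.bound_device = dict(bound_device or {})
        self.active = {}  # subscription -> {network: Session}

    def accounting_start(self, network, nai, device_id, ts):
        """Register a session; return the sessions that must be released."""
        sub = self.nai_to_subscription[nai]  # KeyError for an unknown identifier
        new = Session(network, nai, device_id, ts)
        held = self.active.setdefault(sub, {})
        # Conflict: same subscription, other network, different terminal.
        conflicts = [s for s in held.values()
                     if s.network != network and s.device_id != device_id]
        release = self._select(sub, new, conflicts) if conflicts else []
        for s in release:
            if s != new:
                held.pop(s.network, None)
        if new not in release:
            held[network] = new
        return release

    def accounting_stop(self, network, nai):
        """De-register the session of this subscription on the given network."""
        sub = self.nai_to_subscription[nai]
        self.active.get(sub, {}).pop(network, None)

    def _select(self, sub, new, conflicts):
        ordered = sorted(conflicts + [new], key=lambda s: s.started)
        if self.policy is Policy.RELEASE_OLDEST:
            return ordered[:-1]
        if self.policy is Policy.RELEASE_NEWEST:
            return ordered[-1:]
        if self.policy is Policy.RELEASE_UNBOUND_DEVICE and sub in self.bound_device:
            return [s for s in ordered if s.device_id != self.bound_device[sub]]
        # RELEASE_BOTH, or no device record on file (this example then releases both).
        return ordered


# Constructed identifiers: two NAIs of one UICC card map to the same subscription.
NAI_MAP = {
    "aka-prime-sub1@example.invalid": "SUB-1",    # EAP-AKA' NAI (USIM application)
    "hrpd-access-sub1@example.invalid": "SUB-1",  # (e)HRPD access NAI (CSIM application)
    "hrpd-access-sub2@example.invalid": "SUB-2",
}


def demo(policy):
    """Terminal A on eHRPD, then terminal B reuses the subscription on HRPD."""
    t = CrossNetworkSessionTracker(NAI_MAP, policy, bound_device={"SUB-1": "terminal-A"})
    t.accounting_start("eHRPD", "aka-prime-sub1@example.invalid", "terminal-A", 100.0)
    t.accounting_start("HRPD", "hrpd-access-sub2@example.invalid", "terminal-C", 110.0)
    released = t.accounting_start("HRPD", "hrpd-access-sub1@example.invalid",
                                  "terminal-B", 120.0)
    return [(s.network, s.device_id) for s in released], sorted(t.active["SUB-1"])


if __name__ == "__main__":
    for p in Policy:
        print(p.value, demo(p))
```

Each returned session corresponds to one Disconnect or Access-Reject toward the node that registered it; the delayed release that avoids the ping-pong effect of paragraph [0050] is not modelled here.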

[0054] FIG. 5 illustrates a third exemplary approach in which an integrated 3GPP/PP2 Home Authentication, Authorization, and Accounting Server (Home AAA Server) 327 gets registration information from both the HRPD network 304 and eHRPD network 302, and therefore can detect if multiple wireless terminals are using the same authentication parameters (e.g., identifiers belonging to the same UICC card and/or wireless service subscription). In one example, when the PDSN 322 in the HRPD network 304 registers a user (or subscription associated with that user) through the 3GPP2 Proxy AAA Server 324, the integrated 3GPP/PP2 Home AAA Server 327 may send a message to the HSGW 312 (which has previously registered the same user/subscription on the eHRPD network 302) requiring the HSGW 312 to release the eHRPD session 315 (e.g., the PPP session or main-A10 connection) corresponding to that user (or subscription associated with that user).

[0055] Similarly, in another example, when the HSGW 312 in the eHRPD network 302 registers a user (or subscription associated with that user) through the 3GPP2 Proxy AAA Server 310, the integrated 3GPP/PP2 Home AAA Server 327 may send a message to the PDSN 322 (which has previously registered the same user/subscription on the HRPD network 304) requiring/requesting the PDSN 322 to release HRPD session 329 (e.g., the PPP or main-A10 connection) corresponding to that user (or subscription associated with that user).

[0056] Note that in various alternative implementations, the integrated 3GPP/PP2 Home AAA Server 327 may elect to cancel, terminate, or deny a session according to different criteria. For instance, instead of merely terminating the oldest session, the integrated 3GPP/PP2 Home AAA Server 327 may act to block, deny, and/or terminate the newest session or both sessions. Alternatively, if a record is maintained by the wireless service provider/operator of the device (or device ID) associated with a particular wireless service subscription/account (and/or corresponding authentication parameter(s)), then the integrated 3GPP/PP2 Home AAA Server 327 may terminate the session that was started by a wireless terminal not associated with the authentication parameters and/or corresponding subscription.

[0057] To check whether the user (or subscription associated with that user) has been registered by another network, the integrated 3GPP/3GPP2 Home AAA 327 may know the parameters/identifiers/UICC card binding information in advance. There are at least two ways to get this information: it is pre-configured inside the Home AAA 327, or the HSGW 312 sends both the (e)HRPD Access NAI (from the CSIM application of the UICC card) and the EAP-AKA' NAI (from the USIM application of the UICC card) in one message.

[0058] FIG. 6 is a block diagram illustrating an exemplary Home AN-AAA Server/Device that may be adapted to perform cross-network session tracking and termination of illegal sessions. The Home AN-AAA server may be adapted or configured to perform one or more of the functions described with respect to FIGs. 2, 3 and/or 4 for example. The Home AN-AAA server 602 may include one or more processing circuits 606 coupled to a network communication interface/circuit 604 and/or a memory/storage device 608. The network communication interface/circuit 604 may be adapted to permit the Home AN-AAA Server 602 to communicate with, for example, a HRPD Network 601 (e.g., AN and/or PDSN) and/or an eHRPD Network 603 (e.g., eAN and/or HSGW). The processing circuit(s) 606 may include an access network authentication module/circuit/function 610, a cross-network session tracking module/circuit/function 612, an illegal session detector module/circuit/function 614, and/or a session terminator module/circuit/function 616. The access network authentication module/circuit/function 610 may be adapted to perform access network authentication for wireless terminals seeking to establish sessions over the HRPD Network 601 and/or the eHRPD Network 603. The cross-network session tracking module/circuit/function 612 may serve to track the sessions being established over the HRPD Network 601 and/or the eHRPD Network 603, including the parameters (e.g., authentication parameters, account information, NAIs, subscription, etc.) being used to establish such sessions. The illegal session detector module/circuit/function 614 may be adapted to determine if the authentication parameters being used for a new session in a first network were used by a currently active session in a second network (e.g., by different wireless devices).
If so, the session terminator module/circuit/function 616 may be adapted to cause at least one of the sessions to be terminated (e.g., the oldest session is terminated, the newest session is terminated, both sessions are terminated, and/or the session started by a wireless terminal not associated with the authentication parameters). The memory/storage device 608 may, optionally, also store a record of the cross-network sessions 618 (e.g., sessions on the HRPD network 601 and/or eHRPD network 603) to assist the cross-network tracking module/circuit/function 612 and/or the illegal session detector module/circuit/function 614.

[0059] FIG. 7 is a block diagram illustrating an exemplary integrated 3GPP/3GPP2 Home AAA Server/Device 702 that may be adapted to perform cross-network session tracking and termination of illegal sessions. The Integrated 3GPP/3GPP2 Home AAA Server/Device 702 may be adapted or configured to perform one or more of the functions described with respect to FIGs. 2 and/or 5 for example. The Integrated 3GPP/3GPP2 Home AAA Server/Device 702 may include one or more processing circuits 706 coupled to a network communication interface/circuit 704 and/or a memory/storage device 708. The network communication interface/circuit 704 may be adapted to permit the Integrated 3GPP/3GPP2 Home AAA Server/Device 702 to communicate with, for example, a HRPD Network 701 (e.g., HRPD 3GPP2 Proxy AAA Server and/or PDSN) and/or an eHRPD Network 703 (e.g., eHRPD 3GPP2 Proxy AAA Server and/or HSGW). The processing circuit(s) 706 may include or implement a 3GPP2 H-AAA module/circuit/function 710, a 3GPP HSS/H-AAA module/circuit/function 712, a session registration collection module/circuit/function 714, an illegal session detector module/circuit/function 716, and/or a session terminator module/circuit/function 718. The session registration collection module/circuit/function 714 may be adapted to obtain/receive session registration information from both the HRPD network 701 and eHRPD network 703. The illegal session detector module/circuit/function 716 may be adapted to determine if the authentication parameters being used for a new session in a first network were used by a currently active session in a second network (e.g., by different wireless devices). If so, the session terminator module/circuit/function 718 may be adapted to cause at least one of the sessions to be terminated (e.g., the oldest session is terminated, the newest session is terminated, both sessions are terminated, and/or the session started by a wireless terminal not associated with the authentication parameters).
The memory/storage device 708 may, optionally, also store a record of the cross-network sessions 720 (e.g., session registration information obtained by the session registration collection module/circuit/function 714) to assist the illegal session detector module/circuit/function 716 and/or the session terminator module/circuit/function 718 in performing their functions.

Exemplary Addition of New Network Entity/Component to Detect Illegal HRPD/eHRPD Sessions

[0060] In various exemplary implementations, a new network entity/component may be added to detect when concurrent/overlapping HRPD/eHRPD sessions in different networks have been established or are in the process of being established with the same parameters (e.g., authentication parameters, subscription information, service account information, etc.).

[0061] FIG. 8 illustrates a fourth exemplary approach in which a new UbiLocator component 802 is connected to both the Packet Data Serving Node (PDSN) 322 and HRPD Serving Gateway (HSGW) 312, and is used to inhibit concurrent reuse of the same authentication parameters (e.g., identifiers belonging to the same UICC card and/or wireless service subscription). Many of the components illustrated in FIG. 8 are similar to those described in FIG. 3. The UbiLocator component 802 may be adapted to record the user registration and de-registration states in the HRPD network 304 and eHRPD network 302. The UbiLocator component 802 may have a direct interface to the PDSN 322 and HSGW 312 using RADIUS/DIAMETER messages or some new messages. The PDSN 322 and HSGW 312 may send a notification to the UbiLocator component 802 for registration once a user successfully establishes a PPP session. Thus, the UbiLocator component 802 maintains a record of existing sessions on the HRPD network 304 and eHRPD network 302. Once those PPP sessions are released, the PDSN 322 and HSGW 312 send another message (e.g., de-registration message) to the UbiLocator component 802, notifying it that those users are now in de-registered status.

[0062] This approach assumes that the UbiLocator component 802 has been preconfigured to store all the identifiers for each UICC card in advance. If the UbiLocator component 802 finds more than one wireless terminal is using parameters from the same UICC card to access the HRPD network 304 and eHRPD network 302, it sends a RADIUS message (e.g. Access-Reject, Disconnect) to release the illegal (e.g., oldest) session. Wireless terminals that wish to re-establish the released sessions must perform authentication again, which will not be successful if they use the illegal or fake UICC card.

[0063] FIG. 9 illustrates a fifth exemplary approach in which a new UbiLocator component 902 is introduced between the 3GPP2 AAA server 326 and 3GPP HSS/H-AAA server 320, to record the user registration and de-registration states in the HRPD network 304 and eHRPD network 302. Many of the components illustrated in FIG. 9 are similar to those described in FIG. 3. The UbiLocator component 902 may have a direct interface with the 3GPP2 H-AAA server 326 and the 3GPP HSS/H-AAA server 320 using RADIUS/DIAMETER messages or some new messages. The 3GPP2 H-AAA server 326 and 3GPP HSS/H-AAA server 320 may send a notification message to the UbiLocator component 902 for registration once a user successfully establishes a PPP session. Once the PPP session is released, the 3GPP2 H-AAA server 326 and 3GPP HSS/H-AAA server 320 send another message to the UbiLocator component 902, notifying it that those users are now in de-registered status.

[0064] This approach assumes that the UbiLocator component 902 has been preconfigured to store all the identifiers for each UICC card in advance. If UbiLocator component 902 finds more than one terminal is using parameters from the same UICC card, it sends a RADIUS message (e.g. Disconnect, or Access-Reject) to release the illegal session(s). If a disconnected wireless terminal wishes to re-establish its session, it must perform authentication again, which cannot be successful if it uses an illegal or fake UICC card.

[0065] FIG. 10 is a block diagram illustrating an exemplary UbiLocator Component/Device 1002 that may be adapted to perform cross-network session tracking and termination of illegal sessions. The UbiLocator Component/Device 1002 may be adapted or configured to perform one or more of the functions described with respect to FIGs. 2, 8, and/or 9 for example. The UbiLocator Component/Device 1002 may include one or more processing circuits 1006 coupled to a network communication interface/circuit 1004 and/or a memory/storage device 1008. The network communication interface/circuit 1004 may be adapted to permit the UbiLocator Component/Device 1002 to communicate with, for example, a HRPD Network 1001 (e.g., 3GPP2 H-AAA Server and/or PDSN) and/or an eHRPD Network 1003 (e.g., 3GPP HSS/H-AAA Server and/or HSGW). The processing circuit(s) 1006 may include or implement a Session Registration Collection Module/Circuit/Function 1012, an illegal session detector module/circuit/function 1014, and/or a session terminator module/circuit/function 1016. The session registration collection module/circuit/function 1012 may be adapted to obtain/receive session registration information from both the HRPD network 1001 (e.g., 3GPP2 H-AAA Server and/or PDSN) and eHRPD network 1003 (e.g., 3GPP HSS/H-AAA Server and/or HSGW). The illegal session detector module/circuit/function 1014 may be adapted to determine if the authentication parameters being used for a new session in a first network were used by a currently active session in a second network (e.g., by different wireless devices). If so, the session terminator module/circuit/function 1016 may be adapted to cause at least one of the sessions to be terminated (e.g., the oldest session is terminated, the newest session is terminated, both sessions are terminated, and/or the session started by a wireless terminal not associated with the authentication parameters).
The memory/storage device 1008 may, optionally, also store a record of the cross-network sessions 1018 (e.g., session registration information obtained by the session registration collection module/circuit/function 1012) to assist the illegal session detector module/circuit/function 1014 and/or the session terminator module/circuit/function 1016 in performing their functions.

[0066] FIG. 11 is a flow diagram illustrating a method operational at network entity for detecting simultaneous use of user authentication parameters from the same subscription on different networks. According to various examples, this method may be implemented by a Home AN-AAA server (e.g., as in FIGs. 3, 4 and 6), an integrated 3GPP/3GPP2 Home AAA server (e.g., as in FIGs. 5 and 7), and/or a UbiLocator component (e.g., as in FIGs. 8, 9, and/or 10). A first set of authentication parameters may be received/obtained from a first terminal seeking to establish a first communication session via a first network 1102. Similarly, at a subsequent time, a second set of authentication parameters may be received from a second terminal seeking to establish a second communication session via a second network 1104. For example, the first communication session may be an HRPD session and the second communication session may be an eHRPD session, or vice-versa. According to various examples, these authentication parameters (e.g., Network Access Identifier NAI, etc.) may be requested from, or sent by, other network entities. The network entity may then ascertain whether the first and second sets of authentication parameters are from the same subscription 1106. For example, such subscription may be a wireless service subscription or account to which specific/unique authentication parameters are assigned so that the subscriber may be identified by the access network in order to authenticate the subscription and/or provide wireless communication service. If the first and second sets of authentication parameters are from the same subscription (e.g., the parameters were copied, or a first UICC card was moved between two terminals, etc.), then the network entity terminates the first communication session 1108. 
Note that, in various implementations, the first and/or second sets of authentication parameters may refer to one or more parameters used for authentication by an access network (e.g., access network authentication) and/or a core network (e.g., for core network authentication). In one example, the first and second sets of authentication parameters are from the same subscription if at least a network access identifier (NAI) is the same for both sets of authentication parameters and both of them can pass the access network authentication and/or core network authentication.
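
The FIG. 11 check (steps 1102 to 1108) can be sketched as follows. This is an added example, not code from the patent: the `terminal_id` field, the class and function names, the sample NAIs, and the rule that a same-terminal or same-network re-registration only replaces the stored record are assumptions of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthAttempt:
    nai: str           # Network Access Identifier presented by the terminal
    terminal_id: str   # hypothetical terminal identifier (assumption)
    network: str       # "HRPD" or "eHRPD"
    auth_passed: bool  # outcome of access/core network authentication

class SessionRegistry:
    """Record of cross-network sessions kept by the network entity."""

    def __init__(self):
        self.active = {}      # NAI -> AuthAttempt that holds the live session
        self.terminated = []  # earlier sessions ordered to be torn down

    def register(self, attempt):
        """Handle one attempt; return the earlier session terminated, or None."""
        if not attempt.auth_passed:
            return None  # a failed authentication never creates a session
        earlier = self.active.get(attempt.nai)
        self.active[attempt.nai] = attempt
        if earlier is None:
            return None  # first session seen for this subscription
        # Assumption of this sketch: only a different terminal on a different
        # network counts as concurrent use; anything else replaces the record.
        if (earlier.terminal_id == attempt.terminal_id
                or earlier.network == attempt.network):
            return None
        # Same NAI, both authenticated, different networks: step 1108
        # terminates the first communication session.
        self.terminated.append(earlier)
        return earlier

def run_constructed_trace():
    """Replay a constructed sequence of authentication attempts."""
    nai = "alice@operator.example"  # constructed sample value
    trace = [
        AuthAttempt(nai, "TERM-A", "HRPD", True),
        AuthAttempt("bob@operator.example", "TERM-B", "eHRPD", True),
        AuthAttempt(nai, "TERM-C", "eHRPD", False),  # same NAI, auth fails
        AuthAttempt(nai, "TERM-C", "eHRPD", True),   # same NAI, auth passes
    ]
    registry = SessionRegistry()
    return [registry.register(a) for a in trace], registry

if __name__ == "__main__":
    results, registry = run_constructed_trace()
    for r in results:
        print("terminate:", r)
```

Only the fourth attempt triggers termination: the third shares the NAI but fails authentication, so it does not meet the "both pass authentication" condition stated above.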

[0067] One or more of the components, steps, features and/or functions illustrated in the FIGS. may be rearranged and/or combined into a single component, step, feature or function or embodied in several components, steps, or functions. Additional elements, components, steps, and/or functions may also be added without departing from novel features disclosed herein. The apparatus, devices, and/or components illustrated in the FIGS. may be configured to perform one or more of the methods, features, or steps described in the FIGS. The novel algorithms described herein may also be efficiently implemented in software and/or embedded in hardware.

[0068] Also, it is noted that the embodiments may be described as a process that is depicted as a flowchart, a flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.

[0069] Moreover, a storage medium may represent one or more devices for storing data, including read-only memory (ROM), random access memory (RAM), magnetic disk storage mediums, optical storage mediums, flash memory devices and/or other machine-readable mediums, processor-readable mediums, and/or computer-readable mediums for storing information. The terms "machine-readable medium", "computer-readable medium", and/or "processor-readable medium" may include, but are not limited to non-transitory mediums such as portable or fixed storage devices, optical storage devices, and various other mediums capable of storing, containing or carrying instruction(s) and/or data. Thus, the various methods described herein may be fully or partially implemented by instructions and/or data that may be stored in a "machine-readable medium", "computer-readable medium", and/or "processor-readable medium" and executed by one or more processors, machines and/or devices.

[0070] Furthermore, embodiments may be implemented by hardware, software, firmware, middleware, microcode, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine-readable medium such as a storage medium or other storage(s). A processor may perform the necessary tasks. A code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.

[0071] The various illustrative logical blocks, modules, circuits, elements, and/or components described in connection with the examples disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic component, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing components, e.g., a combination of a DSP and a microprocessor, a number of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.

[0072] The methods or algorithms described in connection with the examples disclosed herein may be embodied directly in hardware, in a software module executable by a processor, or in a combination of both, in the form of processing unit, programming instructions, or other directions, and may be contained in a single device or distributed across multiple devices. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. A storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor.

[0073] Those of skill in the art would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system.

[0074] The various features of the invention described herein can be implemented in different systems without departing from the invention. It should be noted that the foregoing embodiments are merely examples and are not to be construed as limiting the invention. The description of the embodiments is intended to be illustrative, and not to limit the scope of the claims. As such, the present teachings can be readily applied to other types of apparatuses and many alternatives, modifications, and variations will be apparent to those skilled in the art.