Method and a device to suspend the access to a service

The present invention relates to a method and a device to suspend access to a service in particular in a wireless network environment.

The Bluetooth standard has been developed by the Bluetooth Special Interest Group. It defines several aspects of security, and among them, the authentication and the authorization procedures.

Authentication is a generic procedure between two devices for verifying the identity of one of the devices (the 'remote' device) by the other device.

If a link key already exists, the procedure consists in a challenge- response mechanism using a random number, a secret key, and the Bluetooth device address of the non-initiating device. The secret key can be the previously exchanged link key.

If a link key does not exist, the procedure comprises the pairing of devices. Pairing is a procedure that authenticates a pair of devices, based on a personal identification number, noted the PIN, and subsequently creates a common link key. The procedure consists in the creation of an initialization key, the creation and exchange of a common link key, which is an authentication key used for the pair only, and the challenge-response mechanism.

The Bluetooth specification also defines authorization. This is a procedure where a user of a Bluetooth device grants a specific remote Bluetooth device access to a specific service. Authorization implies that the identity of the remote device can be verified through the authentication procedure. The procedure may be based on user confirmation or on the existence of a trusted relationship.

The creation of a trusted relationship is a procedure where the remote device is marked as a trusted device. Trusting consists in the marking of a paired device as a trusted device. Trust marking can be done by the user or done by the device automatically after a successful pairing.

The document Bluetooth Security White Paper, version 1.00, 2004-04-19, published by the Bluetooth Special Interest Group defines a particular security architecture. The paper introduces authorization and trusted devices. Access to a Bluetooth service is only granted after an authorization procedure (for example by performing a given user interaction). After the authorization, the device becomes a trusted device and can access the services on the other device.

The Bluetooth security architecture does not allow the administrator to temporarily deny access to services to certain frequent users. For example, consider the case where a Bluetooth device is an access point, and the access point owner has a neighbor who frequently comes by and makes use of the Bluetooth services. The neighbor knows the

PIN code to access the Bluetooth access point. The access point owner would have to change the PIN code all the time to ensure that the neighbor does not access the Bluetooth access point from next door.

The present invention concerns a method in a device to suspend the access to a service to stations and a device having the advantages of the invention. It applies in particular but not solely to the field of wireless networking.

To this end, the invention relates to a method for enabling a wireless station 2 to access at least one service owned by a device 1 , comprising the following steps, at the device 1 , of:

• authenticating the wireless station 2,

• authorizing the wireless station 2 that has been authenticated to access one of the at least one service, According to the invention, the method comprises the step of suspending the station 2 to access the service, keeping authentication information of the suspended station in a memory 3, and renewing the access authorization to the service by the suspended station.

Advantageously, the step of renewing the access authorization does not require a user confirmation on the suspended station. Then, a user does not have to enter a personal identification number on the suspended station to access the service.

According to an embodiment, the step of suspending includes the steps of rejecting an attempt from the suspend ed station to access the service.

According to an embodiment, the method further comprises the step of modifying the state of the station in the memory (3) for permitting among other the step of suspending or renewing.

According to an embodiment, the steps of suspending and renewing are performed through a user interface (7) by a user.

This permits the user to control the states of the station and among other, the steps of suspending and renewing.

According to an embodiment, the wireless network is a wireless personal area network. Preferably, the wireless personal area network conforms to the Bluetooth standard.

The invention also concerns a device 1 comprising wireless communication means 5, a memory 3 and at least one service for access by

at least one station 2 also comprising wireless communication means 8, comprising:

• means for authenticating the wireless station (2), and

• means for authorizing the authenticated station to access one of the at least one service;

According to the invention, the device comprises means for:

• suspending the authorized station to access the service;

• keeping authentication information of the suspended station in the memory 3; and • renewing the access authorization to the service by the suspended station, without requiring any user interaction on the station.

According to an embodiment, the device comprises means for rejecting an attempt from the suspended station to access the service.

According to an embodiment, the memory 3 comprises means for modifying a state of the station.

According to an embodiment, the device further comprises a user interface for allowing a user to access the memory (3) and to administer the state of the station . Advantageously, the user interface comprises either a command line interface or a graphical user interface.

According to an embodiment, the wireless communication means

5 and 8 enable to connect to a wireless personal area network. Preferably, the wireless personal area network conforms to the Bluetooth standard.

The invention will be better understood and illustrated by means of the following embodiment and execution examples, in no way restrictive, with reference to the appended figures among which:

- Figure 1 is a flow diagram that illustrates the combined authentication and authorization mechanism as defined in the Bluetooth standard; - Figure 2 is a schematic diagram showing the device compliant with the invention and a wireless station;

- Figure 3 is a schematic diagram showing some functions of the device.

- Figure 4 is a flow diagram that illustrates the security architecture of the invention.

The exemplary embodiment comes within the framework of a transmission on a Bluetooth wireless link, but the invention is not limited to this particular environment and may be applied within other wireless standards where an authentication process and an authorization process are used. More information concerning Bluetooth can be found in the Bluetooth standard Core Specification version 1.2, 5 November 2003, and also in subsequent versions.

Figure 1 illustrates the combined authentication and authorization mechanism as defined in the Bluetooth standard. It represents the different states that can be held by a station in the data base of the second station that is referred hereafter as a device.

A station authenticates with a device. The first step of the authentication is the link-key creation, through a PIN code exchange. If the PIN exchange is successful, a link-key is created and the station and the device are paired. If the PIN exchange is not successful, the station remains in the 'unknown' state for to the device; no information is stored in the device for that station. The second step of the authentication is a challenge- response mechanism.

The device then authorizes the station to access and use one of the services it owns. The device owns for example the "Network Access Point Service" or "Cordless Telephony Service". This is done for example through a user action on the device user interface. The station then becomes 'trusted' as far as the device is concerned and it can use the service. The authorization requires a challenge-response mechanism implying a user confirmation on the station.

When the device cancels the authorization for a device to access a service, all authentication information is deleted from the device database. If the station wants to access a service again, it has to enter the PIN code.

Figure 2 represents a physical description of the device of the invention. The device 1 comprises a memory 3, which holds a data base comprising the identification of all the known stations and indicates the state of these stations. The device 1 comprises a microprocessor 4, wireless communication means 5 to dialog with a station 2 and a user interface 7 that permits a user to manage and control the device 1. User and control data are exchanged between modules through an internal bus 6.

As indicated on figure 3, the device 1 owns the services 12 that are accessed by the standard station 2. The user interface 7 permits the user to manage the states of the station 2; i.e. the user can diagnostic control and modify the states of the station. The station states management function 11 maintains the state of each wireless station 2, which are detailed in figure 4.

Figure 4 indicates the different states that can be held by a station 2 in the data base of the device 1.

A station that is not present in the data base 3 of the device 1 is an 'unknown' 31 station. A station that is present in the data base, i.e. any station that is not 'unknown', is identified through its 48-bit Bluetooth

address. It is then set to one of the following state: NEW 32, PAIRING FAILED 35, ALLOWED 33, DISABLED 34 and BANNED 36.

First, the station and the device authenticate as indicated in the Bluetooth standard. The station sends a PIN code to the device. If the PIN code is not correct, the station is set to the PAIRING

FAILED state. The station is identified by the device as having failed to authenticate. A PIN failure counter is created for this station. At each successive wrong PIN code, the device increments the counter for this station. When the counter reaches the maximum value, the 'banlimit' value, the station is automatically set to the BANNED state, where it can no longer authenticate. This means that further authentication tentative messages are ignored by the device for this station. The 'banlimit' value may be set to a default value, for example to three, or configurable by the user.

If the PIN code is correct, a link-key is created, the station is paired to the device and enters the NEW state. The PIN failure counter is reset. The station behaves then as a paired and untrusted station.

In each of the states NEW, ALLOWED and DISABLED, the station is paired to the device: it is authenticated by the device.

The device may set a station that is in the NEW state into the ALLOWED state. It then authorizes the station to use a service. Authorization implies that the identity of the remote device can be verified through the authentication procedure. The procedure may be based on user confirmation or on the existence of a trusted relationship. The behavior of the device towards the station is the same as for a paired and trusted standard Bluetooth station.

A station that is in the NEW or ALLOWED state can be set by the device into the DISABLED state. This is done by an action from the user on the device. The device has a user interface that allows the user to access

the data base. The user selects the station and set the station to the DISABLED state. When a station is set to the DISABLED state, nothing is changed on the station itself. In the DISABLED state, the station cannot use any service of the device, but it remains paired to the device. The behavior of the device towards the station is the same as for a paired and untrusted standard Bluetooth station. The device rejects all the attempts from the station to access the services. The authentication information is kept in the memory, so that the device can renew the access to the service by the station without requiring the station to re-enter a PIN code.

The device may set a station that has been set in the DISABLED state into the ALLOWED state. This is initiated by an action from a user on the user interface of the device. This still requires an authentication implying a challenge -response mechanism between the device and the station. Anyway, this does not require a user confirmation on the station, as is done for the authorization process. The user does not have to enter the PIN code again on the station.

For enhanced security, when a station enters the NEW state, a timer starts. When the timer reaches a limit value, 'newlimit ¹ , then the station is automatically removed from the data base and considered as unknown. The 'newlimit' may be set for example to a one hour value.

The device can also directly set a paired station into the BANNED state. This is done by an action from the user on the user interface of the device.

The device may also delete a paired station from the data base. This is done by an action from the user on the user interface of the device. The station is then unknown. The device may delete a station that has been in the BANNED state from the data base. This is done by an action from the user on the user

interface of the device. This station is then an unknown station, and it is then allowed to authenticate again with the device.

The device may delete a station that has been in the PAIRING FAILED state from the data base. This is done by an action from the user on the user interface of the device. This station is then a station in the 'unknown' state, and it is then allowed to authenticate again with the device.

The device may comprise a display, or may be accessible with a HTTP GUI (Graphical User Interface) or Telnet CLI (Command Line Interface). This allows a user to consult and modify the data base; by changing the state of a station in the list or removing a station from the list. In particular the user may be allowed to carry out some or all of the following actions:

• move a station from the NEW state to DISABLED or ALLOWED states;

• move a station from the DISABLED sate to the ALLOWED state and vice-versa;

• set a paired device to the banned state;

• set a station, paired or banned, into an unknown state.