Vinod Kumar Choyi

Multi-factor Authentication as a Service

An architecture for providing multi-factor authentication as a service is proposed, resting on the principle of a loose coupling and separation of duties between network entities and end user devices. The multi-factor authentication architecture leverages Identity Federation and Single-Sign-On technologies, such as the OpenID framework, in order to provide for a modular integration of various factors of authentication. The architecture is robust and scalable enabling service providers to define risk-based authentication policies by way of assurance level requirements, which map to concrete authentication factor capabilities on user devices.

Network slice selection, assignment and routing within 5G Networks

5G Networks are anticipated to provide a diverse set of services over Network Slices (NS) using Network Function Virtualization (NFV) technologies. We propose solutions to enable NS selection and routing of traffic routing through a NS. A framework for enabling negotiation, selection and assignment of NSs for requesting applications in 5G networks is presented. A definition for service description has been developed, which is then leveraged for negotiation between an application/user equipment and the serving network. Virtualized networks or slices of virtualized networks are selected and assigned based on QCI and security requirements associated with a requested service. We also describe static and dynamic mechanisms for packet routing within NSs.

Seamless authentication and mobility across heterogeneous networks using federated identity systems

With the increasing demand for mobile data services and increased availability of multimode devices with multiple wireless interfaces, seamless mobility and service continuity across heterogeneous networks has become a differentiating service for Operators to offer users an enhanced mobile experience. In recent years, the Federated Identity Management (IdM) standards and technologies have rapidly evolved to address security, user experience, and privacy needs from an application layer perspective or as seen from the end user. As a result of these Federated IdM activities, a Single Sign-On (SSO) concept has been created in which a user may use a single set of authentication credentials to gain access to multiple independent Application Services. This paper provides an overview of the various layers of security in a communications protocol stack and then presents an approach to achieve seamless mobility across heterogeneous networks based on Federated Identity systems. By leveraging a pre-established application layer security association, access layer authentication and setup of a secure channel in an on-demand, automated and seamless manner may be carried out whilst roaming across disparate networks.

Seamless authentication across heterogeneous networks using Generic Bootstrapping systems

With the increasing demand for mobile data services and increased availability of multimode devices with multiple wireless interfaces, seamless mobility and service continuity across heterogeneous networks has become a differentiating service for Operators to offer users an enhanced mobile experience. In recent years, the Federated Identity Management (IdM) standards and technologies have rapidly evolved to address security, user experience, and privacy needs from an application layer perspective or as seen from the end user. As a result of these Federated IdM activities, a Single Sign-On (SSO) concept has been created in which a user may use a single set of authentication credentials to gain access to multiple independent Application Services. This paper provides an overview of the various layers of security in a communications protocol stack and then presents an approach to achieve seamless mobility across heterogeneous networks based on Federated Identity systems. By leveraging a pre-established application layer security association, access layer authentication credentials may be generated using a bootstrapping mechanism to enable authentication and setup of a secure channel in an on-demand, automated and seamless manner may be carried out whilst roaming across disparate networks. A comparison of the proposed scheme and state-of-the-art techniques is included.