[0001] This invention relates to a method of communicating, and to a system including first
and second access points.
[0002] It is relatively new for smartcard systems to be used in railway ticketing systems
and the like. In most smartcard retail systems, there is sufficient time to arrange
for authentication of the smartcard before the transaction is complete, with the authentication
process being carried out electronically in a similar manner to that used with credit
cards having magnetic data carriers. In railway ticketing systems, however, it is
usual for the smartcard reader to be included at a ticket gate or barrier, which makes
it inconvenient to perform full authentication of a smartcard before allowing its
holder through the gate or barrier. It is an aim of the invention to alleviate this
problem.
[0003] In accordance with a first aspect of the invention, there is provided a method of
communicating, the method comprising maintaining a connection between a mobile device
and at least one network of one or more networks via a first access point, sending
from the mobile device to a network server via the first access point a request for
connection to another access point, at the network server, obtaining approval for
the connection request, and sending a connection grant signal to the mobile device via
an access point forming part of the same network as the first access point, sending
from the mobile device a message comprising the connection grant signal or a signal
derived therefrom to a second access point of the one or more networks, and allowing
communication between the mobile device and the second access point if the message
sent therebetween is determined to be the same as an expected message.
[0004] Using this method, it becomes possible to authenticate the mobile device with the
second access point with a minimum amount of communication between these devices,
the communication required for authentication instead being made with the first access
point. Numerous advantages may ensue. For example, given that the mobile device is
already in communication with the first access point, access to the second access
point can be made quickly and with a relatively small amount of signalling. Reducing
the amount of signalling between the mobile device and the second access point can
have advantages where bandwidth is limited and/or expensive, or where the range or
reliability of service could be insufficient.
[0005] In one embodiment, the second access point is associated with a ticket gate, in which
case, the 'allowing communication' step involves granting access to the gate, using
'ticket grant' and 'gate open request' signals for example.
[0006] Normally, the 'connection grant signal' would be sent to the mobile device via the
first access point, but the sending of this signal via another access point forming
part of the same network as the first access point is not precluded.
[0007] One of the access points might include a smartcard reader, in which case a smartcard
included with the mobile device could be authenticated using a challenge and response
procedure.
[0008] Providing the approval for the connection request with a timeout period, after expiry
of which the sending of the message from the mobile device to the second access point
would not result in the allowing step, has administrative advantages.
[0009] Preferably the connection grant signal includes a cryptographic key. Here, at least
part of the message sent from the mobile device to the second access point could be
encrypted using the cryptographic key. Such can provide an efficient and effective
way of making communications between the mobile device and the access points secure,
and provides a means by which the sender of a signal can be verified. Digitally signing
the connection grant signal provides a means by which the sender can be authenticated
and by which it can be verified that the message has not been changed in any way since
transmission by the sender. Corresponding advantages ensue if the message sent from
the mobile device to the second access point is digitally signed.
[0010] In accordance with a second aspect of the invention, there is provided a system comprising
a mobile device, first and second access points to one or more networks, and a network
server connected to each of the one or more networks, the mobile device being arranged
to maintain a connection with one of the networks via the first access point, to send
via the first access point a request for connection to another access point, the network
server being arranged, in response to the request for connection, to obtain approval
for the connection request and to send a connection grant signal to the mobile device
via an access point forming part of the same network as the first access point, the mobile
device being arranged to send a message comprising the connection grant signal or
a signal derived therefrom to the second access point, and the system being arranged
to allow the mobile device access to the second access point if the message is determined
to be the same as an expected message.
[0011] Preferably the network server is arranged for associating a timeout period with the
connection request approval, and the system is arranged for disallowing the mobile
device access to the second access point if access is not allowed prior to expiry
of the timeout period. This can prevent the system being negatively affected by the
support of requests which are not followed through.
[0012] In a preferred embodiment, the second access point is associated with a ticket gate,
which is controlled to be opened if the message is determined to be the same as the
expected message. Here, the system may comprise a ticketing server responsive to the
request for connection to another access point for initiating a ticketing transaction,
and for providing approval for the connection request, which in the embodiment is
made as a gate open request.
[0013] The ticketing server could be responsive to the mobile device being allowed access
to the second access point, which in the embodiment is by way of causing a gate to
be opened, for completing the ticketing transaction. This has the advantage that the
ticketing transaction is only completed if the 'ticket' is actually used by the holder
of the mobile device. Such could prevent ticket transactions being made by accident.
Also, this feature allows a system to ticket automatically - i.e. to commence a ticketing
transaction when a holder of a mobile device is detected entering a railway station,
for example, and to complete the transaction when the mobile device passes through
the gates, either at the source or the destination station, potentially without any
input from the holder of the mobile device via a user interface.
[0014] The network server could be arranged to include a cryptographic key with the connection
grant signal, in which case the mobile device preferably is arranged to encrypt the
message sent to the second access point with the cryptographic key. This keeps the content
of that message confidential on the link to the second access point and ties the message
to a holder of the key distributed in the grant.
[0015] Preferably the connection grant signal is digitally signed, and preferably the message
sent from the mobile device to the second access point is digitally signed. Digital
signing has advantages in that the sender can be authenticated and it can be verified
that no change to the transmitted message has been made.
[0016] Embodiments of the invention will now be described, by way of example only, with
reference to the accompanying drawings, of which:
Figure 1 is a schematic diagram of a system according to one aspect of the invention;
Figure 2 is a schematic diagram of a mobile device forming part of the Figure 1 system;
Figures 3 and 4 are flow diagrams illustrating operation of the Figure 1 system;
Figure 5 is a schematic diagram of an alternative system according to one aspect of
the invention; and
Figure 6 is a schematic diagram of a mobile device forming part of the Figure 5 system.
[0017] Referring firstly to Figure 1, a system 10 is shown comprising generally a mobile
device 11, which in this embodiment is a mobile telephone handset, a first access
point 12, which is a wireless local area network (WLAN) access point to a first network,
and a contactless
smartcard reader/writer 13, which is connected to a ticket gate 14. The first access
point 12 and the smartcard reader 13 both are connected by respective wired and encrypted
lines to a ticket server 15, which in turn is connected to an authentication server
16, which may be local or remote to the ticketing server 15. The mobile device 11
is shown in more detail in Figure 2.
[0018] Referring to Figure 2, the mobile device includes a central processing unit (CPU)
20, which is connected via respective buses 21, 22 to each of a smartcard reader/writer
interface 23 and a WLAN interface 24. The smartcard 25 is removable from the mobile
device 11, and preferably exists in the form of a subscriber identity module (SIM)
card. The smartcard 25 has stored thereon a unique ID and a unique secret key. The
smartcard 25 is removably connected via a wired port thereof to the smartcard interface
23. The smartcard 25 also includes a wireless port, using which it can communicate
with the smartcard reader/writer 13 of the ticket gate 14 and with other smartcard
reader/writers. The WLAN interface 24 is connectable in a wireless fashion to the
WLAN access point 12, and to other access points. Operation will now be described
with reference to Figure 3, which shows signalling between the mobile device 11, the
ticketing server 15 and the ticket gate 14.
[0019] Referring to Figure 3, operation of the ticket gate 14 by the mobile device 11 starts
at step 30 by authenticating the smartcard 25 of the mobile device 11. In this section,
references to the mobile device 11 may be references to the smartcard 25.
A communication path between the mobile device 11 and the ticketing server 15 is
firstly set-up, unless one is already set-up, via the WLAN access point 12. If necessary,
the mobile device 11 is authenticated as being genuine in any convenient manner, such
as by using the authentication process of Figure 5 described below, with reference
to the authentication server 16 and maybe also to a remote, backend server (not shown).
Once the mobile device 11 is authenticated, it may remain connected to the WLAN via
the access point 12.
[0020] Subsequently, the mobile device 11 signals to the ticketing server 15 that access
to the gate 14 is required. This results in the setting up of a session key at step
31 using the Diffie-Hellman key exchange algorithm, for example. At step 32, a ticketing
transaction then occurs. The exact nature of the ticketing transaction step 32 is
not important to this invention. It may be carried out in any suitable manner, such
as in the manner described in European Patent Application No. 01305772.4. Each of
the steps 30 to 32 involves communication between the mobile device 11 and the ticketing
server, and any other servers, only via the WLAN access point 12. Preferably, the
transaction is made without commitment at this stage, for example by calculating the
payment required but without making the payment. This makes rollback or payment refund
unnecessary should the ticket not be used.
[0021] The ticketing transaction at step 32 produces a secret transaction ID signal, or
'ticket ID' signal which links the mobile device 11 to the ticket for which purchase
was arranged. This secret transaction ID is sent from the ticketing server 15 to the
mobile device 11 as part of a 'ticket grant' signal at step 33 via the WLAN access
point 12. The same secret transaction ID is sent to the ticket gate 14 by the ticketing
server 15 as part of a 'ticket notice' signal at step 34. At this point, the mobile
device 11 may still be a significant distance from the ticket gate 14. Already, though,
the ticketing transaction is mostly complete.
[0022] On arrival at the ticket gate 14, the mobile device 11 is placed within range of
the smartcard reader/writer 13. Following detecting that communication between the
mobile device 11 and the smartcard reader/writer is possible, the mobile device sends
a 'gate open request' signal at step 35 to the smartcard reader/writer, which includes
a request to open the gate and includes a copy of the secret transaction ID. This
signal is received at the ticket gate 14, where it is compared with the secret transaction
ID received at step 34. Once the secret transaction IDs are determined to be the same,
the ticket gate 14 sends at step 36 a signal to the ticketing server 15 that the transaction
is complete, in response to which the ticketing server completes the transaction.
The ticket gate 14 also sends to the mobile device 11 a confirmation signal indicating
that the transaction is complete, as well as opening the gate to allow the holder
of the mobile device through.
[0023] A timeout period is associated with the generation by the authentication server 16
of the secret transaction ID. If the timeout period is exceeded without the mobile
device 11 reaching the ticket gate 14, the validity of the secret transaction ID expires
and the transaction is not completed.
[0024] Figure 4 shows the information included in the 'ticket grant', 'gate open request'
and 'ticket notice' signals. Referring to Figure 4, the ticket grant signal is shown
comprising message type, ticket ID (secret transaction ID), Ktg, Kt, lifetime and
message authentication code fields. The message authentication code allows the mobile
device to verify the integrity of the ticket grant signal and that it originated from
the ticketing server. The lifetime field identifies the timeout period. Ktg is subsequently
used for encryption. Kt is used to generate the message authentication code. Any convenient
method, such as DES or AES, could be used for encryption, although DES is no longer
considered adequate and AES should be preferred. For generating the message authentication
codes, any suitable keyed construction could be used, such as an HMAC built on a hash
function such as MD5 or SHA-1; a bare hash of the message is not a message authentication
code, since anyone can recompute it without the key.
[0025] The gate open request signal includes message type, ticket ID and message authentication
code fields, from which the ticket gate can ensure that the signal is from the correct
mobile device. The message authentication code is generated using Kt, received as
part of the ticket grant signal. The gate open request signal is encrypted using Ktg.
[0026] The ticket notice signal includes the same fields as the ticket grant signal, although
the message authentication code field can be omitted if the security of the communication
path is guaranteed in another way.
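The exchange of steps 33 to 36 with the fields of Figure 4 and the lifetime check of [0023], as an added worked example that is not part of the patent. Assumptions made here: the ticket grant's message authentication code is keyed with the step 31 session key (the text does not say which key protects the grant); HMAC-SHA256 stands in for the MD5/SHA-1 based code and an HMAC keystream stands in for DES/AES; the message type values, the nonce on the gate open request and the single-use rule at the gate are additions; the ticketing server, gate and clock objects are constructed for the example.

```python
"""Added example: ticket grant / ticket notice / gate open request exchange of steps 33 to 36,
with the Figure 4 fields and the lifetime check of [0023]. Not the patent's own code."""
import hashlib, hmac, os, struct

MSG_TICKET_GRANT, MSG_GATE_OPEN = b"\x01", b"\x02"   # type values assumed; Figure 4 gives none
MAC_LEN = 32

def mac(key: bytes, data: bytes) -> bytes:
    # Keyed code: a bare MD5/SHA-1 would authenticate nothing, so HMAC (SHA-256 here) is used.
    return hmac.new(key, data, hashlib.sha256).digest()

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the DES/AES encryption the text allows: HMAC-SHA256 keystream in counter
    # mode. The same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), MAC_LEN):
        ks = mac(key, nonce + struct.pack(">I", i // MAC_LEN))
        out.extend(a ^ b for a, b in zip(data[i:i + MAC_LEN], ks))
    return bytes(out)

class FakeClock:
    """Settable clock so the lifetime expiry can be exercised offline."""
    def __init__(self, t: int): self.t = t
    def __call__(self) -> int: return self.t

class TicketingServer:
    def __init__(self, clock): self.clock, self.completed = clock, set()

    def issue_ticket(self, session_key: bytes, lifetime_s: int, gate) -> bytes:
        """Steps 33/34: ticket grant for the device, ticket notice for the gate. The grant
        is authenticated under the step-31 session key (an assumption of this example)."""
        ticket_id, ktg, kt = os.urandom(16), os.urandom(16), os.urandom(16)
        expiry = self.clock() + lifetime_s
        gate.receive_ticket_notice(ticket_id, ktg, kt, expiry)   # over the wired, encrypted line
        body = MSG_TICKET_GRANT + ticket_id + ktg + kt + struct.pack(">Q", expiry)
        return body + mac(session_key, body)

    def complete(self, ticket_id: bytes) -> None:
        self.completed.add(ticket_id)   # step 36: ticket reported used, transaction committed

def parse_ticket_grant(session_key: bytes, grant: bytes) -> dict:
    """Device side of step 33: check the server's code before trusting any field."""
    body, tag = grant[:-MAC_LEN], grant[-MAC_LEN:]
    if not hmac.compare_digest(mac(session_key, body), tag) or body[:1] != MSG_TICKET_GRANT:
        raise ValueError("ticket grant rejected")
    return {"ticket_id": body[1:17], "ktg": body[17:33], "kt": body[33:49],
            "expiry": struct.unpack(">Q", body[49:57])[0]}

def build_gate_open_request(ticket: dict) -> bytes:
    """Step 35: type + ticket ID, coded under Kt, then encrypted under Ktg. The nonce is
    an addition: Figure 4 has no such field, but a keystream needs one."""
    body = MSG_GATE_OPEN + ticket["ticket_id"]
    nonce = os.urandom(16)
    return nonce + keystream_xor(ticket["ktg"], nonce, body + mac(ticket["kt"], body))

class TicketGate:
    def __init__(self, clock, server): self.clock, self.server, self.pending = clock, server, {}

    def receive_ticket_notice(self, ticket_id, ktg, kt, expiry) -> None:
        self.pending[ticket_id] = (ktg, kt, expiry)

    def handle_gate_open_request(self, wire: bytes) -> str:
        """Figure 4 has no cleartext key selector, so the gate tries each pending notice;
        notices are few and short-lived, so this stays cheap."""
        nonce, ciphertext = wire[:16], wire[16:]
        for ticket_id, (ktg, kt, expiry) in list(self.pending.items()):
            plain = keystream_xor(ktg, nonce, ciphertext)
            body, tag = plain[:17], plain[17:]
            if len(plain) != 17 + MAC_LEN or body[:1] != MSG_GATE_OPEN:
                continue
            if not hmac.compare_digest(mac(kt, body), tag) or body[1:] != ticket_id:
                continue
            del self.pending[ticket_id]       # single use (assumption): a replay must not reopen the gate
            if self.clock() > expiry:
                return "expired"              # [0023]: lifetime exceeded, transaction not completed
            self.server.complete(ticket_id)
            return "open"
        return "refused"

def demo() -> tuple:
    """Genuine use, a replay of the same request, and a request after the lifetime."""
    clock = FakeClock(1_700_000_000)
    server = TicketingServer(clock)
    gate = TicketGate(clock, server)
    session_key = os.urandom(32)   # from the step-31 key exchange, assumed already shared
    ticket = parse_ticket_grant(session_key, server.issue_ticket(session_key, 600, gate))
    request = build_gate_open_request(ticket)
    first = gate.handle_gate_open_request(request)    # "open"
    replay = gate.handle_gate_open_request(request)   # "refused"
    late = parse_ticket_grant(session_key, server.issue_ticket(session_key, 600, gate))
    clock.t += 601
    expired = gate.handle_gate_open_request(build_gate_open_request(late))   # "expired"
    return first, replay, expired, len(server.completed)
```

Two points the text leaves open are visible here. The gate open request of Figure 4 carries no nonce and no counter, so a captured request could be replayed to the gate within the lifetime; the gate above therefore deletes the ticket notice on first use, which also makes step 36 fire exactly once per ticket. And because the ticket ID is secret and the whole request is encrypted under a per-ticket Ktg, the gate has no cleartext field telling it which notice to use, so it tries its pending notices in turn.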
[0027] It will be appreciated that authentication of the mobile device 11 and most
of the ticketing transaction were completed before the mobile device came within
range of the smartcard reader/writer 13 at the ticket gate 14. This is advantageous
since it allows a user through the ticket gate 14 with only a relatively short time
period spent obtaining authentication at the gate itself, in spite of complete authorisation
of the mobile device 11 being carried out. This might be considered to constitute
an instantaneous or rapid transaction at the ticket gate.
[0028] Also, the signalling and encryption scheme used allows the mobile device 11 to ensure
the identity of the ticketing server and to authenticate the message sent thereby.
Furthermore, and maybe more importantly, the gate open request signal can be authenticated
by the ticket gate as having originated from the mobile device and as uniquely identifying
the ticket ID signal.
[0029] Reference is now made to Figure 5, which shows in detail the authentication step
30 of Figure 3. The operation 30 starts at step 301, then at step 302 the mobile device
11 establishes a link layer wireless connection with the access point 12 of the WLAN.
At step 303, the mobile device 11 requests authentication of its smartcard 25, so
that it can make a ticketing transaction and subsequently gain access through the
ticket gate 14. This involves the sending of a signal to the ticketing server 15,
via the access point 12, and the forwarding of this to the authentication server 16.
The mobile device 11 then, at step 304, waits to receive a 'challenge' signal, proceeding
to step 305 only once a challenge signal has been received from the authentication
server 16 via the ticketing server 15. The ticketing server 15 also at this time receives
an expected response signal from the authentication server 16.
On receipt of the challenge signal, the mobile device sends at step 305 an encryption
request to the smartcard 25, which then starts at step 306. The mobile device 11 sends
the challenge signal to the smartcard 25 at step 307, where it is received at step
308. Here, the challenge signal is encrypted at step 309 using a secret key unique
to the smartcard 25, and the encrypted challenge signal is sent from the smartcard
25 to the mobile device 11 at step 310, when it is read into the mobile device at
step 311.
[0030] The encrypted challenge signal is then forwarded to the ticketing server 15 at step
312, where it is checked that it is the same as an expected response (encrypted challenge
signal) before an acknowledgement is sent to the mobile device 11. The ticketing server
15, by sending the acknowledgement signal, grants the mobile device 11 permission
to start the ticketing transaction 32.
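The steps 303 to 312 exchange as an added worked example, not part of the patent. Assumptions made here: the smartcard's 'encryption' of the challenge with its secret key is modelled with HMAC-SHA256 under that key; the authentication server returns the challenge and the expected response together, as [0029] describes; the ticketing server consumes each expected response on its first use, which the text does not state; the card registry, identifiers and session names are constructed for the example.

```python
"""Added example: the challenge-response authentication of Figure 5, steps 303 to 312.
Not the patent's own code."""
import hashlib, hmac, os

class Smartcard:
    """Steps 306 to 310: holds its unique ID and secret key, never releases the key, and
    only transforms the challenge. HMAC-SHA256 stands in for 'encrypting the challenge'."""
    def __init__(self, card_id: str, secret: bytes):
        self.card_id, self._secret = card_id, secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class AuthenticationServer:
    """Holds the card secrets. Hands out a fresh challenge with the expected response,
    so the ticketing server can verify without ever seeing a card key."""
    def __init__(self, registry: dict):
        self._registry = registry   # card_id -> secret key (constructed for the example)

    def challenge_for(self, card_id: str):
        secret = self._registry.get(card_id)
        if secret is None:
            return None
        challenge = os.urandom(16)
        return challenge, hmac.new(secret, challenge, hashlib.sha256).digest()

class TicketingServer:
    """Relays the challenge (step 304) and checks the response (step 312)."""
    def __init__(self, auth: AuthenticationServer):
        self.auth, self._pending, self.authorised = auth, {}, set()

    def request_authentication(self, session: str, card_id: str):
        result = self.auth.challenge_for(card_id)
        if result is None:
            return None              # unknown card: no challenge is issued
        challenge, expected = result
        self._pending[session] = expected
        return challenge

    def submit_response(self, session: str, response: bytes) -> bool:
        expected = self._pending.pop(session, None)   # one attempt per challenge
        ok = expected is not None and hmac.compare_digest(expected, response)
        if ok:
            self.authorised.add(session)   # the acknowledgement: transaction 32 may start
        return ok

def demo() -> tuple:
    """A genuine card, a clone with the right ID but wrong key, a replayed response, and
    an unregistered card."""
    secret = os.urandom(32)
    genuine, clone = Smartcard("card-A", secret), Smartcard("card-A", os.urandom(32))
    ts = TicketingServer(AuthenticationServer({"card-A": secret}))
    ch1 = ts.request_authentication("s1", "card-A")
    r1 = genuine.respond(ch1)
    ok_genuine = ts.submit_response("s1", r1)                                    # True
    ch2 = ts.request_authentication("s2", "card-A")
    ok_clone = ts.submit_response("s2", clone.respond(ch2))                      # False
    ts.request_authentication("s3", "card-A")
    ok_replay = ts.submit_response("s3", r1)                                     # False: fresh challenge
    unknown_rejected = ts.request_authentication("s4", "card-Z") is None         # True
    return ok_genuine, ok_clone, ok_replay, unknown_rejected, sorted(ts.authorised)
```

The split of roles is the point: the ticketing server 15 verifies the card without holding any card key, but it does receive the expected response, so the link between the ticketing server and the authentication server 16 must be protected as carefully as the card secret itself, and each expected response should be usable once.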
[0031] Some examples of the type of transactions which might occur follow.
[0032] In one example, the holder of the mobile device 11 is the holder of a season ticket,
which enables him or her to travel at any time of day and any number of times on a
predetermined route and between certain dates. Here, the season ticket is stored as
a unique identification number on the mobile device 11. When the mobile device 11
moves within range of the WLAN access point 12, authentication occurs using the ticketing
server 15 and the authentication server 16. Then, the mobile device 11 automatically
(i.e. without any user input) sends a request to the ticketing server 15 for access,
and includes with the request the unique identification number of the season ticket.
The ticketing server 15 determines that the season ticket is within its valid date
range and determines that geographical restrictions and any other restrictions are
not exceeded, then grants authority by sending a secret transaction signal to the
mobile device 11 and to the ticket gate 14.
[0033] In another example, the ticketing transaction step 32 includes the running of a software
program on the mobile device 11 which allows the user thereof to select a destination
and a ticket type. The mobile device 11 then sends information about the required
ticket to the ticketing server 15, which arranges for payment to be made, such as
by charging the credit card of the user, as appropriate. Once payment has been made,
the mobile device 11 and the ticket gate 14 are sent the secret transaction ID signal.
[0034] In a further example, the ticketing transaction step 32 includes the mere clearance
of the holder of the mobile device 11 to enter the ticket gate 14. Here, the ticket
transaction is completed only when it is detected that the user is leaving the railway
network, when the start and end stations are known. Preferably, access to an exit gate
of a destination station is dependent on an appropriate payment being made.
[0035] A second embodiment is shown in Figures 6 and 7. Referring firstly to Figure 6, a
system 40 is shown comprising generally a mobile device 41, a WLAN access point 42
forming part of a WLAN, a Bluetooth access point 43, a network access server
(NAS) 44, and an authentication server 45. Each of the WLAN and Bluetooth access points
42, 43 is connected by a respective wired connection 46, 47 to the NAS 44. The authentication
server 45 is connected to the NAS 44 by a further wired connection 48 which is appropriate
to the distance between the two servers (they may be local to each other or they may
be remote). Optionally, one or more other networks are connected to the wired connection
48. The NAS 44 manages data traffic between the mobile device 41 and any of the networks
connected to the NAS. From Figure 6, it can be seen that the mobile device 41 includes
a CPU 49, which is connected to a Bluetooth interface via a first connector 51, and
is connected to a WLAN interface 52 via a second connector 53. In an alternative embodiment
(not shown), the mobile device is provided with a multimodal wireless network interface,
which is controlled using a software radio system.
[0036] Operation of the system 40 is as follows. When the mobile device 41 moves within
range of the WLAN access point 42, communication with the WLAN can begin. Once communication
does begin, authentication of the mobile device 41 on the WLAN takes place in any
convenient manner, such as by using an operation similar to that described above with
reference to Figure 5.
[0037] To commence communication via the Bluetooth access point 43, the mobile device 41
uses its already established connection with the WLAN access point 42. Here, the mobile
device 41 sends a connection request via its WLAN interface 52 to the WLAN access
point 42, which forwards the connection request to the NAS 44. The NAS 44 then makes
a decision as to whether or not the mobile device 41 is to be granted access to the
Bluetooth access point 43. This decision is made either on the basis of a policy set
by the NAS 44 itself, or on the basis of a policy set by the authentication server
45 and communicated to the NAS at the time that the mobile device was authenticated
onto the WLAN. If access is granted, the NAS 44 sends a grant message, preferably
using a temporal session key, to the mobile device 41 via the WLAN access point 42.
[0038] Once the mobile device 41 moves within range of the Bluetooth access point 43, communication
with it can begin. To gain access, the mobile device 41 transmits the grant message
that it received via the WLAN access point 42 to the Bluetooth access point 43, from
where it is forwarded to the NAS 44. Then, the NAS 44 determines whether the device
requesting access to the Bluetooth access point 43 is the mobile device 41 with which
the NAS is in contact via the WLAN, and refuses or grants access as appropriate, without
reference to the authentication server 45.
[0039] Figure 8 shows in detail the signalling used to effect the operation described above.
Referring to Figure 8, the mobile device 41 commences in communication with the WLAN
access point 42. MAC (medium access control) layer connectivity with the bluetooth
access point 43 is then detected at 60. The mobile device 41 then determines whether
initiation of handover to the bluetooth access point 43 is required. This decision
may be made on the basis of a policy set within the mobile device 41, or according
to a network administration policy set by the network.
Once a decision to handover has been made, a handover request is sent at 61 to the
WLAN access point 42 using the already established connection. This handover request
is then forwarded at 62 to the NAS 44, which determines from network policy whether
handover is to be allowed. If handover is permitted, the NAS sends a grant handover
signal at 63a to the WLAN access point 42, which forwards it onto the mobile device
41 at 63b. The handover grant message is shown in Figure 9, including message ID,
session ID, Ktg, Kt and message authentication code fields. These fields contain data
which is used in a corresponding way to the data ticket grant signal of Figure 4.
The NAS 44 also sends to the bluetooth access point 43 at 64a a notify handover message
including the same message authentication code as that included in the handover grant
message. The notify handover message (shown in Figure 9) instructs the bluetooth access
point 43 to accept any connection request from the mobile device 41. The message authentication
code in the notify handover message can be omitted if security is guaranteed by another
method.
[0040] Subsequent to receiving the grant handover signal, the mobile device 41 sends at
65 a connection request message to the bluetooth access point 43. As shown in Figure
9, the connection request message includes message type, session ID, random number
and message authentication fields. The connection request message is encrypted using
Ktg and its message authentication code is generated using Kt, as for the gate open
request of Figure 4. The random number field is filled with a number generated at random within the
mobile device 41. The message authentication code allows the bluetooth access point
43 to determine that the originator of the signal is indeed the mobile device 41.
The random number is included so that the mobile device 41 can verify the bluetooth
access point using a challenge and response operation. Mutual authentication of the
mobile device 41 and the bluetooth access point 43 is carried out at 66. Following
authentication, the bluetooth access point 43 forwards the connection request message
received from the mobile device 41 to the NAS 44 at 67. In response, the NAS sends
a connection acknowledgement signal at 68 to the bluetooth access point 43, which
sends at 69 a connection acknowledgement message to the mobile device 41.
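The handover exchange of Figures 8 and 9 (signals 61 to 69) with the mutual authentication of 66, as an added worked example that is not part of the patent. Assumptions made here: a key shared between the mobile device and the NAS from the WLAN authentication protects the handover grant; HMAC-SHA256 stands in for the message authentication codes; the message ID values and the role label on the access point's reply are additions; the Ktg encryption of the connection request is left out so the authentication logic stays visible; the NAS, access points and device objects are constructed for the example.

```python
"""Added example: handover grant / notify handover / connection request exchange of
Figures 8 and 9 with mutual authentication at 66. Not the patent's own code."""
import hashlib, hmac, os

MSG_HANDOVER_GRANT, MSG_CONNECT = b"\x21", b"\x22"   # message ID / type values assumed

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class NAS:
    def __init__(self, wlan_key: bytes):
        self.wlan_key = wlan_key   # shared with the device from WLAN authentication (assumption)
        self.sessions = {}         # session_id -> (ktg, kt): devices currently held on the WLAN

    def grant_handover(self, session_id: bytes, bt_ap) -> bytes:
        """62 to 64a: policy decision omitted; notify the Bluetooth AP, return the grant."""
        ktg, kt = os.urandom(16), os.urandom(16)
        self.sessions[session_id] = (ktg, kt)
        bt_ap.notify_handover(session_id, ktg, kt)
        body = MSG_HANDOVER_GRANT + session_id + ktg + kt
        return body + mac(self.wlan_key, body)

    def confirm(self, session_id: bytes, request: bytes) -> bool:
        """67/68: is this the session the NAS holds on the WLAN, and does the forwarded
        request verify under that session's Kt? No recourse to the authentication server."""
        keys = self.sessions.get(session_id)
        return keys is not None and hmac.compare_digest(mac(keys[1], request[:33]), request[33:])

class BluetoothAP:
    def __init__(self, nas: NAS):
        self.nas, self.expected = nas, {}   # expected: session_id -> (ktg, kt) from notify handover

    def notify_handover(self, session_id: bytes, ktg: bytes, kt: bytes) -> None:
        self.expected[session_id] = (ktg, kt)

    def handle_connection_request(self, req: bytes):
        """65/66/69: authenticate the device under Kt, get the NAS's confirmation, then
        prove knowledge of Kt back to the device over its random number. None = refused."""
        if len(req) != 65 or req[:1] != MSG_CONNECT:
            return None
        session_id, rnd, tag = req[1:17], req[17:33], req[33:]
        keys = self.expected.get(session_id)
        if keys is None or not hmac.compare_digest(mac(keys[1], req[:33]), tag):
            return None
        if not self.nas.confirm(session_id, req):
            return None
        # Role label (an addition): a rogue AP cannot reflect the device's own code as its proof.
        return mac(keys[1], b"ap-to-device" + rnd)

class MobileDevice:
    def __init__(self, session_id: bytes, wlan_key: bytes):
        self.session_id, self.wlan_key, self.kt, self.rnd = session_id, wlan_key, None, None

    def accept_handover_grant(self, grant: bytes) -> bool:
        """63b: verify the grant came from the NAS over the WLAN before keeping Kt."""
        body, tag = grant[:-32], grant[-32:]
        if not hmac.compare_digest(mac(self.wlan_key, body), tag) or body[:1] != MSG_HANDOVER_GRANT:
            return False
        self.kt = body[33:49]   # Ktg is body[17:33]; unused here since encryption is omitted
        return True

    def connection_request(self) -> bytes:
        self.rnd = os.urandom(16)
        body = MSG_CONNECT + self.session_id + self.rnd
        return body + mac(self.kt, body)

    def verify_ap(self, proof) -> bool:
        """Device side of 66: only an AP that was notified, and so holds Kt, can answer."""
        return proof is not None and hmac.compare_digest(mac(self.kt, b"ap-to-device" + self.rnd), proof)

def demo() -> tuple:
    """A genuine handover, a rogue AP the NAS never notified, and a device with no grant."""
    wlan_key = os.urandom(32)
    nas, sid = NAS(wlan_key), os.urandom(16)
    good_ap, rogue_ap = BluetoothAP(nas), BluetoothAP(NAS(os.urandom(32)))
    dev = MobileDevice(sid, wlan_key)
    assert dev.accept_handover_grant(nas.grant_handover(sid, good_ap))
    handover_ok = dev.verify_ap(good_ap.handle_connection_request(dev.connection_request()))
    rogue_rejected = not dev.verify_ap(rogue_ap.handle_connection_request(dev.connection_request()))
    stranger = MobileDevice(os.urandom(16), wlan_key)
    stranger.kt = os.urandom(16)   # never granted a handover, so guesses Kt
    stranger_refused = good_ap.handle_connection_request(stranger.connection_request()) is None
    return handover_ok, rogue_rejected, stranger_refused
```

The device's random number is what gives it evidence about the access point: the reply is computed under Kt, which the NAS handed only to the notified access point, so an unannounced Bluetooth access point cannot produce it. Step 67/68 then lets the NAS re-check the session against its WLAN-side state without touching the authentication server 45, which is the latency saving [0038] describes.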
[0041] This procedure enables rapid mutual authentication of a mobile device and an access
point. Authentication is seen to be critical for security when operating in wireless
networks.
[0042] After establishing a link layer connection in the described manner, the NAS 44 assigns
to the bluetooth interface included in the mobile device 41 an IP address the same
as the IP address used in the WLAN connection. This enables higher layer communication
software such as TCP (transmission control protocol) to maintain its connection during
handover, i.e. the same connection is used before and after handover, allowing seamless
roaming over multiple networks. Handover from the bluetooth access point 43 to the
WLAN access point may occur using the same procedure, although references to the access
points are reversed.
[0043] The embodiment of Figures 6 and 7 may have application in an office building, where
the mobile device 41 is held by an employee. For example, a WLAN may allow the mobile
device 41 access to a computer network, allowing the mobile device access to databases
and/or programs associated therewith. Areas of the office building which are security
sensitive may be equipped with Bluetooth access points 43, which are configured to
allow access only to authorised persons. Using this invention, access for the holder
of the mobile device 41 to the sensitive areas can be granted on the basis of authentication
performed over the WLAN. When the mobile device 41 arrives at the relevant Bluetooth
access point 43, access may be granted without the need for further recourse to the
authentication server 45.
[0044] It may, in the same application, be desired to disallow access to the office building's
WLAN until the holder of a mobile device 41 is within the building. In this case,
a Bluetooth access point 43 may be provided at the building's entrance.
[0045] Authentication of the mobile device 41 is performed by the NAS 44 and the authentication
server 45 with communication occurring via the Bluetooth access point 43. A request
to access the WLAN is then transmitted via the Bluetooth access point 43, and a grant
message then sent via Bluetooth to the WLAN access point 42 for verification by the
NAS 44 without recourse to the authentication server 45. Thus, the mobile device 41
is granted access to the WLAN with the authentication process achieved via the Bluetooth
access point 43. Here, though, a different access control policy may be applied by
the NAS 44 depending on the access point 42, 43 via which the mobile device 41 first
established communication with the NAS. Delegating access control to the NAS 44 can
reduce network traffic, as well as the time taken to respond to access requests.
[0046] The embodiment of Figures 6 and 7 may be used in a ticketing system, such as a railway station environment with ticket
gates as described in relation to Figure 1 above. Here, though, the ticket gates are
each provided with a short-range Bluetooth access point, instead of a contactless
smartcard reader. A mobile device for operation with such a system is shown in Figure
10.
[0047] Referring to Figure 10, the mobile device 70 includes a CPU 71 connected to each
of a smartcard 72, a Bluetooth interface 73 and a WLAN interface 74. Briefly, operation
begins with authentication of the smartcard 72, and thus the mobile device 70, on
a WLAN using the WLAN interface 74. The procedure is similar to that shown in and
described with reference to Figure 3. Communication of a gate open request signal
involves passing the signal from the smartcard 72 via the CPU 71 and the bluetooth
interface 73 to the bluetooth access point at the ticket gate. Although the above
embodiments utilise communication via Bluetooth, WLAN and smartcard connections or
networks, it will be appreciated that any connections or networks are useable with
the invention, such as an infra-red connection or the cellular networks GSM or UMTS,
for example. Also, one of the connections could be a wired connection, for
example to a LAN.
[0048] In all of the above embodiments, it will be appreciated that the 'message authentication
code' fields may instead carry a digital signature, preferably prepared using a public-private
(asymmetric) key algorithm, rather than a code computed under the shared key Kt; a signature
lets any holder of the signer's public key verify the sender, not only a holder of Kt.
1. A method of communicating, the method comprising:
maintaining a connection between a mobile device and at least one network of one or
more networks via a first access point;
sending from the mobile device to a network server via the first access point a request
for connection to another access point;
at the network server, obtaining approval for the connection request, and
sending a connection grant signal to the mobile device via an access point forming
part of the same network as the first access point;
sending from the mobile device a message comprising the connection grant signal or
a signal derived therefrom to a second access point of the one or more networks; and
allowing communication between the mobile device and the second access point if the
message sent therebetween is determined to be the same as an expected message.
2. A method as claimed in claim 1, in which one of the access points includes a smartcard
reader, and a smartcard included with the mobile device is authenticated using a challenge
and response procedure.
3. A method as claimed in either preceding claim, in which the approval for the connection
request has associated therewith a timeout period, after expiry of which the sending
of the message from the mobile device to the second access point will not result in
the allowing step.
4. A method as claimed in any preceding claim, in which the connection grant signal includes
a cryptographic key.
5. A method as claimed in claim 4, in which at least part of the message sent from the
mobile device to the second access point is encrypted using the cryptographic key.
6. A method as claimed in any preceding claim, in which the connection grant signal is
digitally signed.
7. A method as claimed in any preceding claim, in which the message sent from the mobile
device to the second access point is digitally signed.
8. A system comprising:
a mobile device;
first and second access points to one or more networks; and
a network server connected to each of the one or more networks,
the mobile device being arranged for maintaining a connection with one of the networks
via the first access point, and for sending via the first access point a request for
connection to another access point,
the network server being arranged, in response to the request for connection, for
obtaining approval for the connection request and for sending a connection grant signal
to the mobile device via an access point forming part of the same network as the first
access point,
the mobile device being arranged for sending a message comprising the connection grant
signal or a signal derived therefrom to the second access point, and the system being
arranged for allowing the mobile device access to the second access point if the message
is determined to be the same as an expected message.
9. A system as claimed in claim 8, in which one of the access points includes a smartcard
reader, and the network server is arranged for authenticating a smartcard included
with the mobile device using a challenge and response procedure.
10. A system as claimed in claim 8 or claim 9, in which the network server is arranged
for associating a timeout period with the connection request approval, and the system
is arranged for disallowing the mobile device access to the second access point if
access is not allowed prior to expiry of the timeout period.
11. A system as claimed in any of claims 8 to 10, in which the second access point is
associated with a ticket gate, which is controlled to be opened if the message is
determined to be the same as the expected message.
12. A system as claimed in claim 11, further comprising a ticketing server responsive
to the request for connection to another access point for initiating a ticketing transaction,
and for providing approval for the connection request.
13. A system as claimed in claim 12, in which the ticketing server is responsive to the
mobile device being allowed access to the second access point for completing the ticketing
transaction.
14. A system as claimed in any of claims 8 to 13, in which the network server is arranged
to include a cryptographic key with the connection grant signal.
15. A system as claimed in claim 14, in which the mobile device is arranged to encrypt
the message sent to the second access point with the cryptographic key.
16. A system as claimed in any of claims 8 to 15, in which the connection grant signal
is digitally signed.
17. A system as claimed in any of claims 8 to 16, in which the message sent from the mobile
device to the second access point is digitally signed.