Method of operating a network

By generating a hidden network identifier and requesting a connection after identifying a hidden WLAN, the problem of cumbersome management of secure access to wireless LANs and the vulnerability of "zero-contact connections" to attacks is solved, thereby improving the security and reliability of WLAN connections.

CN117044250BActive Publication Date: 2026-06-05BRITISH TELECOM PLC

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BRITISH TELECOM PLC
Filing Date
2022-02-21
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

The existing wireless local area network (WLAN) security access management is cumbersome, and the "zero-contact connection" method is vulnerable to attack, which can cause UEs to connect to malicious WLANs or overload legitimate WLANs, affecting network operation.

Method used

A hidden network identifier is generated using cryptographic functions. After the UE identifies the hidden WLAN, it requests a connection, ensuring the security and authenticity of the access credentials and preventing connection to an unauthorized WLAN.

Benefits of technology

It improves the security of WLAN connections, prevents UEs from being misled to malicious WLANs, reduces the overload risk of legitimate WLANs, and enhances the reliability of network operations.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN117044250B_ABST
    Figure CN117044250B_ABST
Patent Text Reader

Abstract

A method 200 of operating a telecommunications network (100) comprising: a user equipment (UE) (110); a first wireless local area network (WLAN) (130) identifiable by a first network identity; a hidden WLAN (130); and a target WLAN (130); and the method comprising the steps of: configuring the hidden WLAN to have a hidden network identity (240) derived cryptographically from the first network identity; by the UE: retrieving the first network identity from the first WLAN (230); cryptographically processing the retrieved first network identity to derive the hidden network identity (240); searching for a WLAN using the derived hidden network identity (250); and requesting a connection to or via the target WLAN only after the hidden WLAN is discovered (270). There is also provided a method of operating a user equipment (UE), a method of operating a set of wireless access points (120), and a user equipment, a set of wireless access points, and a telecommunications system therefor.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to methods and systems for operating telecommunications networks, particularly wireless local area networks (WLANs), and components for such systems. Background Technology

[0002] Wireless access points (WAPs) facilitate data connections between wide area networks (such as fixed access broadband networks) and wireless communication devices (also referred to herein as “user equipment”, UEs).

[0003] WAP provides a wireless local area network (WLAN) that operates on radio frequency spectrum with low transmit power, typically offering a range of a few meters. For example, WLAN can be used with IEEE... RTM The 802.11 family of standards (commonly known as Wi-Fi) RTM Any one of the following. The UE can be used to connect to a WLAN provided by WAP.

[0004] In order to connect to a WLAN, the UE must first identify the WAP providing the WLAN, as well as the WLAN itself. After identifying the WLAN and the WAP, the UE can typically (and as generally recommended) first be authenticated to connect to the WLAN; this is usually done by the user providing the WAP with access credentials (such as a password) associated with the WLAN.

[0005] With the increasing number of WAP, WLAN and UE, managing secure access to WLAN can be a cumbersome task for UE users, requiring manual identification of WLAN and input of access credentials.

[0006] To help reduce this burden, methods have been proposed for automatically generating access credentials for WLAN and then using these generated access credentials to connect to the WLAN; such methods can be called “zero-touch connection” processing because no user input is required each time the UE connects to a new WLAN.

[0007] To facilitate "zero-touch connectivity," access credentials can be encoded within the broadcast network identifier (e.g., Service Set Identifier (SSID)) used for WLAN, and the UE can decode the network identifier to derive the access credentials. The UE then attempts to connect to the WLAN associated with those access credentials.

[0008] However, more sophisticated methods are being developed to compromise the secure operation of WLANs. Since the UE may be unable to verify the authenticity of a "zero-touch connection" system, impersonating the network identifier configured for "zero-touch connection" could cause the UE to attempt (and re-attempt) to connect to a malicious WLAN or to a legitimate WLAN using incorrect access credentials; in both cases, the UE would be prevented from establishing a connection to the legitimate WLAN (e.g., as a result of being misled into a malicious WLAN or blacklisted by the legitimate WLAN). Furthermore, this form of attack could overload the legitimate WLAN with access requests, adversely affecting its operation. The effect could be similar to a denial-of-service attack (against the UE and / or the WLAN).

[0009] The purpose of this invention is to at least alleviate some of the problems mentioned above. Summary of the Invention

[0010] According to a first aspect of the present invention, a method for operating a telecommunications network is provided, the telecommunications network comprising: a user equipment (UE); a first wireless local area network (WLAN), the first WLAN being identifiable by a first network identifier; a hidden WLAN; and a target WLAN; and the method comprising the steps of: configuring the hidden WLAN to have a hidden network identifier cryptographically derived from the first network identifier; the UE: obtaining the first network identifier from the first WLAN; cryptographically processing the obtained first network identifier to derive the hidden network identifier; using the derived hidden network identifier to search for WLANs; and requesting a connection to or via the target WLAN only after discovering the hidden WLAN.

[0011] As used herein, the term "hidden" in relation to "WLAN" and / or "network identifier" preferably means undiscoverable to the UE and preferably not publicly broadcast. Preferably, obtaining the first network identifier is performed by the UE searching for (or probing) the WLAN and subsequently detecting it. Optionally, the UE is configured to favor, be forced to, prioritize, and more preferably most prioritize attempting to connect to the target WLAN. Optionally, the first WLAN, the hidden WLAN, and / or the target WLAN are insecure (public or unencrypted) and therefore may not require access credentials for the UE to connect to the WLAN. Optionally, the first WLAN, the hidden WLAN, and / or the target WLAN are secure (private or encrypted) and therefore require access credentials for the UE to connect to the WLAN. Preferably, the first network identifier is cryptographically processed in response to the UE recognizing a predefined string in the first network identifier.

[0012] Preferably, the cryptographic processing of the first network identifier is performed only on a portion of the first network identifier, which can be identified by the UE through a predefined string in the first network identifier. Optionally, the target WLAN is also hidden (wherein the target WLAN and the first WLAN are different). Preferably, the UE is simultaneously within range of the first WLAN, the hidden WLAN, and / or the target WLAN. As used herein, "cryptographically derived" and / or "cryptographically processed" preferably means generated as a result of performing a cryptographic function, which may include encryption, decryption, encoding, decoding, hashing, and / or salting.

[0013] Preferably, the method further includes the step of: preventing the UE from requesting a connection to the target WLAN in response to the hidden WLAN remaining hidden from the UE. Preferably, the prevention is continuously executed such that the target WLAN can be blocked or blacklisted. Preferably, the hidden WLAN remains hidden from the UE after the UE performs a search for a predetermined period of time and fails to identify the WLAN using the obtained hidden network identifier within that period of time.

[0014] Preferably, the method further includes the following steps: configuring the target WLAN to be accessible only by the UE using access credentials; providing the first network identifier, including the output of an encryption function performed on the access credentials; having the UE decode the first network identifier in response to obtaining the first network identifier, thereby outputting the access credentials; and wherein the request for a connection to the target WLAN is performed using the output access credentials. Preferably, a decryption function corresponding to the encryption function is provided to the UE, thereby allowing the UE to output the access credentials. Optionally, the first network identifier is generated based on the access credentials. Optionally, the access credentials are generated based on the first network identifier. Preferably, the access credentials include: a username, a password, and / or a token. Preferably, the encryption function is performed by: generating a wireless access point (WAP) for the first WLAN; or a server remote relative to and accessible to the WAP. Optionally, the decoding of the first network identifier is performed only on a portion of the first network identifier, which can be identified by the UE through a predefined string in the first network identifier.

[0015] Preferably, the target WLAN is connected to a wide area network (WAN), and wherein a connection request via the target WLAN is executed to connect the UE to the WAN. Preferably, the method further includes the steps of: configuring the WAN to be accessible only by the UE via the target WLAN using access credentials; providing a first network identifier, including the output of an encryption function performed on the access credentials; having the UE decode the first network identifier in response to obtaining the first network identifier, thereby outputting the access credentials; and wherein the connection request via the target WLAN to the WAN is executed using the access credentials. Preferably, the WAN can only be accessed by the UE through a captive portal.

[0016] Preferably, the target WLAN can be identified by a target network identifier, wherein the first network identifier is provided to include the target network identifier; and wherein the target network identifier is derived by the UE based on the obtained first network identifier and used by the UE to request the connection to the target WLAN. Alternatively, the UE may preload the target network identifier, and the UE may also be configured to attempt to connect to the target WLAN by default. Preferably, the "network identifier" (e.g., "first," "hidden," and / or "target") is a Service Set Identifier (SSID).

[0017] Preferably, the first network identifier is provided, further comprising the output of a cryptographic function performed on the target network identifier; and wherein the target network identifier is obtained by the UE performing the cryptographic function on the first network identifier. Preferably, to generate the first network identifier, the cryptographic function is performed by a WAP or a server remotely accessible to the WAP. Optionally, the first network identifier is (only) the output of the cryptographic function and / or encryption function. Optionally, the target WLAN and the first WLAN are the same. Optionally, the target WLAN and the hidden WLAN are the same.

[0018] Preferably, the method further includes the steps of: obtaining a network device identifier associated with a wireless access point (WAP), the WAP providing a first WLAN; and providing a first network identifier to include the output of the encryption function or (another) encryption function performed on the network device identifier. Preferably, the network device identifier is a Basic Service Set Identifier (BSSID) of the WAP. Optionally, the first WLAN is provided by a first wireless access point (WAP), the hidden WLAN is provided by a second WAP, and the target WLAN is provided by a third WAP. Optionally, the first WAP is the same as the second WAP and / or the third WAP. Alternatively, the second WAP may be the same as the third WAP.

[0019] Preferably, the method further includes the step of changing the network device identifier after a connection between the UE and the target WLAN has been established. Preferably, the network device identifier is changed when the connection is terminated. Alternatively, the network device identifier may be changed after each communication between the UE and the target WLAN.

[0020] According to another aspect of the present invention, a method for operating a user equipment (UE) is provided, the UE forming part of a telecommunications network, the telecommunications network comprising: a first wireless local area network (WLAN), the first WLAN being identifiable by a first network identifier; a hidden WLAN having a hidden network identifier cryptographically derived from the first network identifier; and a target WLAN; and the method comprising the steps of: obtaining the first network identifier from the first WLAN; cryptographically processing the obtained first network identifier to derive the hidden network identifier; using the derived hidden network identifier to search for WLANs; and requesting a connection to or via the target WLAN only after the hidden WLAN has been discovered.

[0021] According to another aspect of the invention, a method is provided for operating a set of wireless access points (WAPs), the set of WAPs forming part of a telecommunications network including user equipment (UEs) available for connection to the WAPs in the set of WAPs. The method includes the steps of: providing a first WLAN, the first WLAN being identifiable by a first network identifier; providing a hidden WLAN having a hidden network identifier, the hidden network identifier being cryptographically derived based on the first network identifier; and providing a target WLAN in response to the UE identifying the hidden WLAN, the UE being available for connection to or via the target WLAN. Optionally, the set includes a single WAP. Optionally, the UE can only be used to connect to the target WLAN after confirming that it has identified the hidden WLAN to the set of WAPs, particularly to the WAP providing the target WLAN.

[0022] According to another aspect of the present invention, a computer-readable carrier medium is provided, the computer-readable carrier medium comprising a computer program that, when executed by a computer, causes the computer program to perform the steps of any of the methods described above.

[0023] According to another aspect of the present invention, a user equipment (UE) configured to access a telecommunications network is provided, the telecommunications network comprising: a first wireless local area network (WLAN) identifiable by a first network identifier; a hidden WLAN having a hidden network identifier cryptographically derived from the first network identifier; and a target WLAN; and the UE comprising: a processor configured to cause the UE to: obtain the first network identifier from the first WLAN; cryptographically process the obtained first network identifier to derive the hidden network identifier; and use the derived hidden network identifier to search for WLANs; and a controller configured to cause the UE to request a connection to or via the target WLAN only after the hidden WLAN is discovered.

[0024] According to another aspect of the invention, a set of wireless access points (WAPs) is provided, the set of WAPs forming part of a telecommunications network, the telecommunications network including user equipment (UEs) available for connection to the WAPs in the set of WAPs, the set of WAPs including: a first controller configured to provide a first WLAN, the first WLAN being identifiable by a first network identifier; a second controller configured to provide a hidden WLAN having a hidden network identifier cryptographically derived from the first network identifier; and a third controller configured to provide a target WLAN in response to the UE identifying the hidden WLAN, the UE being available for connection to or via the target WLAN.

[0025] According to another aspect of the present invention, a telecommunications system is provided, comprising: a user equipment (UE) as described above; and a set of wireless access points (WAPs) as described above.

[0026] This invention includes any novel aspects described and / or illustrated herein. The invention also extends to methods and / or apparatuses substantially as described herein and / or illustrated with reference to the accompanying drawings. The invention is also provided as computer programs and / or computer program products for performing any of the methods described herein and / or for implementing any of the apparatus features described herein, and computer-readable media storing programs for performing any of the methods described herein and / or for implementing any of the apparatus features described herein. Features described as being implemented in hardware are alternatively implemented in software, and vice versa.

[0027] The present invention also provides a method for transmitting signals, and a computer product having an operating system that supports computer programs for performing any of the methods described herein and / or for implementing any of the device features described herein.

[0028] Any device feature can also be provided as a corresponding step of the method, or vice versa. As used herein, device plus functional features can alternatively be represented according to their respective structures, such as a suitably programmed processor.

[0029] Any feature in one aspect of the invention may be applied to other aspects of the invention in any suitable combination. Any, some, and / or all features in one aspect may be applied to any, some, and / or all features in any other aspect in any suitable combination. Specific combinations of the various features described and defined in any aspect of the invention may be implemented and / or provided and / or used independently.

[0030] As used throughout the text, the word “or” may be interpreted in an exclusive and / or inclusive sense, unless otherwise specified.

[0031] This invention extends to a method of operating a telecommunications network, a method of operating a user equipment, a method of operating a set of wireless access points, a user equipment, a set of wireless access points, and further to telecommunications systems as described herein and / or substantially as illustrated with reference to the accompanying drawings. The invention will now be described by way of example only with reference to the accompanying drawings, in which:

[0032] Figure 1 This is a schematic diagram of an exemplary telecommunications network; and

[0033] Figure 2 The process for operating a telecommunications network is illustrated. Detailed Implementation

[0034] Figure 1 An exemplary telecommunications network 100 is shown, which includes: a wireless communication device or user equipment (UE) 110, a wireless access point (WAP) 120, and a wide area network 130.

[0035] In one example, the WAP is a wireless router, extender, and / or repeater. The UE can take the form of any device that includes a WLAN interface, and in particular: personal computers (laptops or desktops), mobile telecommunications devices, Internet of Things (IoT) devices, wireless repeaters, and / or wireless extenders.

[0036] WAP 120 is configured to generate a wireless local area network (WLAN) 130, and UE 110 can be used to connect to WLAN 130. In this example, the WLAN can be used to connect to IEEE 120. RTMAny one of the 802.11 standard families.

[0037] WAP 120 can be used to provide multiple WLANs, and Figure 2 In the example, WAP provides two separate WLANs: the first WLAN 130-1 and the second WLAN 130-2.

[0038] WAP 120 connects (e.g., via Ethernet) to WAN 130 (e.g., in the form of a fixed access broadband network). As a result, UE 110 can be used to connect to WAN 130 via WLAN 130 provided by WAP 120, and then connect to, for example, the Internet.

[0039] WAP 120 is configured to broadcast to UE 110 the network device identifier of the WAP; this network device identifier has the form of a Basic Service Set Identifier (BSSID). By convention, the BSSID is the data link layer network address of the WAP (and specifically the WAP's network interface controller (NIC)) or derived from it, such as a Media Access Control (MAC) address. Therefore, the WAP is recognizable to UEs using the BSSID.

[0040] WAP 120 is also configured to broadcast a network identifier for a specific WLAN to UE 110; this network identifier has the form of a Service Set Identifier (SSID). Each WLAN can be individually identified by the UE by using different SSIDs (which are typically easy to configure) for the first WLAN 130-1 and the second WLAN 130-2.

[0041] The UE 110 is positioned close enough to the WAP 120 to be within the WAP's wireless range, thus enabling it to communicate with the WAP 120.

[0042] WAP 120 and UE 110 are configured for “zero-contact connectivity”, in which the following processes can be performed without user intervention: the UE identifies the WLAN, obtains new access credentials for the WLAN, uses the new access credentials to authenticate the UE to the WLAN, and then connects to the WLAN.

[0043] To securely facilitate this "zero-touch connection," the WAP 120 is equipped with cryptographic routines that include encryption and cryptographic functions. Correspondingly, the UE 110 is equipped with corresponding cryptographic routines that include decryption and cryptographic functions, the decryption function being configured to decrypt the ciphertext generated by the encryption function. The cryptographic routines also include instructions for indicating when, how, and on what data the encryption, decryption, and cryptographic functions are performed. For example, the encryption functions include symmetric or asymmetric algorithms, and specifically, those based on the Advanced Encryption Standard (AES).

[0044] As described in more detail below, telecommunications network 100 is configured such that UE 110, which has been secretly transmitted with access credentials for a new WLAN, only requests a new WLAN connection after authenticating the access credentials.

[0045] Figure 2 An exemplary process 200 is shown for authenticating “zero-touch connection” processing to automatically establish a WLAN connection with UE 110.

[0046] In the first step 210, WAP generates a first WLAN 130-1, which can be identified by the first SSID created as described below.

[0047] The first WLAN 130-1 is a secure WLAN; as a result, in order for the UE to connect to the first WLAN, the WAP requires access credentials (including at least a password) from the UE 110.

[0048] According to cryptographic routines, an encryption function (performed by WAP in this example) is executed on the access credential associated with the first WLAN 130-1 to generate ciphertext, which is used to form part of the first SSID. As a result, the access credential of the first WLAN is encoded in the first SSID.

[0049] For example, the access credentials for the first WLAN include a cipher in the form of the text string "ZTCSSIDONE" (i.e., plaintext cipher), and the encryption function includes a shift (or "Caesar") cipher configured to apply a single forward shift using English letters. In this example, the ciphertext is therefore "AUDTTJEPOF"; this ciphertext is used as the first SSID.

[0050] The first WLAN is made to be publicly visible, so the WAP broadcasts the first SSID (e.g., “AUDTTJEPOF”) and the BSSID of WAP 120 (e.g., “11111111111111111111111111111”).

[0051] In the next step 220, WAP 120 generates a second WLAN 130-2.

[0052] According to the cryptographic routine, a cryptographic function is executed on both the first SSID and BSSID of WAP 120 (in this case, executed by WAP), thereby producing a cryptographic output. The cryptographic output is then assigned to form a portion of the SSID of the second WLAN (i.e., the second SSID), and the second WLAN is generated based on this.

[0053] For example, the cryptographic function is a hash function applied to the concatenation of the first SSID and then the BSSID. Consistent with the specific example provided above, the cryptographic function is the MD2 hash applied to "AUDTTJEPOF 1111111111111111111111111111111"; and therefore, the cryptographic output and the second SSID are "3dd7240572c594ae2e510259c872557d".

[0054] The second WLAN 130-2 is configured as a hidden WLAN (therefore the second WLAN can also be referred to as a "hidden WLAN"). Therefore, the second SSID is not publicly broadcast by WAP, and is therefore unrecognizable to UEs (including UE 110 (at least up to step 220)) that do not have prior knowledge about the second WLAN.

[0055] In the next step 230, UE 110 begins searching for available WLANs. Therefore, the UE detects the first WLAN 130-1, and as part of this, the UE obtains the first SSID and BSSID of WAP 120. Since the second WLAN 130-2 is hidden, and because the UE has no prior knowledge about the second WLAN, the UE cannot recognize the second WLAN (even though it is within range).

[0056] The UE is instructed to connect to the first WLAN 130-1 (therefore, the first WLAN may also be referred to as the "target WLAN"); however, before attempting such a connection, in the next step 240, in response to obtaining the first SSID and BSSID, the UE 110 executes a cryptographic routine such that the UE:

[0057] 1. Perform a decryption function on the first SSID (or only on the portion encoded with the encrypted access credentials) to obtain the access credentials for the first WLAN 130-1; and

[0058] 2. Execute cryptographic functions on the first SSID and BSSID to output cryptographic output, and thus output the second SSID.

[0059] Next, 250, the UE searches for WLAN based on the output generated from UE 110 in the previous step 240.

[0060] Therefore, UE 110 sends a probe request to a WLAN with an SSID that matches the output of the cryptographic function applied to the first SSID and BSSID (i.e., the second SSID).

[0061] Then, the UE monitors whether there is a response from a WLAN with this matching SSID, and thus monitors whether a second WLAN exists.

[0062] If such a WLAN exists, in response to a probe request from the UE, the second WLAN 130-2 identifies itself to the UE, and the UE discovers the existence of the second WLAN. Thus, due to the existence of the expected hidden information (i.e., the second WLAN with a cryptographically derived second SSID), the UE is able to verify that the entity (i.e., the first WLAN) is genuine and trustworthy (or cryptographically the same party), and the first WLAN is therefore unlikely to be an adversary of the UE, the entity from which the UE derives secret information (i.e., access credentials) that will be used to influence the UE's operation (i.e., attempting to connect to the first WLAN).

[0063] In the next step 270, after the existence of the second WLAN 130-2 is confirmed based on cryptographically derived information, the UE 110 attempts to connect to the first WLAN 130-1. Since the first WLAN is a private WLAN, the WAP requests access credentials from the UE, and the UE accordingly submits the access credentials derived by the UE in step 240. Therefore, the UE can be used to connect to the first WLAN 130-1.

[0064] Therefore, UE 110 is prevented from being forced to attempt to connect to the first WLAN 130-1 until the authenticity of the first WLAN is verified.

[0065] It should be understood that the UE can only effectively derive the access credentials for the first WLAN and the cryptographic output that forms part of the second SSID, because the UE and WAP are applying the corresponding cryptographic routines.

[0066] Therefore, if in step 260, the UE does not detect the existence of a WLAN with an SSID that matches the output of the cryptographic function performed by the UE on the first SSID and BSSID, the UE prevents itself 280 from requesting a connection to the first WLAN 130-1, or more generally, prevents itself 280 from requesting a connection to WAP 120. This may occur if the UE 110 detects a malicious WAP impersonating (copying) the first WLAN instead of WAP 120. Since the malicious WAP is adversary and is not configured to generate a hidden (or that) second WLAN, the UE cannot verify the malicious WAP and thus prevents the UE from attempting to connect to the impersonated WLAN, or more generally, to the malicious WAP.

[0067] In one example, for enhanced security, after step 270 (and particularly after the termination of the connection between UE 110 or all UEs and the first WLAN 130-1), the WAP is configured to generate a new first SSID and / or BSSID different from the SSID and / or BSSID used by the WAP in processing 200 (or any) previous steps (including any previous iterations). Specifically, the BSSID can be changed as frequently as with each message between the UE and the WAP. The UE is configured to block any attempts to connect to the previously used first SSID and / or BSSID (thus also preventing access to step 280).

[0068] Alternative options and modifications

[0069] In the foregoing, the second SSID includes the cryptographic output generated by performing cryptographic functions on both the first SSID and the BSSID; using these two identifiers helps improve system security. However, in one example, for simplicity, a cryptographic function is performed on either the first SSID or the BSSID to generate the second SSID by UE 110 and WAP 120. Alternatively, cryptographic functions can be performed on other identifiers besides the first SSID and the BSSID.

[0070] In an alternative example, for enhanced security, the second WLAN is also a private WLAN, requiring access credentials from the UE to connect to it, and the UE proceeds to step 270 only after it has already connected to (and then disconnected from) the second WLAN. In one example, the access credentials used for the second WLAN are: a WAP and a static password known in advance by the UE; or a password derived by the UE using the encryption function or another encryption function based on the first SSID and / or BSSID.

[0071] In one example, the access credentials for the first WLAN 130-1 (and / or the second WLAN 130-2) are generated by a server accessible via WAN 130, including the cryptographic routine, rather than at the WAP 120. Therefore, the WAP communicates with this server to receive the access credentials. In one example, the server takes the form of a cloud-based management system for the WAP 120.

[0072] In another alternative, the access credentials instead allow access to a third WLAN (instead of the first WLAN 130-1), and the UE is configured to connect to the third WLAN using access credentials derived from the processing corresponding to the above-described processing. The third WLAN may be provided by a WAP or another WAP (in the latter case, both WAPs are in communication to share the access credentials for the third WLAN).

[0073] In yet another example, the first, second, and / or third WLANs are public, so the UE does not need access credentials to establish a connection with them. However, forward connections from the UE to the WAN require UE authentication, so access credentials are instead used to access the WAN, for example, via a mandatory portal. In this example, the UE is configured to request a connection to the WAN only when the presence of the second WLAN is recognized.

[0074] In another alternative, the first WLAN 130-1 and the second WLAN 130-2 are each provided by two WAPs, each of which is UE-accessible, connected to the wide area network 130, and communicates with the other WAP. Accordingly, in the presence of a third WLAN, the third WLAN can be provided by either WAP or by yet another WAP with a similar configuration.

[0075] In one example, the UE is instructed to connect to a first WLAN based on pre-configured instructions provided to the UE, such as by default attempting to connect to the first WLAN, or attempting to connect to any WLAN from which the UE obtains its SSID and BSSID.

[0076] Alternatively, the UE is instructed to pass the identity (i.e., SSID) of the target WLAN it is connected to via the SSID; the target WLAN can be a first WLAN, a second WLAN, or a third WLAN. In this way, the access credentials encoded in the first SSID are associated with the target WLAN. For example, the SSID of the target WLAN is also provided as part of the first SSID, and in one example it is provided in plaintext, while in another example it is provided in ciphertext (also encoded using the same encryption function or another encryption function). The UE is then configured to decode the first WLAN to derive (and distinguish) both the target WLAN and the access credentials.

[0077] It should be understood that the above method can be applied to other forms of WLAN and / or wireless personal area networks, such as Bluetooth-based ones. RTM Zigbee RTM and WiMAX RTM .

[0078] In an alternative example, the UE executes a cryptographic function (i.e., step 240) only in response to recognizing a first SSID and / or BSSID in a predefined format. For example, the predefined format means that the SSID and / or BSSID begins and / or ends with a predefined character set.

[0079] In an alternative example, the UE performs encryption and / or cryptographic functions only on a portion of the first SSID and / or BSSID, wherein the portion may be identified by the UE through a predefined prefix and / or suffix.

[0080] It should be understood that the second WLAN does not need to carry user service flows, and the first WLAN does not need to carry user service flows if the third WLAN to which the UE ultimately connects is provided.

[0081] Each feature disclosed herein and (where appropriate) forms part of the claims and drawings may be provided independently or in any suitable combination.

[0082] Any reference numerals appearing in the claims are for illustrative purposes only and should not limit the scope of the claims.

Claims

1. A method of operating a telecommunications network, the telecommunications network comprising: User equipment (UE); a first wireless local area network (WLAN), which can be identified by a first network identifier; a hidden WLAN; And a target WLAN separate from the hidden WLAN; and the method includes the following steps: The hidden WLAN is configured to have a hidden network identifier cryptographically derived from the first network identifier; From the UE: Obtain the first network identifier from the first WLAN; The first network identifier obtained is processed cryptographically to derive the hidden network identifier; Use the obtained hidden network identifier to search for WLANs; and Only after the hidden WLAN is discovered will a connection be requested to or via the target WLAN.

2. The method according to claim 1, further comprising the following steps: In response to the hidden WLAN remaining hidden from the UE, the UE is prevented from requesting a connection to the target WLAN.

3. The method according to claim 1 or 2, further comprising the following step: Configure the target WLAN so that it can only be accessed by the UE using access credentials; Provide the first network identifier to include the output of an encryption function performed on the access credential; The UE decodes the first network identifier in response to obtaining the first network identifier, thereby outputting the access credential; as well as The request to connect to the target WLAN is performed using the output access credentials.

4. The method according to claim 1 or 2, wherein, The target WLAN is connected to a wide area network, and a request for connection via the target WLAN is executed to connect the UE to the wide area network.

5. The method according to claim 4, further comprising the following step: Configure the wide area network so that it can only be accessed by the UE via the target WLAN using access credentials; Provide the first network identifier to include the output of an encryption function performed on the access credential; The UE decodes the first network identifier in response to obtaining the first network identifier, thereby outputting the access credential; as well as The request to connect to the wide area network via the target WLAN is performed using the access credentials.

6. The method according to claim 1 or 2, wherein, The target WLAN can be identified by a target network identifier, wherein the first network identifier is provided to include the target network identifier; and wherein the target network identifier is derived by the UE based on the obtained first network identifier and is used by the UE to request the connection to the target WLAN.

7. The method according to claim 6, wherein, The first network identifier is provided, further comprising the output of a cryptographic function performed on the target network identifier; and wherein the target network identifier is obtained by the UE performing the cryptographic function on the first network identifier.

8. The method according to claim 1 or 2, wherein, The target WLAN is the same as the first WLAN.

9. The method according to claim 1 or 2, further comprising the following step: Obtain the network device identifier associated with the wireless access point (WAP), wherein the WAP provides the first WLAN; The first network identifier is further provided to include the output of an encryption function performed on the network device identifier.

10. The method according to claim 9, further comprising: The step of changing the network device identifier after establishing a connection between the UE and the target WLAN.

11. A method of operating a user equipment (UE), the UE forming part of a telecommunications network, the telecommunications network comprising: A first wireless local area network (WLAN), which can be identified by a first network identifier; A hidden WLAN, wherein the hidden WLAN has a hidden network identifier cryptographically derived from the first network identifier; And a target WLAN separate from the hidden WLAN; and the method includes the following steps: Obtain the first network identifier from the first WLAN; The first network identifier obtained is processed cryptographically to derive the hidden network identifier; Use the obtained hidden network identifier to search for WLANs; and Only after the hidden WLAN is discovered will a connection be requested to or via the target WLAN.

12. A method of operating a set of wireless access points (WAPs), said set of WAPs forming part of a telecommunications network, said telecommunications network including user equipment (UE) capable of connecting to the WAPs in said set of WAPs, the method comprising the following steps: Provide a first WLAN, which can be identified by a first network identifier; Provide a hidden WLAN with a hidden network identifier, the hidden network identifier being cryptographically derived from a first network identifier; and In response to the UE identifying the hidden WLAN, a target WLAN is provided, which the UE can use to connect to or connect via the target WLAN, wherein the target WLAN is separate from the hidden WLAN.

13. A computer-readable carrier medium comprising a computer program that, when executed by a computer, causes the computer to perform the method of any one of claims 1 to 12.

14. A user equipment (UE) configured to access a telecommunications network, the telecommunications network comprising: A first wireless local area network (WLAN), which can be identified by a first network identifier; A hidden WLAN, wherein the hidden WLAN has a hidden network identifier cryptographically derived from the first network identifier; and a target WLAN separate from the hidden WLAN; and the UE includes: Processor, the processor being configured to cause the UE to: Obtain the first network identifier from the first WLAN; The first network identifier obtained is processed cryptographically to derive the hidden network identifier; Use the obtained hidden network identifier to search for WLANs; and A controller configured to cause the UE to request a connection to or via the target WLAN only after the hidden WLAN is discovered.

15. A set of wireless access points (WAPs) forming part of a telecommunications network, the telecommunications network including user equipment (UEs) capable of connecting to the WAPs in the set of WAPs, the set of WAPs comprising: A first controller is configured to provide a first WLAN, which can be identified by a first network identifier; A second controller is configured to provide a hidden WLAN with a hidden network identifier, the hidden network identifier being cryptographically derived from a first network identifier; as well as A third controller is configured to provide a target WLAN in response to the UE recognizing the hidden WLAN, the UE being able to connect to or via the target WLAN, wherein the target WLAN is separate from the hidden WLAN.

16. A telecommunications system, the telecommunications system comprising: User equipment (UE) according to claim 14; as well as The set of wireless access points (WAPs) as described in claim 15.