Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication
Abstract
A method and system are provided to integrate the Kerberos security mechanism into the message flow of the signaling operation under the Session Initiation Protocol to allow a SIP client and a SIP proxy to authenticate each other. When the SIP proxy receives a request message, such as an INVITE request, from the SIP client, it responds with a challenge message indicating that authentication based on Kerberos is required. In response, the SIP client sends a second request message with a proxy authorization header containing authentication data, including a Kerberos server ticket for the proxy, to allow the proxy to authenticate the client's user.
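The proxy side of the exchange described in the abstract, as an added example that is not code from the patent or from any product. The `Kerberos` scheme token, the `realm` and `gssapi-data` parameter names, the 403 reply for a bad ticket and the `verify_ticket` callback are assumptions made for illustration, since the page does not give the header's wire format; real ticket validation is replaced by a constructed stand-in.

```python
import base64
import re

def parse_sip(raw):
    """Return (request_line, headers) with header names lower-cased."""
    head = re.sub(r"\r\n[ \t]+", " ", raw.split("\r\n\r\n", 1)[0])  # unfold
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def parse_credentials(value):
    """'Kerberos realm="R", gssapi-data="..."' -> ('kerberos', {params})."""
    scheme, _, rest = value.partition(" ")
    return scheme.lower(), dict(re.findall(r'([\w-]+)="([^"]*)"', rest))

def handle_request(raw, realm, verify_ticket):
    """Proxy decision: (407, challenge), (403, reason) or ('forward', user)."""
    _, headers = parse_sip(raw)
    challenge = f'Proxy-Authenticate: Kerberos realm="{realm}"'
    cred = headers.get("proxy-authorization")
    if cred is None:                       # first request: no authentication data
        return 407, challenge
    scheme, params = parse_credentials(cred)
    if scheme != "kerberos" or params.get("realm") != realm:
        return 407, challenge              # wrong scheme or realm: challenge again
    try:
        ticket = base64.b64decode(params.get("gssapi-data", ""), validate=True)
    except ValueError:
        return 403, "malformed ticket"     # 403 on failure is this example's choice
    user = verify_ticket(ticket) if ticket else None
    if user is None:
        return 403, "ticket rejected"
    return "forward", user                 # only authenticated requests are forwarded

# Constructed sample data; demo_verify stands in for real Kerberos validation.
FAKE_TICKET = b"constructed-ticket-for-alice"

def demo_verify(ticket):
    return "alice@EXAMPLE.COM" if ticket == FAKE_TICKET else None

INVITE = "INVITE sip:bob@example.com SIP/2.0\r\nFrom: <sip:alice@example.com>\r\n"

def with_auth(ticket):
    data = base64.b64encode(ticket).decode()
    return (INVITE + 'Proxy-Authorization: Kerberos realm="EXAMPLE.COM", '
            f'gssapi-data="{data}"\r\n\r\n')
```

In a deployment the `verify_ticket` callback would be the Kerberos acceptor for the proxy's service principal, and the header lookup stays case-insensitive so a differently cased `Proxy-Authorization` name cannot slip past the check.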
28 Claims
1. A computer-readable medium having computer-executable instructions to perform steps by a Session Initiation Protocol (SIP) proxy to authenticate a user of a SIP client, the steps comprising:
receiving a first request message from the SIP client;
determining that the first request message does not contain authentication data for authenticating the user of the SIP client;
sending a challenge message containing a code indicating that authentication is required;
receiving a second request message from the SIP client, the second request message including a proxy-authorization header containing authentication data for authenticating the user of the SIP client according to a selected authentication protocol;
authenticating the user of the SIP client using the authentication data in the proxy-authorization header of the second request message.
8. A computer-readable medium having computer-executable instructions for a Session Initiation Protocol (SIP) client to perform steps for authenticating a user of the SIP client to a SIP proxy in connection with initiating a session through the SIP proxy, the steps comprising:
sending a first request message for an intended callee to the SIP proxy;
receiving a challenge message sent by the SIP proxy in response to the first request message indicating that authentication is required;
constructing a proxy-authorization header containing authentication data for authenticating the user according to a selected authentication protocol;
sending a second request message for the intended callee, the second request message including the constructed proxy-authorization header.
16. A method for a Session Initiation Protocol (SIP) proxy to authenticate a user of a SIP client during a session initiation operation, comprising the steps of:
receiving a first request message from the SIP client;
determining that the first request message does not contain authentication data for authenticating the user of the SIP client;
sending a message containing a "407 Proxy Authentication Required" status code to the SIP client to indicate that authentication is required;
receiving a second request message from the SIP client, the second request message including a proxy-authorization header containing user authentication data for authenticating the user of the SIP client, the user authentication data including data representing a Kerberos server ticket for accessing the SIP proxy;
authenticating the user of the SIP client using the Kerberos server ticket and extracting a session key from the Kerberos server ticket for encrypting communications with the SIP client; and
forwarding the second request message to a SIP signaling path leading to an intended callee identified in the INVITE message.
19. A method for a Session Initiation Protocol (SIP) client to authenticate a user of the SIP client to a SIP proxy in connection with initiating a session through the SIP proxy, the steps comprising:
sending a first request message for an intended callee to the SIP proxy;
receiving a challenge message sent by the SIP proxy in response to the first request message indicating that authentication is required;
constructing a proxy-authorization header containing user authentication data for authenticating the user, the user authentication data including data representing a Kerberos server ticket for accessing the SIP proxy;
sending a second request message for the intended callee, the second request message including the constructed proxy-authorization header.
23. A method for a Session Initiation Protocol (SIP) client to perform authentication with a SIP proxy, comprising the steps of:
obtaining authentication data for authenticating the SIP client according to the Kerberos authentication protocol, the authentication data including a server ticket for accessing the SIP proxy;
transmitting a REGISTER message to the SIP proxy for registration with the SIP proxy, the REGISTER message having a proxy-authorization header containing the authentication data.
25. A computer-readable medium having stored thereon a data structure representing a Session Initiation Protocol (SIP) request message, comprising:
a plurality of SIP headers including a proxy-authorization header having a data field containing data representing a Kerberos server ticket for accessing a SIP proxy; and
a message body.
Specification