Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication

US 20030005280A1
Filed: 05/17/2002
Published: 01/02/2003
Est. Priority Date: 06/14/2001
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium having computer-executable instructions to perform steps by a Session Initiation Protocol (SIP) proxy to authenticate a user of a SIP client, the steps comprising:

receiving a first request message from the SIP client;

determining that the first request message does not contain authentication data for authenticating the user of the SIP client;

sending a challenge message containing a code indicating that authentication is required;

receiving a second request message from the SIP client, the second request message including a proxy-authorization header containing authentication data for authenticating the user of the SIP client according to a selected authentication protocol;

authenticating the user of the SIP client using the authentication data in the proxy-authorization header of the second request message.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is provided to integrate the Kerberos security mechanism into the message flow of the signaling operation under the Session Initiation Protocol to allow a SIP client and a SIP proxy to authenticate each other. When the SIP proxy receives an request message, such an INVITE request, from the SIP client, it responds with a challenge message indicating that authentication based on Kerberos is required. In response, the SIP client sends a second request message with a proxy authorization header containing authentication data, including a Kerberos server ticket for the Proxy, to allow the proxy to authenticate the client'"'"'s user.

179 Citations

28 Claims

1. A computer-readable medium having computer-executable instructions to perform steps by a Session Initiation Protocol (SIP) proxy to authenticate a user of a SIP client, the steps comprising:
- receiving a first request message from the SIP client;
  
  determining that the first request message does not contain authentication data for authenticating the user of the SIP client;
  
  sending a challenge message containing a code indicating that authentication is required;
  
  receiving a second request message from the SIP client, the second request message including a proxy-authorization header containing authentication data for authenticating the user of the SIP client according to a selected authentication protocol;
  
  authenticating the user of the SIP client using the authentication data in the proxy-authorization header of the second request message.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A computer-readable medium as in claim 1, wherein the first and second request messages are SIP INVITE requests.
  - 3. A computer-readable medium as in claim 1, having further computer-executable instructions for performing the step of:
    - after successfully authenticating the user of the SIP client, forwarding the second request message to a SIP signaling path leading to an intended callee identified in the request message.
  - 4. A computer-readable medium as in claim 1, wherein the selected authentication protocol is the Kerberos protocol, and wherein the authentication data in the proxy-authorization header includes data representing a Kerberos server ticket for accessing the SIP proxy.
  - 5. A computer-readable medium as in claim 4, wherein the step of authenticating includes calling a Kerberos module to check validity of the Kerberos server ticket and extracting from the Kerberos server ticket a session key for use in communicating with the SIP client.
  - 6. A computer-readable medium as in claim 1, wherein the authentication data in the proxy-authorization header includes data requesting mutual authentication between the SIP client and the SIP proxy, and wherein the computer-readable medium has further computer-executable instructions for performing the step of returning to the SIP client a message having a proxy-authentication information header containing authentication data of the SIP proxy for use by the SIP client to authenticate the SIP proxy.
  - 7. A computer-readable medium as in claim 1, wherein the selected authentication protocol is the NTLM protocol.

8. A computer-readable medium having computer-executable instructions for a Session Initiation Protocol (SIP) client to perform steps for authenticating a user of the SIP client to a SIP proxy in connection with initiating a session through the SIP proxy, the steps comprising:
- sending a first request message for an intended callee to the SIP proxy;
  
  receiving a challenge message sent by the SIP proxy in response to the first request message indicating that authentication is required;
  
  constructing a proxy-authorization header containing authentication data for authenticating the user according to a selected authentication protocol;
  
  sending a second request message for the intended callee, the second request message including the constructed proxy-authorization header.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 17, 18, 20, 21, 22, 24, 26, 27, 28)
- - 9. A computer-readable medium as in claim 8, wherein the first and second request messages are SIP INVITE requests.
  - 10. A computer-readable medium as in claim 8, wherein the selected authentication protocol is the Kerberos protocol, and wherein the authentication data in the proxy-authorization header include data representing a Kerberos server ticket for accessing the SIP proxy.
  - 11. A computer-readable medium as in claim 8, wherein the step of constructing the proxy-authorization header includes obtaining the Kerberos server ticket from a Kerberos Key Distribution Center.
  - 12. A computer-readable medium as in claim 11, wherein the proxy-authorization header includes data representing a request for mutual authentication between the SIP client and the SIP proxy, and wherein the computer-readable medium includes further computer-executable instructions for performing the steps of:
    - receiving a response message from the SIP proxy in response to the second request message;
      
      extracting from a proxy-authentication information header contained in the response message authentication data for the SIP proxy; and
      
      authenticating the SIP proxy based on the authentication data for the SIP proxy extracted from the proxy-authentication information header.
  - 13. A computer-readable medium as in claim 8, having further computer-executable instructions for the SIP client to perform the steps of:
    - obtaining user authentication data for authenticating the user of the SIP client according to the selected authentication protocol; and
      
      transmitting a REGISTER message to the SIP proxy for registration with the SIP proxy, the REGISTER message having a proxy-authorization header containing the authentication data for authenticating the user.
  - 14. A computer-readable medium as in claim 13, wherein the selected authentication protocol is the Kerberos protocol, and wherein the authentication data for the user include data representing a Kerberos server ticket obtained from a Kerberos Key Distribution Center for accessing the SIP proxy.
  - 15. A computer-readable medium as in claim 8, wherein the selected authentication protocol is the NTLM protocol.
  - 17. A method as in claim 16, wherein the first and second request messages are SIP INVITE requests.
  - 18. A method as in claim 16, wherein the authentication data in the proxy-authorization header in the second request message include data requesting mutual authentication between the SIP client and the SIP proxy, and wherein the method further includes the step of returning to the SIP client a message having a proxy-authentication information header containing authentication data for use by the SIP client to authenticate the SIP proxy.
  - 20. A method as in claim 19, wherein the step of constructing the proxy-authorization header includes obtaining the Kerberos server ticket from a Kerberos Key Distribution Center.
  - 21. A method as in claim 19, wherein the step of constructing the proxy-authorization header includes inserting a request in the proxy-authorization header for mutual authentication between the SIP client and the SIP proxy, and wherein the method further includes the steps of:
    - receiving a response message from the SIP proxy in response to the second request message;
      
      extracting from a proxy-authentication information header contained in the response message authentication data for the SIP proxy; and
      
      authenticating the SIP proxy based on the authentication data for the SIP proxy extracted from the proxy-authentication information header.
  - 22. A method as in claim 21, wherein the first and second request messages are SIP INVITE requests.
  - 24. A method as in claim 23, wherein the proxy-authorization header includes a request for mutual authentication with the SIP server, and wherein the method further includes the steps of receiving a response message from the SIP proxy in response to the REGISTER message;
    - extracting from a proxy-authentication information header contained in the response message authentication data for the SIP proxy; and
      
      authenticating the SIP proxy based on the authentication data for the SIP proxy extracted from the proxy-authentication information header.
  - 26. A computer-readable medium as in claim 25, wherein the proxy-authorization header has a second data field having a signature generated by signing a portion of the SIP request message using a session key associated with the Kerberos server ticket.
  - 27. A computer-readable medium as in claim 25, wherein the SIP request message is a SIP INVITE request.
  - 28. A computer-readable medium as in claim 25, wherein the SIP request message is a SIP REGISTER request.

16. A method for a Session Initiation Protocol (SIP) proxy to authenticate a user of a SIP client during a session initiation operation, comprising the steps of:
- receiving a first request message from the SIP client;
  
  determining that the first request message does not contain authentication data for authenticating the user of the SIP client;
  
  sending a message containing a “
  
  407 Proxy Authentication Required”
  
  status code to the SIP client to indicate that authentication is required;
  
  receiving a second request message from the SIP client, the second request message including a proxy-authorization header containing user authentication data for authenticating the user of the SIP client, the user authentication data including data representing a Kerberos server ticket for accessing the SIP proxy;
  
  authenticating the user of the SIP client using the Kerberos server ticket and extracting a session key from the Kerberos server ticket for encrypting communications with the SIP client; and
  
  forwarding the second request message to a SIP signaling path leading to an intended callee identified in the INVITE message.

19. A method for a Session Initiation Protocol (SIP) client to authenticate a user of the SIP client to a SIP proxy in connection with initiating a session through the SIP proxy, the steps comprising:
- sending a first request message for an intended callee to the SIP proxy;
  
  receiving a challenge message sent by the SIP proxy in response to the first request message indicating that authentication is required;
  
  constructing a proxy-authorization header containing user authentication data for authenticating the user, the user authentication data including data representing a Kerberos server ticket for accessing the SIP proxy;
  
  sending a second request message for the intended callee, the second request message including the constructed proxy-authorization header.

23. A method for a Session Initiation Protocol (SIP) client to perform authentication with a SIP proxy, comprising the steps of:
- obtaining authentication data for authenticating the SIP client according to the Kerberos authentication protocol, the authentication data including a server ticket for accessing the SIP proxy;
  
  transmitting a REGISTER message to the SIP proxy for registration with the SIP proxy, the REGISTER message having a proxy-authorization header containing the authentication data.

25. A computer-readable medium having stored thereon a data structure representing a Session Initiation Protocol (SIP) request message, comprising:
- a plurality of SIP headers including a proxy-authorization header having a data field containing data representing a Kerberos server ticket for accessing a SIP proxy; and
  
  a message body.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bobde, Nikhil P., Han, Mu, Demirtjis, Ann

Granted Patent

US 7,243,370 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0869   for achieving mutual authen...

H04L 63/123   received data contents, e.g...

H04L 63/205   involving negotiation or de...

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

179 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

179 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links