System for negotiating security association on application layer

US 20040210766A1
Filed: 09/03/2002
Published: 10/21/2004
Est. Priority Date: 09/03/2001
Status: Active Grant

First Claim

Patent Images

1. A method for computer-aided negotiation of a security association on an application layer between a first computer and a second computer, the first computer and the second computer being coupled to one another via a telecommunication network, comprising:

transmitting a list of possible security associations between the first computer and the second computer from the first computer to the second computer in a message according to a protocol of the application layer, a security parameter index being included for and assigned to each security association in the list, each security parameter index identifying a corresponding security association in the list, respectively determining cryptographic parameters for a cryptographically protected communication link in a network layer to be set up using the security association, selecting a security association by the second computer, and transmitting to the first computer at least one of the security association selected by the second computer and an indication of the security association selected by the second computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first computer sends a list of possible security associations to a second computer in a message according to a protocol of an application layer, a security parameter index being contained in the message for each security association. The second computer selects a security association and transmits it or an indication of the security association selected by it to the first computer.

50 Citations

View as Search Results

26 Claims

1. A method for computer-aided negotiation of a security association on an application layer between a first computer and a second computer, the first computer and the second computer being coupled to one another via a telecommunication network, comprising:
- transmitting a list of possible security associations between the first computer and the second computer from the first computer to the second computer in a message according to a protocol of the application layer, a security parameter index being included for and assigned to each security association in the list, each security parameter index identifying a corresponding security association in the list, respectively determining cryptographic parameters for a cryptographically protected communication link in a network layer to be set up using the security association, selecting a security association by the second computer, and transmitting to the first computer at least one of the security association selected by the second computer and an indication of the security association selected by the second computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method as claimed in claim 1, wherein the first computer is a mobile communication terminal and the second computer is a mobile radio network computer.
  - 3. The method as claimed in claim 1, wherein the first computer is a mobile radio network computer and the second computer is a mobile communication terminal.
  - 4. The method as claimed in claim 1, wherein the telecommunication network is a mobile radio telecommunication network connecting a mobile communication terminal and a mobile radio network computer.
  - 5. The method as claimed in claim 4, wherein the mobile communication terminal transmits a registration message according to the protocol of the application layer to the mobile radio network computer, and wherein the mobile radio network computer transmits an authentication message according to the protocol of the application layer to the mobile communication terminal.
  - 6. The method as claimed in claim 1, further comprising transmitting an acknowledgement message from the first computer to the second computer to confirm the security association selected by the second computer for a future communication link.
  - 7. The method as claimed in claim 6, wherein the acknowledgement message contains the selected security association in a form cryptographically protected according to the selected security association.
  - 8. The method as claimed in claim 7, wherein the selected security association is protected in the acknowledgement message according to an integrity protection method determined in the selected security association.
  - 9. The method as claimed in claim 8, further comprising:
    - verifying the acknowledgement message by the second computer, and setting up a communication using the selected security association only if said verifying is successful.
  - 10. The method as claimed in claim 9, further comprising carrying out reciprocal authentication between the first computer and the second computer prior to transmitting the list of possible security associations.
  - 11. The method as claimed in claim 10, wherein said carrying out reciprocal authentication includes exchanging a session key between the first computer and the second computer,.
  - 12. The method as claimed in claim 11, further comprising deriving a further key from the session key for use within the security association selected by the second computer.
  - 13. The method as claimed in claim 12, further comprising coding the security associations according to an Internet Key Exchange protocol.
  - 14. The method as claimed in claim 13, further comprising protecting a communication relationship according to IPsec using the security associations.
  - 15. The method as claimed in claim 14, further comprising transporting user data using Encapsulating Security Payload protocol in the network layer.
  - 16. The method as claimed in claim 15, wherein the application layer has a protocol format according to one of Session Initiation Protocol, and Hypertext Transfer Protocol.
  - 17. The method as claimed in claim 16, wherein said transmitting of the security parameter index is performed in a signaling part of a respective message according to the protocol format of the application layer.
  - 18. The method as claimed in claim 17, wherein the security association determines the cryptographic parameters to be used in the network layer for a unidirectional communication link.

19. A system for computer-aided negotiation of a security association on an application layer between a first computer and a second computer, the first computer and the second computer being coupled to one another via a telecommunication network, comprising:
- a processor in each of the first computer and the second computer programmed to transmit from the first computer to the second computer a list of possible security associations between the first computer and the second computer in a message according to a protocol of the application layer, including a security parameter index assigned to and identifying each security association in the list, the security association respectively determining cryptographic parameters used for a cryptographically protected communication link in a network layer to be set up using the security association, to select a security association by the second computer, and to transmit from the second computer to the first computer at least one of the security association selected by the second computer and an indication of the security association selected by the second computer.

20. A computer, coupled to a remote computer via a telecommunication network, for negotiating a security association on an application layer between said computer and the remote computer, comprising:
- a processor programmed to transmit to the remote computer a list of possible security associations between the computer and the remote computer in a message according to a protocol of the application layer, including a security parameter index assigned to and identifying each security association in the list, the security association respectively determining cryptographic parameters used for a cryptographically protected communication link in a network layer to be set up using the security association, and to receive from the remote computer at least one of a selected security association and an indication of the selected security association selected by the remote computer from the list of security associations.
- View Dependent Claims (21, 22)
- - 21. The computer as claimed in claim 20, wherein the computer is a mobile radio network computer.
  - 22. The computer as claimed in claim 20, wherein the computer is a mobile communication terminal.

23. A computer, coupled to a remote computer via a telecommunication network, for negotiating a security association on an application layer between the remote computer and said computer, comprising:
- a processor programmed to receive a message according to a protocol of the application layer, the message including a list of possible security associations between the remote computer and the computer and a security parameter index assigned to and identifying each security association, the security association being used for respectively determining cryptographic parameters used for a cryptographically protected communication link in a network layer, to be set up using the security association, to select a security association, and to transmit to the remote computer at least one of the security association and an indication of the security association.
- View Dependent Claims (24, 25)
- - 24. The computer as claimed in claim 23, wherein said computer is a mobile radio network computer.
  - 25. The computer as claimed in claim 23, wherein said computer is a mobile communication terminal.

26. At least one computer readable medium storing at least one program to control at least one processor to perform a method for computer-aided negotiation of a security association on an application layer between a first computer and a second computer, the first computer and the second computer being coupled to one another via a telecommunication network, said method comprising:
- transmitting a list of possible security associations between the first computer and the second computer from the first computer to the second computer in a message according to a protocol of the application layer, a security parameter index being included for and assigned to each security association in the list, each security parameter index identifying a corresponding security association in the list, respectively determining cryptographic parameters for a cryptographically protected communication link in a network layer to be set up using the security association, selecting a security association by the second computer, and transmitting to the first computer at least one of the security association selected by the second computer and an indication of the security association selected by the second computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
Kroselberg, Dirk

Granted Patent

US 8,028,161 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/164   at the network layer

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

System for negotiating security association on application layer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System for negotiating security association on application layer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links