Method and system for providing secure credential storage to support interdomain traversal

US 20070022289A1
Filed: 12/30/2005
Published: 01/25/2007
Est. Priority Date: 07/20/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method of providing communication services, the method comprising:

receiving a request from a first endpoint of a first domain for establishing a communication session with a second endpoint of a second domain;

retrieving encrypted user credential information from a credentials database resident within the first domain, wherein the encrypted user credential includes a password associated with a user associated with the first endpoint; and

transmitting the encrypted user credential information to a tunneling server in response to the request, wherein the tunneling server is configured to selectively setup a tunnel to support the communication session based on the encrypted user credential information, the tunnel traversing a first firewall and a first network address translator of the first domain and a second firewall and a second network address translator of the second domain to reach the second endpoint.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach provides interdomain traversal to support packetized voice transmissions. A request is received from a first endpoint of a first domain for establishing a communication session with a second endpoint of a second domain. Encrypted user credential information is retrieved from a credentials database resident within the first domain, wherein the encrypted user credential includes a password associated with a user associated with the first endpoint. Further, the encrypted user credential information is transmitted to a tunneling server in response to the request, wherein the tunneling server is configured to selectively setup a tunnel to support the communication session based on the encrypted user credential information. The tunnel traverses a first firewall and a first network address translator of the first domain and a second firewall and a second network address translator of the second domain to reach the second endpoint.

388 Citations

28 Claims

1. A method of providing communication services, the method comprising:
- receiving a request from a first endpoint of a first domain for establishing a communication session with a second endpoint of a second domain;
  
  retrieving encrypted user credential information from a credentials database resident within the first domain, wherein the encrypted user credential includes a password associated with a user associated with the first endpoint; and
  
  transmitting the encrypted user credential information to a tunneling server in response to the request, wherein the tunneling server is configured to selectively setup a tunnel to support the communication session based on the encrypted user credential information, the tunnel traversing a first firewall and a first network address translator of the first domain and a second firewall and a second network address translator of the second domain to reach the second endpoint.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1, wherein the encrypted user credential information is encrypted according to a hash function or a public key encryption scheme.
  - 3. A method according to claim 1, wherein the tunneling server includes a database configured to store organizational level credential information that relates to an organization that controls the first domain for verifying the organization is entitled to receive the communication services.
  - 4. A method according to claim 1, wherein the tunneling server is controlled by a service provider as part of a managed communication service.
  - 5. A method according to claim 4, wherein the service provider maintains a STUN (Simple Traversal of UDP (User Datagram Protocol)) server that is configured to determine information relating to the first firewall and the first network address translator and to transmit the information to the first endpoint.
  - 6. A method according to claim 1, further comprising:
    - submitting an address request specifying a telephone number corresponding to the second endpoint to an ENUM (Electronic Number) server that is configured to convert the telephone number to a network address, wherein the ENUM server is controlled by a service provider as part of a managed communication service.
  - 7. A method according to claim 1, wherein the first endpoint and the second endpoint are configured to establish the communication session according to a Session Initiation Protocol (SIP), a SIP-type protocol, or H.323.

8. An apparatus for providing communication services, the apparatus comprising:
- a communication interface configured to receive a request from a first endpoint of a first domain for establishing a communication session with a second endpoint of a second domain;
  
  a credentials database configured to store user credential information, wherein the encrypted user credential includes a password associated with a user associated with the first endpoint; and
  
  a processor configured to retrieve the user credential information and to initiate transmission of the encrypted user credential information to a tunneling server in response to the request, wherein the tunneling server is configured to selectively setup a tunnel to support the communication session based on the encrypted user credential information, the tunnel traversing a first firewall and a first network address translator of the first domain and a second firewall and a second network address translator of the second domain to reach the second endpoint.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. An apparatus according to claim 8, wherein the encrypted user credential information is encrypted according to a hash function or a public key encryption scheme.
  - 10. An apparatus according to claim 8, wherein the tunneling server includes a database configured to store organizational level credential information that relates to an organization that controls the first domain for verifying the organization is entitled to receive the communication services.
  - 11. An apparatus according to claim 8, wherein the tunneling server is controlled by a service provider as part of a managed communication service.
  - 12. An apparatus according to claim 11, wherein the service provider maintains a STUN (Simple Traversal of UDP (User Datagram Protocol)) server that is configured to determine information relating to the first firewall and the first network address translator and to transmit the information to the first endpoint.
  - 13. An apparatus according to claim 8, wherein the processor generates an address request for transmission to an ENUM (Electronic Number) server that is configured to convert a telephone number corresponding to the second endpoint to a network address, the ENUM server being controlled by a service provider as part of a managed communication service.
  - 14. An apparatus according to claim 8, wherein the first endpoint and the second endpoint are configured to establish the communication session according to a Session Initiation Protocol (SIP), a SIP-type protocol, or H.323.

15. A method of providing communication services, the method comprising:
- receiving a request from a proxy server communicating with a first endpoint of a first domain for establishing a communication session with a second endpoint of a second domain, wherein the proxy server is configured to store encrypted user credential information including a password associated with a user associated with the first endpoint;
  
  receiving the encrypted user credential information; and
  
  establishing a tunnel to support the communication session if the encrypted user credential information is valid, the tunnel traversing a first firewall and a first network address translator of the first domain and a second firewall and a second network address translator of the second domain to reach the second endpoint.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. A method according to claim 15, wherein the encrypted user credential information is encrypted according to a hash function or a public key encryption scheme.
  - 17. A method according to claim 15, further comprising:
    - accessing a local database configured to store organizational level credential information that relates to an organization that controls the first domain for verifying the organization is entitled to receive the communication services.
  - 18. A method according to claim 15, wherein the establishing step is performed as part of a managed communication service operated by a service provider.
  - 19. A method according to claim 18, wherein the service provider maintains a STUN (Simple Traversal of UDP (User Datagram Protocol)) server that is configured to determine information relating to the first firewall and the first network address translator and to transmit the information to the first endpoint.
  - 20. A method according to claim 15, wherein the proxy server submits an address request to an ENUM (Electronic Number) server that is configured to convert a telephone number corresponding to the second endpoint to a network address, the ENUM server being controlled by a service provider as part of a managed communication service.
  - 21. A method according to claim 15, wherein the first endpoint and the second endpoint are configured to establish the communication session according to a Session Initiation Protocol (SIP), a SIP-type protocol, or H.323.

22. An apparatus for providing communication services, the apparatus comprising:
- a communications interface configured to receive a request from a proxy server communicating with a first endpoint of a first domain for establishing a communication session with a second endpoint of a second domain, wherein the proxy server is configured to store encrypted user credential information including a password associated with a user associated with the first endpoint, the communication interface receiving the encrypted user credential information; and
  
  a processor coupled to the communications interface, the processor being configured to establish a tunnel to support the communication session if the encrypted user credential information is valid, the tunnel traversing a first firewall and a first network address translator of the first domain and a second firewall and a second network address translator of the second domain to reach the second endpoint.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. An apparatus according to claim 22, wherein the encrypted user credential information is encrypted according to a hash function or a public key encryption scheme.
  - 24. An apparatus according to claim 22, further comprising:
    - a database configured to store organizational level credential information that relates to an organization that controls the first domain for verifying the organization is entitled to receive the communication services.
  - 25. An apparatus according to claim 22, wherein the tunnel is established as part of a managed communication service operated by a service provider.
  - 26. An apparatus according to claim 25, wherein the service provider maintains a STUN (Simple Traversal of UDP (User Datagram Protocol)) server that is configured to determine information relating to the first firewall and the first network address translator and to transmit the information to the first endpoint.
  - 27. An apparatus according to claim 22, wherein the proxy server submits an address request to an ENUM (Electronic Number) server that is configured to convert a telephone number corresponding to the second endpoint to a network address, the ENUM server being controlled by a service provider as part of a managed communication service.
  - 28. An apparatus according to claim 22, wherein the first endpoint and the second endpoint are configured to establish the communication session according to a Session Initiation Protocol (SIP), a SIP-type protocol, or H.323.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
MCI Incorporated (Verizon Communications Inc.)
Inventors
Bae, Kiwan, Alt, Wade

Application Number

US11/323,513
Publication Number

US 20070022289A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless network architectu...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

H04L 9/3226   using a predetermined code,...

H04L 9/3271   using challenge-response

Method and system for providing secure credential storage to support interdomain traversal

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

388 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing secure credential storage to support interdomain traversal

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

388 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links