DEVICE AUTHENTICATION AND SECURE CHANNEL MANAGEMENT FOR PEER-TO-PEER INITIATED COMMUNICATIONS

US 20080235511A1
Filed: 12/20/2007
Published: 09/25/2008
Est. Priority Date: 12/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a secure communication channel between devices in an Internet Protocol (IP) network, comprising:

in session established in accordance with a peer-to-peer signaling protocol, providing a private key to an authenticated device; and

in a further session established in accordance with the peer-to-peer signaling protocol, providing a complimentary public key to an authenticated client requesting secure access to the device, the private key and complimentary public key permitting a key exchange between the authenticated device and the authenticated client, to establish the secure communication channel therebetween.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for providing secure access to a device initiating communications using a peer-to-peer signaling protocol, such as a SIP or H.323. In a device registration phase, the device contacts a secure access server, and authenticates to the secure access server by providing an identification, such as its factory ID. The secure access server then issues a device ID and private key to the authenticated device. A client can then initiate a further communication session and be authenticated by the secure access server. The secure access server returns the device identification and the device'"'"'s public key to the client. The client and device can then perform a symmetrical key exchange for their current communication session, and can communicate with appropriate encryption. The device'"'"'s private key can be set to expire after one or more uses.

349 Citations

49 Claims

1. A method of establishing a secure communication channel between devices in an Internet Protocol (IP) network, comprising:
- in session established in accordance with a peer-to-peer signaling protocol, providing a private key to an authenticated device; and
  
  in a further session established in accordance with the peer-to-peer signaling protocol, providing a complimentary public key to an authenticated client requesting secure access to the device, the private key and complimentary public key permitting a key exchange between the authenticated device and the authenticated client, to establish the secure communication channel therebetween.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the peer-to-peer signaling protocol is Session Initiation Protocol (SIP).
  - 3. The method of claim 1, wherein the peer-to-peer signaling protocol is H.323.
  - 4. The method of claim 1, further comprising generating the private key and the complimentary public key.
  - 5. The method of claim 4, wherein generating the private key and the complimentary public key comprises generating asymmetric private and public keys.
  - 6. The method of claim 1, further comprising authenticating a device to provide the authenticated device.
  - 7. The method of claim 1, further comprising authenticating a client to provide the authenticated client.
  - 8. The method of claim 1, wherein permitting the key exchange comprises permitting a symmetric key exchange between the authenticated device and the authenticated client.
  - 9. The method of claim 1, wherein permitting the key exchange comprises permitting a symmetric key exchange to establish an Advanced Encryption Standard (AES) tunnel.
  - 10. The method of claim 1, further comprising providing a new private key to the authenticated device upon expiry of the private key.
  - 11. The method of claim 10, wherein expiry of the private key occurs at the end of the further session.
  - 12. The method of claim 10, wherein expiry of the private key occurs periodically.
  - 13. The method of claim 1, wherein permitting the key exchange between the authenticated device and the authenticated client comprises permitting a key exchange between the authenticated device and the authenticated client, to establish a high-bandwidth secure communication channel therebetween.

14. A method of securely accessing a device in a communication session established according to a peer-to-peer signaling protocol, comprising:
- initiating a communication session with a secure access server in accordance with the peer-to-peer signaling protocol;
  
  authenticating to the secure access server;
  
  retrieving a public key for the device from the secure access server;
  
  initiating a further communication session with the device in accordance with a peer-to-peer signaling protocol; and
  
  performing a key exchange with the device using the public key to establish a secure communication channel with the device.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The method of claim 14, wherein the peer-to-peer signaling protocol is SIP.
  - 16. The method of claim 14, wherein the peer-to-peer signaling protocol is H.323.
  - 17. The method of claim 14, wherein authenticating to the secure access server comprises providing an encrypted user identification and device identification to the secure access server.
  - 18. The method of claim 14, wherein providing the encrypted user identification and SIP device identification to the secure access server comprises encrypting the user identification and device identification with a public key associated to the secure access server.
  - 19. The method of claim 14, wherein performing the key exchange with the device comprises performing a symmetric key exchange.
  - 20. The method of claim 19, wherein performing the symmetric key exchange comprises establishing an AES tunnel.
  - 21. The method of claim 19, wherein performing the symmetric key exchange comprises establishing a high-bandwidth communication tunnel.
  - 22. The method of claim 14, wherein performing the key exchange comprises performing a key exchange with the device using the public key to establish a high-bandwidth secure communication channel with the device.

23. A method for providing authentication of, and secure communication between, devices communicating over an IP network according to a peer-to-peer signaling protocol, comprising:
- authenticating a device agent and providing it with a private key;
  
  authenticating a client agent and providing it with a public key, complimentary to the private key; and
  
  in a communication session established between the client agent and the device agent according to the peer-to-peer signaling protocol, performing an encrypted key exchange to establish a secure tunnel therebetween.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 24. The method of claim 23, wherein the peer-to-peer signaling protocol is SIP.
  - 25. The method of claim 23, wherein the peer-to-peer signaling protocol is H.323.
  - 26. The method of claim 24, wherein authenticating the device agent comprises:
    - establishing a communication session between the device agent and a secure access server, in accordance with the peer-to-peer signaling protocol;
      
      performing a symmetric key exchange to provide a symmetric key to the device agent and the secure access server;
      
      authenticating the device agent on receipt of a device identification encrypted with the symmetric key; and
      
      generating private and public keys in response to successful authentication of the device agent; and
      
      providing the private key, encrypted in accordance with the symmetric key, to the device agent.
  - 27. The method of claim 23, further comprising re-authenticating the device agent and providing it with a new private key upon expiry of the private key.
  - 28. The method of claim 27, wherein expiry of the private key occurs at the end of the SIP session established between the device agent and the client agent.
  - 29. The method of claim 27, wherein expiry of the private key occurs periodically.
  - 30. The method of claim 26, wherein authenticating the client agent comprises:
    - establishing, according to the peer-to-peer signaling protocol, a communication session between the client agent and a secure access server;
      
      authenticating the client agent on receipt of a user identification and a device identification encrypted with a public key associated to the secure access server; and
      
      providing the public key, encrypted with a client public key, to the client agent.
  - 31. The method of claim 23, wherein performing the encrypted key exchange comprises performing a symmetric key exchange.
  - 32. The method of claim 31, wherein performing the symmetric key exchange comprises establishing an AES tunnel.

33. A system for providing secure communication between devices initiating communication over an IP network according to a peer-to-peer signaling protocol, comprising:
- a secure access server communicating with the devices via a server connected to the IP network, the secure access server having an authenticator to authenticate the devices and a key generation module to generate complimentary asymmetric public and private keys in response to authentication of a device agent to the secure access server and to provide the private key to the device agent; and
  
  a client agent authenticated to, and provided with the public key by, the secure access server, the client agent for initiating a communication session with the device agent in accordance with the peer-to-peer signaling protocol, and, using the public key, performing a further key exchange therewith to establish a secure communication tunnel.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40)
- - 34. The system of claim 33, wherein the secure access server is encompassed within an authentication system.
  - 35. The system of claim 34, wherein the authentication system is encompassed within an authentication, authorization and accounting (AAA) server.
  - 36. The system of claim 33, wherein the further key exchange comprises a symmetric key exchange.
  - 37. The system of claim 33, wherein the secure communication tunnel is an AES tunnel.
  - 38. The system of claim 33, wherein devices are SIP-based devices and the peer-to-peer signaling protocol is SIP.
  - 39. The system of claim 33, wherein the devices are H.323-based devices and the peer-to-peer signaling protocol is H.323.
  - 40. The system of claim 33, wherein the secure communication tunnel is a high-bandwidth secure communication tunnel.

41. A system for authenticating devices and establishing a secure communication tunnel between them, comprising:
- a server in communication with a public Internet Protocol (IP) network;
  
  a secure access server in communication with the server;
  
  a device agent, in communication with the server according to a peer-to-peer signaling protocol, to authenticate itself to the secure access server and to receive a private key from the secure access server; and
  
  a client agent, in communication with the server according to the peer-to-peer signaling protocol, to authenticate itself to the secure access server, to receive a complimentary public key from the secure access server, and, using the public key, performing a further key exchange with the device agent to establish a secure communication tunnel.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49)
- - 42. The system of claim 41, wherein the secure access server is encompassed within an authentication system.
  - 43. The system of claim 42, wherein the authentication system is encompassed within an authentication, authorization and accounting (AAA) server.
  - 44. The system of claim 41, wherein the secure access server comprises an authenticator to authenticate the device agent and the client agent, and a key generation module to generate the private and public keys.
  - 45. The system of claim 41, wherein the further key exchange comprises a symmetric key exchange.
  - 46. The system of claim 45, wherein the secure communication tunnel is an AES tunnel.
  - 47. The system of claim 41, wherein the peer-to-peer signaling protocol is SIP.
  - 48. The system of claim 41, wherein the peer-to-peer signaling protocol is H.323.
  - 49. The system of claim 41, wherein the secure communication tunnel is a high-bandwidth secure communication tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BCE Incorporated
Original Assignee
BCE Incorporated
Inventors
O'Brien, William G., YEAP, Tet Hin, LOU, Dafu

Granted Patent

US 9,755,825 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 65/1069   Session establishment or de...

H04L 65/1073   Registration or de-registra...

H04L 9/0844   with user authentication or...

DEVICE AUTHENTICATION AND SECURE CHANNEL MANAGEMENT FOR PEER-TO-PEER INITIATED COMMUNICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

349 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

DEVICE AUTHENTICATION AND SECURE CHANNEL MANAGEMENT FOR PEER-TO-PEER INITIATED COMMUNICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

349 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links