Mobile Virtual Private Networks
Abstract
An apparatus for establishing a virtual private network with an internet protocol multimedia subsystem (IMS) device that includes a key derivation module, a tunneling protocol module, a tunnel management module, and a security policies module. The apparatus includes a non-volatile memory configured to store a first routing table that maps host addresses and IMS addresses of security devices allowing access to those hosts, such that when an application running in the IMS device requests communication to a host address, the apparatus initiates a session with the IMS address to which the host address is mapped. The session is initiated by a message that includes a body that contains, for each tunneling protocol supported by the tunneling protocol module, data about the local tunnel endpoint (e.g., an address and a port), an identifier corresponding to the tunneling protocol, and identifiers corresponding to the cryptographic suite(s) supported by the cryptographic module that may be applied together with the tunneling protocol, as determined by a query from the apparatus to the security policies module.
42 Claims
1-21. (canceled)
22. An apparatus for an Internet Protocol Multimedia Subsystem (IMS) device, wherein the IMS device includes a key derivation module, a tunneling protocol module, a tunnel management module, a security policies module, and an IM Subscriber Identity Module (ISIM) application or a Universal Subscriber Identity Module (USIM) application;
the key derivation module obtains cryptographic keys for encryption and/or authentication of data packets by deriving the keys from the ISIM/USIM application;
the tunneling protocol module supports at least one tunneling protocol that enables at least two private networks to exchange data packets over a public network in such a way that the private networks appear to be one single network to hosts connected to them;
the tunneling protocol module supports at least one cryptographic suite that it can apply to incoming and outgoing data packets to encrypt/decrypt and/or authenticate the packets using keys provided by another module;
the tunnel management module supports dynamic establishment and release of secure tunnels to remote devices; and
the security policies module determines the at least one cryptographic suite to be used with each tunneling protocol supported by the tunneling protocol module;
the apparatus comprising: a non-volatile memory configured to store a first routing table that maps host addresses and IMS addresses of security devices allowing access to those hosts, such that when an application running in the IMS device requests communication to a host address, the apparatus initiates a Session Initiation Protocol (SIP) session establishment by sending a SIP INVITE request to the IMS address to which the host address is mapped; wherein the INVITE request includes a Session Description Protocol (SDP) body that contains, for each tunneling protocol supported by the tunneling protocol module, data about the local tunnel endpoint, an identifier corresponding to the tunneling protocol, and identifiers corresponding to the cryptographic suite(s) supported by the cryptographic module that may be applied together with the tunneling protocol, as determined by a query from the apparatus to the security policies module.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34.
35. A method of establishing an end-to-end transparent tunnel between a first private network and a second private network through a public network to form a virtual private network, comprising:
including in the first and second private networks a respective Internet Protocol Multimedia Subsystem (IMS) device having an IM Subscriber Identity Module (ISIM), each IMS device being configured with a set of cryptographic suites and able to exchange data blocks with respective hosts in the first and second private networks and to support a tunneling protocol;
registering and authenticating the IMS devices with respective IMS networks to which the respective ISIMs belong, and with respective IMS keys, thus establishing respective IMS secure tunnels between the IMS devices and the IMS networks;
receiving, at an originating IMS device from an originating host of the first private network, a request to submit data blocks towards a destination host identified by a network address of the second private network;
mapping the network address of the destination host into an IMS address of a destination IMS device of the second private network; and
negotiating and selecting a cryptographic suite between the originating IMS device and the destination IMS device from at least one cryptographic suite commonly supported by the originating and destination IMS devices, through respective IMS secure tunnels and IMS networks;
wherein negotiating and selecting includes:
deriving at the originating and destination IMS devices respective suite keys for the selected cryptographic suite from the IMS keys used with the respective IMS networks;
exchanging respective suite keys by the originating and destination IMS devices; and
establishing a secure tunnel between the originating and destination IMS devices through the public network by applying the exchanged suite keys with the selected cryptographic suite to data blocks exchanged by the originating and destination IMS devices.
Dependent claims: 36, 37, 38, 39, 40, 41, 42.
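As an added illustration that is not part of the patent text, the following Python models the steps claims 22 and 35 describe: the routing-table lookup from a host address to the security device's IMS address, the per-protocol offer carried in the INVITE's SDP body, the destination's selection of a commonly supported suite, and the derivation of suite keys from each device's IMS key. The routing table, policies, protocol and suite labels, endpoint and the HMAC-SHA256 key derivation are all constructed assumptions; the SDP wire encoding is not modelled.

```python
import hashlib, hmac, ipaddress

# Constructed sample data (not from the patent): the first routing table maps host prefixes
# to the IMS address of the security device that allows access to those hosts.
ROUTING_TABLE = {"10.2.0.0/16": "sip:gw-b@ims.example.net"}
# Constructed security policies: per tunneling protocol, the suites each device may apply,
# in preference order. Protocol and suite names are illustrative labels only.
POLICY_A = {"ipsec-esp": ["AES-256-GCM", "AES-128-CBC-HMAC-SHA256"], "l2tp": ["AES-128-CBC-HMAC-SHA256"]}
POLICY_B = {"ipsec-esp": ["AES-128-CBC-HMAC-SHA256", "NULL-HMAC-SHA1"]}

def lookup_ims_address(host_ip, table=ROUTING_TABLE):
    """Map a destination host address to the IMS address it is routed to, or None."""
    ip = ipaddress.ip_address(host_ip)
    for prefix, ims_address in table.items():
        if ip in ipaddress.ip_network(prefix):
            return ims_address
    return None

def build_offer(local_endpoint, policy):
    """Content of the INVITE's SDP body: for each supported tunneling protocol, the local
    tunnel endpoint, the protocol identifier and the suites the policy module allows."""
    return [{"proto": p, "endpoint": local_endpoint, "suites": list(s)} for p, s in policy.items()]

def select_suite(offer, policy):
    """Destination side: first offered (protocol, suite) pair also allowed by local policy."""
    for entry in offer:
        for suite in entry["suites"]:
            if suite in policy.get(entry["proto"], []):
                return entry["proto"], suite
    return None

def derive_suite_key(ims_key, suite, peer_ims_address):
    """Derive a suite key from the device's own IMS key. The page only says the suite keys
    are derived from the IMS keys; the HMAC-SHA256 construction here is an assumption."""
    return hmac.new(ims_key, f"{suite}|{peer_ims_address}".encode(), hashlib.sha256).digest()

def establish_tunnel(host_ip, a_ims, a_key, a_policy, a_endpoint, b_key, b_policy):
    """Originating device A invites the security device mapped to host_ip; B answers with the
    selected suite; both derive suite keys from their IMS keys and exchange them."""
    b_ims = lookup_ims_address(host_ip)
    if b_ims is None:
        return None  # host not covered by the routing table: no INVITE is sent
    answer = select_suite(build_offer(a_endpoint, a_policy), b_policy)
    if answer is None:
        return None  # no commonly supported suite: no tunnel can be established
    proto, suite = answer
    return {"peer": b_ims, "proto": proto, "suite": suite,
            "key_a": derive_suite_key(a_key, suite, b_ims),
            "key_b": derive_suite_key(b_key, suite, a_ims)}
```

The exchange of the derived suite keys between the two devices (over their IMS secure tunnels) is represented only by both keys appearing in the returned record.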
Specification