METHODS AND SYSTEMS FOR END-TO-END SECURE SIP PAYLOADS

US 20110131414A1
Filed: 11/30/2009
Published: 06/02/2011
Est. Priority Date: 11/30/2009
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a Session Initiation Protocol (SIP) message payload transmitted between a target SIP application server toward a client application residing in one of a user equipment (UE) or in another SIP application server comprising:

determining whether said target SIP application server is associated with said client application'"'"'s domain or with another domain which is different than said client application'"'"'s domain;

if said target SIP application server is associated with said client application'"'"'s domain and if said client application resides in said UE, then protecting said SIP message payload using a Generic Bootstrapping Architecture (GBA) key management protocol between said client application residing in said UE and said target SIP application server; and

if said target SIP application server is associated with said another domain or if said client application resides in said another SIP application server, then protecting said SIP message payload using a hop-by-hop key management protocol between said client application and said target SIP application server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and communication nodes for protecting Session Initiation Protocol (SIP) message payloads are described. Different protection techniques can be used to protect SIP payloads depending upon, for example, whether a recipient client application resides in a user equipment or an application server and/or whether a recipient client application resides in a same SIP/IP domain as the target SIP application server which is sending the SIP payloads.

Citations

17 Claims

1. A method for protecting a Session Initiation Protocol (SIP) message payload transmitted between a target SIP application server toward a client application residing in one of a user equipment (UE) or in another SIP application server comprising:
- determining whether said target SIP application server is associated with said client application'"'"'s domain or with another domain which is different than said client application'"'"'s domain;
  
  if said target SIP application server is associated with said client application'"'"'s domain and if said client application resides in said UE, then protecting said SIP message payload using a Generic Bootstrapping Architecture (GBA) key management protocol between said client application residing in said UE and said target SIP application server; and
  
  if said target SIP application server is associated with said another domain or if said client application resides in said another SIP application server, then protecting said SIP message payload using a hop-by-hop key management protocol between said client application and said target SIP application server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein if said target SIP application server is associated with said another domain, then protecting said SIP message payload using a hop-by-hop key management protocol by:
    - applying said GBA key management protocol for protection of the SIP message payload between the user equipment and an intermediate SIP application server which is operating as a SIP router and which is located in said user equipment'"'"'s domain;
      
      orapplying public key infrastructure (PKI) key protection of the SIP message payload between the application client in a separate SIP application server and the target SIP application server; and
      
      applying public key infrastructure (PKI) key protection for protection of the SIP message payload between the intermediate SIP application server and the target SIP application server.
  - 3. The method of claim 1, wherein said step of applying said GBA key management protocol further comprises:
    - deriving each protection key on a per-subscribed-client basis, wherein a plurality of client applications subscribed to the target SIP application server will receive updates for said target SIP application server using first and second keys which are different from one another.
  - 4. The method of claim 3, further comprising the step of:
    - generating said protection key at said user equipment by said client application; and
      
      using said generated protection key to decrypt subsequently received updates from said target SIP server.
  - 5. The method of claim 1, wherein said step of applying said GBA key management protocol further comprises:
    - deriving each protection key on a per-target basis, wherein a plurality of subscribed clients subscribed to the target SIP application will receive protected SIP message payload updates for said target SIP application using for protection first and second keys which are the same.
  - 6. The method of claim 5, further comprising the step of:
    - generating said protection key at said target SIP application server;
      
      sending said protection key to said client application using GBA or PKI; and
      
      using said generated payload protection key to decrypt subsequently received updates from said target SIP server.
  - 7. The method of claim 2, further comprising:
    - receiving, at said intermediate SIP application server, a payload protection key from said target SIP application server;
      
      encrypting and forwarding said payload protection key using PKI or GBA to said client application; and
      
      using said payload protection key, by said client application, to decrypt subsequently received updates from said target SIP application server.

8. An intermediate SIP server for routing SIP messages from a target SIP application server located in a first SIP/IP domain to a client application located in a second SIP/IP domain comprising:
- an interface for receiving a first SIP message directed to said client application, said message including an encrypted SIP payload protection key from said target SIP application server; and
  
  a processor for decrypting said encrypted SIP payload protection key with a secret key associated with said intermediate SIP server, re-encrypting said decrypted SIP payload protection key using a public key infrastructure (PKI) technique if said client application resides in an application server or a Generic Bootstrapping Architecture (GBA) technique if said client application resides in a user equipment, and transmitting said re-encrypted SIP payload protection key toward said application client.

9. The intermediate SIP server of claim 9, wherein said processor is further configured to verify a signature associated with said encrypted SIP payload protection key.

10. A target SIP application server which transmits SIP payloads toward application clients comprising:
- an interface for receiving SIP messages requesting updates from said target SIP application server; and
  
  a processor for generating and transmitting protected SIP payloads for transmission to client applications in response to said SIP messages,wherein said processor protects said SIP payloads using one of;
  
  a public key infrastructure (PKI) technique for SIP payloads to be transmitted toward client applications which reside in an application server; and
  
  a Generic Bootstrapping Architecture (GBA) technique for SIP payloads to be transmitted toward client applications which reside in a user equipment.
- View Dependent Claims (11, 12, 13, 17)
- - 11. The target SIP server of claim 10, wherein said processor protects SIP payloads to be transmitted toward said client applications which reside in user equipment using said GBA technique only if said user equipment is disposed in a same SIP/IP domain as said target SIP application server.
  - 12. The target SIP server of claim 10, wherein said processor uses said GBA technique to protect said SIP payloads by deriving each protection key on a per-subscribed-client basis, wherein a plurality of client applications subscribed to the target SIP application server will receive updates for said target SIP application server using first and second keys which are different from one another.
  - 13. The target SIP server of claim 10, wherein said processor uses said GBA technique to protect said SIP payloads by deriving each protection key on a per-target basis, wherein a plurality of subscribed clients subscribed to the target SIP application will receive protected SIP message payload updates for said target SIP application using for protection first and second keys which are the same.
  - 17. The method of claim 10, wherein said step of protecting further comprises using said GBA technique to protect said SIP payloads by deriving each protection key on a per-target basis, wherein a plurality of subscribed clients subscribed to the target SIP application will receive protected SIP message payload updates for said target SIP application using for protection first and second keys which are the same.

14. A method for protecting SIP payload data comprising:
- receiving SIP messages requesting updates from a target SIP application server;
  
  protecting SIP payload data using one of;
  
  a public key infrastructure (PKI) technique for SIP payloads to be transmitted toward client applications which reside in an application server; and
  
  a Generic Bootstrapping Architecture (GBA) technique for SIP payloads to be transmitted toward client applications which reside in a user equipment; and
  
  generating and transmitting said protected SIP payloads for transmission to client applications in response to said SIP messages.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, wherein said step of protecting protects SIP payloads to be transmitted toward said client applications which reside in user equipment using said GBA technique only if said user equipment is disposed in a same SIP/IP domain as said target SIP application server.
  - 16. The method of claim 14, wherein step of protecting further comprises using said GBA technique to protect said SIP payloads by deriving each protection key on a per-subscribed-client basis, wherein a plurality of client applications subscribed to the target SIP application server will receive updates for said target SIP application server using first and second keys which are different from one another.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Busin, Åke, Barriga, Luis, Cheng, Yi

Granted Patent

US 8,935,529 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/170
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 63/168   above the transport layer

METHODS AND SYSTEMS FOR END-TO-END SECURE SIP PAYLOADS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR END-TO-END SECURE SIP PAYLOADS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links