METHOD FOR AUTHENTICATING KEY INFORMATION BETWEEN TERMINALS OF A COMMUNICATION LINK
First Claim
1. Method for authenticating a piece of key information between a first terminal and a second terminal of a planned communication connection according to the Session Initiation Protocol (SIP), comprising:
authenticating a piece of transmitted key information for at least one certificate signed by a first terminal or second terminal using a key management protocol;
inserting at least one fingerprint of a certificate signed by said first terminal or said second terminal in the body of an SIP message;
inserting into a header of the SIP message date information, certificate reference information, and identity information for the terminal signing the certificate;
copying the identity information from an area of the header or the body; and
generating a signature from the fingerprint, the date information, and the copied identity information and inserting said signature into a different area of the header of the SIP message.
Abstract
With the help of a key management protocol, the transmitted key information (si) is authenticated by at least one certificate signed by the terminals (A, B), and at least one fingerprint (fp) of the public keys or certificates used for authenticating the key information (si) is added to the body (useful part) of an SIP message (INVITE). The identity information (idi) present in the header (SIPH) of the SIP message is additionally copied into a region of the header (SIPH) or of the body (B), and a signature (S) is produced over the fingerprint (fp), the date information (di) present in the header (SIPH) of the SIP message, the copied identity information (idi′) and optionally the certificate reference information (hz), and is inserted into a further region of the header (SIPH) of the SIP message (INVITE). Advantageously, the additional signature produced and inserted according to the invention remains unaffected by transmission across several networks of different network operators, so that the transmitted key information is uniquely authenticated. Accordingly, with the method according to the invention, attacks on the security of the authentication in the networks of the different network operators can be avoided.
22 Claims
1. Method for authenticating a piece of key information between a first terminal and a second terminal of a planned communication connection according to the Session Initiation Protocol (SIP), comprising:
authenticating a piece of transmitted key information for at least one certificate signed by a first terminal or second terminal using a key management protocol;
inserting at least one fingerprint of a certificate signed by said first terminal or said second terminal in the body of an SIP message;
inserting into a header of the SIP message date information, certificate reference information, and identity information for the terminal signing the certificate;
copying the identity information from an area of the header or the body; and
generating a signature from the fingerprint, the date information, and the copied identity information and inserting said signature into a different area of the header of the SIP message.
View Dependent Claims (2, 3, 5, 6, 7, 8, 9, 11, 12)

4. (canceled)

10. (canceled)

13. A method for transmitting a message from a first terminal device to a second terminal device comprising:
the first terminal device creating a first message for transmission to the second terminal, the first message having a header and a body, the first message created by a process comprising: deriving at least one fingerprint from at least one of a public key and a certificate of the first terminal, inserting the at least one fingerprint into the body of the message to authenticate the at least one of the public key and the certificate, and inserting a piece of identification information and a piece of date information into the header of the first message;
copying and inserting the piece of the identification information into the first message;
a server entering a piece of reference information into the header of the first message;
generating a signature using the copied piece of identification information, the piece of the reference information, and the fingerprint inserted into the body of the first message;
inserting the signature into the header of the first message; and
forwarding the first message toward the second terminal device.
View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)

22. A system comprising:
a first terminal;
a server in communication with the first terminal;
the first terminal device creating a first message for transmission to a second terminal, the first message having a header and a body, the first message created by a process comprising: deriving at least one fingerprint from at least one of a public key and a certificate of the first terminal, inserting the at least one fingerprint into the body of the message to authenticate the at least one of the public key and the certificate, and inserting a piece of identification information and a piece of date information into the header of the first message;
the server or the first terminal copying and inserting the piece of the identification information into the first message;
the server entering a piece of reference information into the header of the first message;
the server generating a signature using the copied piece of identification information, the piece of the reference information, and the fingerprint inserted into the body of the first message;
the server inserting the signature into the header of the first message; and
the server forwarding the first message toward the second terminal device.
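As an added illustration (not code from the patent or its assignee), the following Go program models the message flow of the abstract and of claims 13 and 22: the terminal places the certificate fingerprint in the body, the server copies the identity, enters reference information and signs over fingerprint, date, copied identity and reference information, and the receiving terminal checks all of it. The header and body field names, the SHA-256 fingerprint, the Ed25519 server signature and the "|"-joined signing input are assumptions; the patent specifies none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)

// sipMessage is a constructed stand-in for an SIP INVITE with hypothetical field names.
type sipMessage struct {
	Header map[string]string // From (idi), Date (di), Ref (hz), Identity-Copy (idi'), Signature (S)
	Body   map[string]string // key-management payload (si) and the fingerprint (fp)
}

// fingerprint derives fp from the terminal's certificate or public-key bytes (assumed SHA-256).
func fingerprint(cert []byte) string {
	sum := sha256.Sum256(cert)
	return hex.EncodeToString(sum[:])
}

// signedInput is the byte string S covers: fp, di, idi' and hz in a fixed, assumed order.
func signedInput(fp, date, idCopy, ref string) []byte {
	return []byte(fp + "|" + date + "|" + idCopy + "|" + ref)
}

// buildInvite follows claim 13: the terminal places fp in the body and identity/date in the
// header; the server copies the identity, enters reference info, signs and inserts S.
func buildInvite(cert []byte, identity, date, ref, keyInfo string, serverKey ed25519.PrivateKey) sipMessage {
	fp := fingerprint(cert)
	m := sipMessage{Header: map[string]string{"From": identity, "Date": date}, Body: map[string]string{"si": keyInfo, "fp": fp}}
	m.Header["Identity-Copy"] = m.Header["From"] // idi' copied from the header area
	m.Header["Ref"] = ref                          // hz entered by the server
	sig := ed25519.Sign(serverKey, signedInput(fp, date, m.Header["Identity-Copy"], ref))
	m.Header["Signature"] = hex.EncodeToString(sig) // S goes into a further header region
	return m
}

// verifyInvite is the receiving terminal's check: fp in the body must match the certificate
// obtained via key management, idi' must equal From, and S must verify over exactly the
// signed fields, so a certificate, fingerprint or identity swapped in transit fails the check.
func verifyInvite(m sipMessage, cert []byte, serverPub ed25519.PublicKey) bool {
	sig, err := hex.DecodeString(m.Header["Signature"])
	if err != nil || m.Header["Identity-Copy"] != m.Header["From"] || m.Body["fp"] != fingerprint(cert) {
		return false
	}
	return ed25519.Verify(serverPub, signedInput(m.Body["fp"], m.Header["Date"], m.Header["Identity-Copy"], m.Header["Ref"]), sig)
}
```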