METHOD FOR AUTHENTICATING KEY INFORMATION BETWEEN TERMINALS OF A COMMUNICATION LINK

US 20110289319A1
Filed: 01/07/2008
Published: 11/24/2011
Est. Priority Date: 01/07/2008
Status: Active Grant

First Claim

Patent Images

1. Method for authenticating a piece of key information between a first terminal and a second terminal of a planned communication connection according to the Session Initial Protocol (SIP), comprising:

authenticating a piece of transmitted key information for at least one certificate signed by a first terminal or second terminal using a key management protocol;

inserting at least one fingerprint of a certificate signed by said first terminal or said second terminal in the body of an SIP message;

inserting into a header of the SIP message date information certificate reference information, and identity information for the terminal signing the certificate;

copying the identity information from an area of the header or the body; and

generating a signature from the fingerprint, the date information, and the copied identity information and inserting said signature into a different area of the header of the SIP message.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

With the help of a key management protocol, the transmitted key information (si) is authenticated by at least one certificate signed by the terminals (A, B), and at least one fingerprint (fp) of the public keys or certificate, which were used for authenticating the key information (si), is added to the useful part of an SIP message (INVITE). The identity information (idi) present in the header (SIPH) of an SIP message is additionally copied into a region of the header (SIPH) or the useful part (B), and a signature (S) is produced by way of the fingerprint (fp), the datum information (di) presented in the header (SIPH) of an SIP message, the copied identity information (idi′), and optionally the certificate reference information (hz), and is inserted into a further region of the header (SIPH) of the SIP message (INVITE). Advantageously, the additional signature that is produced and inserted according to the invention also remains uninfluenced during a transmission across several networks of different network operators, thereby achieving unique authentication of the transmitted key information. With the method according to the invention, accordingly attacks on the security of the authentication in the networks of the different network operators can be avoided.

40 Citations

View as Search Results

22 Claims

1. Method for authenticating a piece of key information between a first terminal and a second terminal of a planned communication connection according to the Session Initial Protocol (SIP), comprising:
- authenticating a piece of transmitted key information for at least one certificate signed by a first terminal or second terminal using a key management protocol;
  
  inserting at least one fingerprint of a certificate signed by said first terminal or said second terminal in the body of an SIP message;
  
  inserting into a header of the SIP message date information certificate reference information, and identity information for the terminal signing the certificate;
  
  copying the identity information from an area of the header or the body; and
  
  generating a signature from the fingerprint, the date information, and the copied identity information and inserting said signature into a different area of the header of the SIP message.
- View Dependent Claims (2, 3, 5, 6, 7, 8, 9, 11, 12)
- - 2. The method of claim 1, comprising including certification reference information when generating the signature.
  - 3. The method of claim 1, comprising at least one additional piece of existing authentication-related information in the SIP message when generating the signature.
  - 5. The method of claim 1, comprising inserting the identity information, the date information, and the certificate reference information in predetermined fields of the header of the SIP message, and inserting the fingerprint in a predetermined field of the body of the SIP message, wherein at least the parts of the predetermined fields that contain this information are used in generating the signature.
  - 6. The method of claim 1, wherein the certificate reference information contains a reference placing the certificate in the domain in which the SIP message is generated.
  - 7. The method of claim 6, wherein the certificate reference information is represented by a member of the group consisting of an Internet link and a URI address.
  - 8. The method of claim 1, wherein the SIP message is generated in said first terminal or said second terminal, and the actions of copying the identity information from an area of the header, inserting the certificate reference information, generating the signature, and inserting it in another area of the header are performed in the domain where the terminal generating the SIP message is located.
  - 9. The method of claim 1, comprising inserting the copied identity information and the signature into additional areas of the header for the SIP message.
  - 11. The method of claim 1, wherein at least one of said first terminal and said second terminal is a terminal device with one of an Internet protocol, a gateway, or a server, and wherein the domain is a member of the group consisting of a VoIP switch, a session border controller—
    - and a VoIP-SIP proxy.
  - 12. A terminal and proxy for executing the method of claim 1.

4. (canceled)

10. (canceled)

13. A method for transmitting a message from a first terminal device to a second terminal device comprising:
- the first terminal device creating a first message for transmission to the second terminal, the first message having a header and a body, the first message created by a process comprising;
  
  deriving at least one fingerprint from at least one of a public key and a certificate of the first terminal,inserting the at least one fingerprint into the body of the message to authenticate the at least one of the public key and the certificate, andinserting a piece of identification information and a piece of date information into the header of the first message;
  
  copying and inserting the piece of the identification information into the first message;
  
  a server entering a piece of reference information into the header of the first message;
  
  generating a signature using the copied piece of identification information, the piece of the reference information, and the fingerprint inserted into the body of the first message;
  
  inserting the signature into the header of the first message; and
  
  forwarding the first message toward the second terminal device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13 wherein the signature is generated by also using a piece of private key information and a hash value derived from the date information.
  - 15. The method of claim 13 wherein the signature is generated by also using signature information managed by the server and a hash value derived from the date information.
  - 16. The method of claim 13 wherein the copied identification information is copied and inserted by the first terminal or by the server.
  - 17. The method of claim 13 wherein the fingerprint is inserted into a Session Description Protocol (SDP) field of the body of the first message.
  - 18. The method of claim 13 wherein the piece of the reference information indicates a network address at which a domain certificate is stored or is accessible.
  - 19. The method of claim 13 wherein the server is a first server and the method further comprises a second server receiving the first message and testing the signature to authenticate the first message.
  - 20. The method of claim 19 further comprising a second terminal sending an answering message in response to the first message.
  - 21. A system for executing the method of claim 13.

22. A system comprising:
- a first terminal;
  
  a server in communication with the first terminal;
  
  the first terminal device creating a first message for transmission to a second terminal, the first message having a header and a body, the first message created by a process comprising;
  
  deriving at least one fingerprint from at least one of a public key and a certificate of the first terminal,inserting the at least one fingerprint into the body of the message to authenticate the at least one of the public key and the certificate, andinserting a piece of identification information and a piece of date information into the header of the first message;
  
  the server or the first terminal copying and inserting the piece of the identification information into the first message;
  
  the server entering a piece of reference information into the header of the first message;
  
  the server generating a signature using the copied piece of identification information, the piece of the reference information, and the fingerprint inserted into the body of the first message;
  
  the server inserting the signature into the header of the first message; and
  
  the server forwarding the first message toward the second terminal device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unify Patente GmbH & Co. KG (Atos Se)
Original Assignee
Unify Patente GmbH & Co. KG (Atos Se)
Inventors
Elwell, John, Fischer, Kai

Granted Patent

US 8,745,400 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

H04L 65/1104   Session initiation protocol...

H04L 9/3247   involving digital signatures

METHOD FOR AUTHENTICATING KEY INFORMATION BETWEEN TERMINALS OF A COMMUNICATION LINK

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR AUTHENTICATING KEY INFORMATION BETWEEN TERMINALS OF A COMMUNICATION LINK

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links