Dual-tier security architecture for inter-domain environments
Abstract
A two-tier security architecture that balances the use of public- and secret-key cryptography to realize cost-effectiveness and scalability of security. One tier is an intra-zone tier and the other is an inter-zone tier. The intra-zone tier addresses communication between users employing endpoints within a prescribed Security Zone and is designed for cost-effectiveness. The inter-zone tier specifies how communication between users employing endpoints in different Security Zones is established and is designed to provide scalability for intra-enterprise and/or inter-enterprise communications. Specifically, each Security Zone has a “Zone Keeper” and one or more endpoints that may be employed by users. The Zone Keeper authenticates, i.e., validates, users employing an endpoint in the Security Zone and determines whether a caller and a callee are security compatible. When setting up a communication, the caller provides the Zone Keeper security information in order to prove its identity. The callee supplies to the caller information confirming its identity. A proposal on how the communication is to be set up is sent from the caller to the callee, and if they agree to the proposal and their security is authenticated, the communication is started. For inter-zone (inter-domain) communications, the caller provides information as described above to its Zone Keeper. The caller's Zone Keeper then forwards the caller's request to the Zone Keeper of the Security Zone associated with the callee. Additionally, the caller's Zone Keeper supplies the callee's Zone Keeper with its security identity so that the callee's Zone Keeper may authenticate that the request is from the caller's Zone Keeper. The callee's Zone Keeper then sends back an authorization to the caller's Zone Keeper. This authorization includes the callee's Zone Keeper's security identity so that the caller's Zone Keeper can authenticate that the authorization is from the callee's Zone Keeper.
46 Claims
1. A method for establishing a secure communication between users employing endpoints in a system including one or more security zones, each security zone including one or more of said endpoints and a Zone Keeper, wherein at least one of said users is a caller utilizing a first endpoint in one of said one or more security zones and at least another one of said users is a callee utilizing a second endpoint in one of said one or more security zones, the method including the steps of:
said caller sending a communication request message including a communication request for establishing a secure multimedia communication including security information identifying said caller, via said first endpoint to a first one of said Zone Keepers associated with a security zone including said first endpoint;
said first Zone Keeper authenticating the identity of said caller, and if said caller identity is authenticated, authorizing said caller's communication request;
said first Zone Keeper determining whether said requested secure communication is an intra-zone or an inter-zone communication;
if said requested communication is an intra-zone communication both said first and second endpoints are in the same security zone, said first Zone Keeper in conjunction with said first and second endpoints in said first security zone establishing said secure communication between said caller and said callee;
if said requested communication is an inter-zone communication said first and second endpoints are in first and second security zones, respectively, said first Zone Keeper sending said request message to said second Zone Keeper associated with said second security zone; and
establishing said secure inter-zone communication utilizing said first Zone Keeper, said first endpoint in said first security zone, said second Zone Keeper and said second endpoint in said second security zone.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40
41. A method for establishing a secure communication between users employing endpoints in a system including one or more security zones, each security zone including one or more of said endpoints and a Zone Keeper, wherein at least one of said users is a caller utilizing a first endpoint in one of said one or more security zones and at least another one of said users is a callee utilizing a second endpoint in one of said one or more security zones, the method including the steps of:
said caller sending a communication request message including a communication request for establishing a secure multimedia communication including security information identifying said caller, via said first endpoint to a first one of said Zone Keepers associated with a security zone including said first endpoint;
said first Zone Keeper authenticating the identity of said caller, and if said caller identity is authenticated, authorizing said caller's communication request;
said first Zone Keeper determining whether said endpoint being used by said callee is in said first security zone or in a second one of said security zones;
if it is determined that said second endpoint is in said second security zone, said first Zone Keeper forwarding said communication request message to a second Zone Keeper associated with said second security zone;
said second Zone Keeper authenticating that the communication request message is from said first Zone Keeper;
said second Zone Keeper sending an authorization message including an authorization of said caller communication request to said first Zone Keeper, said authorization message including security information identifying said second Zone Keeper and security information identifying said callee;
said first Zone Keeper authenticating the authorization in said authorization message sent by said second Zone Keeper;
if said authorization in said authorization message is authenticated, said first Zone Keeper sending said authorization message to said caller via said first endpoint;
said caller sending, via said associated one of said endpoints, a connection request message including a communication proposal for establishing a secure multimedia communication connection with said callee, via said second endpoint;
said callee authenticating said authorization and said communication proposal;
said callee sending, via said second endpoint, to said caller via said first endpoint, an acceptance message indicating that callee accepts the communication proposal, said message including security information identifying said callee;
said caller authenticating the identity of said callee; and
if said caller authenticates said identity of said callee, establishing said caller and said callee communication through said first and second endpoints, wherein a secure multimedia communication is established.
Dependent claims: 42, 43, 44, 45, 46
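The exchange that the abstract and claims 1 and 41 describe, as an added runnable model; this is example code, not the patent's own or any product's implementation. Its assumptions are ours: each endpoint shares a long-term secret with its Zone Keeper, Zone Keepers share a pairwise key that stands in for whatever the inter-zone tier uses (the page does not say which tier uses public-key and which secret-key cryptography, so HMAC is used throughout), the callee's Zone Keeper issues a per-call session key Kerberos-style so that the callee can prove its identity to the caller and the proposal and acceptance can be authenticated, and an HMAC-derived XOR pad stands in for an AEAD. The endpoint names (alice, bob, carol), keeper names (ZK-A, ZK-B), message fields and the "SRTP audio/video" proposal are all constructed.

```python
# Added example, not the patent's code: a runnable model of the two-tier call set-up.
import hashlib, hmac, json, os
DIRECTORY = {"alice": "ZK-A", "carol": "ZK-A", "bob": "ZK-B"}  # endpoint -> zone (constructed)

def tag(key, *fields):
    # MAC over a length-delimited encoding so a forger cannot re-split the fields
    return hmac.new(key, json.dumps(list(fields)).encode(), hashlib.sha256).hexdigest()

def tag_ok(key, t, *fields):
    return hmac.compare_digest(tag(key, *fields), t)

def xor_pad(key, nonce, data):
    # AEAD stand-in (stdlib has no AES): HMAC one-time pad per call nonce, integrity from the enclosing tag
    pad = hmac.new(key, b"wrap:" + nonce.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class ZoneKeeper:
    def __init__(self, name):
        self.name, self.endpoint_keys, self.peer_keys, self.seen = name, {}, {}, set()

    def _fresh(self, nonce):                    # replay check on the per-call nonce
        if nonce in self.seen:
            raise PermissionError(f"{self.name}: replayed nonce {nonce}")
        self.seen.add(nonce)

    def _issue_ticket(self, caller, callee, nonce):
        # Callee credential: binds caller/callee/nonce, carries the session key under the callee's key
        ck, sk = self.endpoint_keys[callee], os.urandom(32)   # KeyError for an unknown callee
        skw = xor_pad(ck, nonce, sk).hex()
        return sk, {"caller": caller, "callee": callee, "nonce": nonce, "sk_wrapped": skw,
                    "tag": tag(ck, "TKT", caller, callee, nonce, skw)}

    def handle_request(self, req, keepers):     # claim 1: authenticate caller, route intra- or inter-zone
        caller, callee, nonce = req["caller"], req["callee"], req["nonce"]
        ek = self.endpoint_keys.get(caller)
        if ek is None or not tag_ok(ek, req["tag"], "REQ", caller, callee, nonce):
            raise PermissionError(f"{self.name}: caller {caller} not authenticated")
        self._fresh(nonce)                      # a who-may-call-whom policy would also be applied here
        if DIRECTORY.get(callee) == self.name:  # intra-zone: this keeper issues the ticket itself
            sk, ticket = self._issue_ticket(caller, callee, nonce)
        else:                                   # inter-zone: forward to the callee's keeper
            peer, pk = keepers[DIRECTORY[callee]], self.peer_keys[DIRECTORY[callee]]
            auth = peer.handle_forwarded(dict(req, from_zk=self.name,
                                              zk_tag=tag(pk, "FWD", self.name, caller, callee, nonce)))
            ticket, skz = auth["ticket"], auth["sk_for_zk"]
            if not tag_ok(pk, auth["zk_tag"], "AUTH", peer.name, caller, callee, nonce, ticket["tag"], skz):
                raise PermissionError(f"{self.name}: authorization not from {peer.name}")
            sk = xor_pad(pk, nonce, bytes.fromhex(skz))
        skw = xor_pad(ek, nonce, sk).hex()      # re-wrap the session key for the caller
        return {"caller": caller, "callee": callee, "nonce": nonce, "ticket": ticket, "sk_wrapped": skw,
                "tag": tag(ek, "AUTH", caller, callee, nonce, ticket["tag"], skw)}

    def handle_forwarded(self, fwd):            # claim 41, callee's keeper: authenticate peer, authorize
        caller, callee, nonce, src = fwd["caller"], fwd["callee"], fwd["nonce"], fwd["from_zk"]
        pk = self.peer_keys.get(src)
        if pk is None or not tag_ok(pk, fwd["zk_tag"], "FWD", src, caller, callee, nonce):
            raise PermissionError(f"{self.name}: forwarded request not from {src}")
        self._fresh(nonce)
        sk, ticket = self._issue_ticket(caller, callee, nonce)
        skz = xor_pad(pk, nonce, sk).hex()
        return {"ticket": ticket, "sk_for_zk": skz,
                "zk_tag": tag(pk, "AUTH", self.name, caller, callee, nonce, ticket["tag"], skz)}

def caller_request(ek, caller, callee):
    nonce = os.urandom(8).hex()
    return {"caller": caller, "callee": callee, "nonce": nonce, "tag": tag(ek, "REQ", caller, callee, nonce)}

def caller_propose(ek, auth, proposal):
    c, e, n = auth["caller"], auth["callee"], auth["nonce"]
    if not tag_ok(ek, auth["tag"], "AUTH", c, e, n, auth["ticket"]["tag"], auth["sk_wrapped"]):
        raise PermissionError("authorization did not come via my Zone Keeper")
    sk = xor_pad(ek, n, bytes.fromhex(auth["sk_wrapped"]))
    return sk, {"caller": c, "callee": e, "nonce": n, "ticket": auth["ticket"], "proposal": proposal,
                "tag": tag(sk, "PROP", c, e, n, proposal)}

def callee_accept(ek, conn):
    t, c, e, n, p = conn["ticket"], conn["caller"], conn["callee"], conn["nonce"], conn["proposal"]
    # The ticket must be my keeper's and bound to this very call, or it could be replayed elsewhere
    if (t["caller"], t["callee"], t["nonce"]) != (c, e, n) or not tag_ok(
            ek, t["tag"], "TKT", c, e, n, t["sk_wrapped"]):
        raise PermissionError("ticket not from my Zone Keeper or not for this call")
    sk = xor_pad(ek, n, bytes.fromhex(t["sk_wrapped"]))
    if not tag_ok(sk, conn["tag"], "PROP", c, e, n, p):
        raise PermissionError("proposal not authenticated")
    return sk, {"nonce": n, "tag": tag(sk, "ACC", e, c, n, p)}

def build_system():
    keepers = {"ZK-A": ZoneKeeper("ZK-A"), "ZK-B": ZoneKeeper("ZK-B")}
    keys = {ep: os.urandom(32) for ep in DIRECTORY}           # endpoint long-term secrets (constructed)
    for ep, k in keys.items():
        keepers[DIRECTORY[ep]].endpoint_keys[ep] = k
    keepers["ZK-A"].peer_keys["ZK-B"] = keepers["ZK-B"].peer_keys["ZK-A"] = os.urandom(32)
    return keepers, keys

def place_call(keepers, keys, caller, callee, proposal="SRTP audio/video"):
    auth = keepers[DIRECTORY[caller]].handle_request(caller_request(keys[caller], caller, callee), keepers)
    sk_c, conn = caller_propose(keys[caller], auth, proposal)
    sk_e, acc = callee_accept(keys[callee], conn)
    # only the ticket holder (the callee) can derive sk, so a valid ACC tag authenticates the callee
    return tag_ok(sk_c, acc["tag"], "ACC", callee, caller, conn["nonce"], proposal) and sk_c == sk_e
```

`place_call(keepers, keys, "alice", "carol")` runs the intra-zone path (one keeper issues the ticket itself) and `place_call(keepers, keys, "alice", "bob")` the inter-zone path, where ZK-A forwards to ZK-B and both keepers authenticate each other's messages before the caller ever sees the authorization. Three checks the page does not spell out but a practitioner wants are visible here: each keeper rejects a replayed request nonce; the ticket is bound to (caller, callee, nonce), so an authorization obtained for one call cannot be presented to a different callee or reused for a later call; and the caller only trusts an authorization tagged by its own keeper, not one handed to it directly by a peer.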
Specification