Key server for securing IP telephony registration, control, and maintenance
First Claim
1. A method for provisioning and registering a packet-switched communications device in an enterprise network, comprising:
- (a) providing an unprovisioned first packet-switched communications device in an enterprise network, the first packet-switched communications device having a corresponding unique identifier and an electronic address on the enterprise network;
- (b) as part of a provisioning process establishing, by the first packet-switched communications device, a secure communications session with a key generating agent in the enterprise network;
- (c) providing, to the key generating agent through the session, (i) when a key identifier is derived using the unique identifier associated with the first packet-switched communications device, the unique identifier or (ii) when the key identifier is derived using information not associated with the first packet-switched communications device, no unique identifier;
- (d) receiving, from the key generating agent through the session, (i) a secret key derived from an enterprise master key and a key identifier and (ii) the key identifier;
- (e) forwarding to an application server a registration request, wherein the registration request comprises the key identifier and wherein the first packet-switched communications device has a limited ability to communicate with a provisioned and registered second packet-switched communications device in the enterprise network until the first packet-switched communications device is successfully registered in step (g);
- (f) authenticating the first packet-switched communications device with the secret key or an authentication key derived therefrom; and
- (g) when the first packet-switched communications device is successfully authenticated, registering the first packet-switched communications device, wherein steps (b) through (e) occur after the first packet-switched communications device has been located at an end user's premises and wherein the first and second packet-switched communications devices have different and unique secret keys and key identifiers.
Abstract
A packet-switched communications device in an enterprise network is provided. The packet-switched communications device has a corresponding unique identifier, such as an address or extension. The device includes a processor operable to (a) establish a secure communications session with a key generating agent in the enterprise network; (b) provide, to the key generating agent through the session, the unique identifier of the communications device; and (c) receive, from the key generating agent through the session, a secret key and a key identifier. An application server authenticates the packet-switched device using the secret key. After authentication succeeds, secure communications are established between the packet-switched device and the application server.
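The abstract and claim 1 describe a key-diversification scheme: the key generating agent holds one enterprise master key, hands each phone a per-device secret derived from that master key and a key identifier, and the application server later authenticates the phone by its key identifier before granting registration. The following Python model is an added example written for this page, not code from the patent or any vendor product. It assumes the secure provisioning session of step (b) already exists (for instance TLS with a certificate the phone validates) and only models what flows inside it; the HMAC-SHA256 derivation, the challenge-response registration, and the names `KeyGeneratingAgent`, `ApplicationServer` and `Phone` are all assumptions of the example. It also shows both key-identifier options of step (c): an identifier derived from the phone's extension, and one derived from information unrelated to the phone.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so concatenation is unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class KeyGeneratingAgent:
    """Holds the enterprise master key and diversifies it per device (claim step (d)).

    Hypothetical class for this example; the master key never leaves this object."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key

    def key_identifier(self, unique_id: Optional[bytes]) -> bytes:
        # Option (i): key id derived from the device's unique identifier.
        # Option (ii): key id derived from information not tied to the device.
        if unique_id is not None:
            return _prf(self._master, b"key-id", unique_id)[:16]
        return secrets.token_bytes(16)

    def derive_secret(self, key_id: bytes) -> bytes:
        """Secret key = PRF(master key, key identifier); re-derivable from the id alone."""
        return _prf(self._master, b"device-secret", key_id)

    def provision(self, unique_id: Optional[bytes]) -> Tuple[bytes, bytes]:
        key_id = self.key_identifier(unique_id)
        return self.derive_secret(key_id), key_id


def authentication_key(secret: bytes) -> bytes:
    """Step (f): an authentication key derived from the secret, so the secret is never used on the wire."""
    return _prf(secret, b"auth")


@dataclass
class ApplicationServer:
    """Authenticates by key identifier and tracks which devices are registered (steps (e)-(g)).

    Assumption: the server obtains a device's secret from the agent by key id rather
    than holding the master key itself."""
    kga: KeyGeneratingAgent
    registered: set = field(default_factory=set)
    _pending: dict = field(default_factory=dict)

    def challenge(self, key_id: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[key_id] = nonce
        return nonce

    def register(self, key_id: bytes, response: bytes) -> bool:
        nonce = self._pending.pop(key_id, None)  # one nonce per attempt: no replay
        if nonce is None:
            return False
        expected = _prf(authentication_key(self.kga.derive_secret(key_id)),
                        b"register", key_id, nonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.registered.add(key_id)
        return True

    def may_call(self, key_id: bytes) -> bool:
        """Models the 'limited ability to communicate' until registration succeeds."""
        return key_id in self.registered


@dataclass
class Phone:
    unique_id: Optional[bytes]
    secret: bytes = b""
    key_id: bytes = b""

    def provision(self, kga: KeyGeneratingAgent) -> None:
        self.secret, self.key_id = kga.provision(self.unique_id)

    def respond(self, nonce: bytes) -> bytes:
        return _prf(authentication_key(self.secret), b"register", self.key_id, nonce)


def provision_and_register(server: ApplicationServer, phone: Phone) -> bool:
    """Full flow of claim 1 for one phone: provision, then challenge-response registration."""
    phone.provision(server.kga)
    nonce = server.challenge(phone.key_id)
    return server.register(phone.key_id, phone.respond(nonce))


if __name__ == "__main__":
    kga = KeyGeneratingAgent(b"constructed-master-key-for-demo")  # constructed sample value
    server = ApplicationServer(kga)
    ext_1001, ext_1002 = Phone(b"extension-1001"), Phone(None)
    print(provision_and_register(server, ext_1001), provision_and_register(server, ext_1002))
    print(ext_1001.key_id != ext_1002.key_id, ext_1001.secret != ext_1002.secret)
```

The point the claims make about per-device keys falls out of the derivation: two phones receive different key identifiers and therefore different secrets, so compromise of one handset's secret reveals nothing about another's, and the application server never needs a per-device key database, only the key identifier carried in the registration request and access to the agent that can re-derive the secret.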
61 Claims
Dependent claims of claim 1: 2 through 21.
22. An enterprise network including a first packet-switched communications device having a corresponding unique identifier and an electronic address on the enterprise network, the first packet-switched communications device comprising:
a first processor in the packet-switched communications device operable to:
- (A1) establish, as part of a provisioning process, a secure communications session with a key generating agent in the enterprise network;
- (A2) provide, to the key generating agent through the session, (i) when a key identifier is derived using a unique identifier associated with the first packet-switched communications device, the unique identifier or (ii) when the key identifier is derived using information not associated with the first packet-switched communications device, no unique identifier;
- (A3) receive, from the key generating agent through the session, (i) a secret key derived from a key identifier and an enterprise master key and (ii) the key identifier;
- (A4) forward to an application server a registration request, wherein the registration request comprises the key identifier and wherein the first packet-switched communications device has a limited ability to communicate with a provisioned and registered second packet-switched communications device in the enterprise network until the first packet-switched communications device is successfully registered in operation (B2); and
wherein the application server comprises a second processor that is operable to:
- (B1) authenticate the communications device with the secret key or an authentication key derived therefrom; and
- (B2) when the communications device is successfully authenticated, register the communications device, wherein operations (A1) through (B1) occur after the first packet-switched communications device has been located at an end user's premises and wherein the first and second packet-switched communications devices have different and unique secret keys and key identifiers.
Dependent claims of claim 22: 23 through 40.
41. A method for provisioning and registering a packet-switched communications device in an enterprise network, comprising:
- (a) assigning an electronic address to a first communications device;
- (b) providing the electronic address and an address associated with a key generating agent to the first communications device;
- (c) authenticating, by the first communications device, the key generating agent; and
- (d) when authentication of the key generating agent is successful, performing the following additional steps:
- (e) establishing, as part of a provisioning process, a secure communications session between the first communications device and the key generating agent, wherein the first communications device has a corresponding unique identifier;
- (f) providing the unique identifier to the key generating agent through the secure communications session;
- (g) receiving, from the key generating agent through the session, (i) a secret key derived from an enterprise master key, the unique identifier, and a key identifier and (ii) the key identifier;
- (h) forwarding to an application server a registration request, wherein the registration request comprises the key identifier and wherein the first communications device has a limited ability to communicate with a provisioned and registered second packet-switched communications device in the enterprise network until the first communications device is successfully registered in step (j);
- (i) authenticating the first communications device with the secret key or an authentication key derived therefrom; and
- (j) when the first communications device is successfully authenticated, registering the first communications device, wherein steps (e) through (j) occur after the first communications device has been located at an end user's premises and wherein the first and second packet-switched communications devices have different and unique secret keys and key identifiers.
Dependent claims of claim 41: 42 through 57.
58. A method, comprising:
- (a) requesting, by an unprovisioned and unregistered first communications device, a first electronic address to be assigned to the first communications device and a second electronic address associated with a key generating agent;
- (b) receiving, by the first communications device, the first and second electronic addresses;
- (c) thereafter contacting and authenticating, by the first communications device, the key generating agent;
- (d) when authentication of the key generating agent is successful, establishing, by the first communications device and as part of a provisioning process, a secure communications session with the key generating agent, wherein the first communications device has a corresponding unique identifier;
- (e) providing the unique identifier to the key generating agent through the secure communications session;
- (g) receiving, from the key generating agent through the session, a secret key derived from an enterprise master key, the unique identifier, and a key identifier;
- (h) forwarding, to an application server, a registration request, wherein the registration request comprises the key identifier and wherein the unregistered first communications device has a limited ability to communicate with a provisioned and registered second packet-switched communications device in the enterprise network until the first communications device is successfully registered; and
- (i) when the application server has successfully authenticated the first communications device using the secret key or an authentication key derived therefrom, registering the first communications device, wherein steps (a) through (i) occur after the first communications device has been located at an end user's premises and wherein the first and second packet-switched communications devices have different and unique secret keys and key identifiers.
Dependent claims of claim 58: 59 through 61.
Specification