Method of and apparatus for authenticating control messages in a signaling network

US 7,360,090 B1
Filed: 01/18/2001
Issued: 04/15/2008
Est. Priority Date: 06/30/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A communication network, comprising:

(A) local communication links,(B) a plurality of separately located central office switching systems interconnected via trunk circuits for selectively providing switched call connections between at least two of the local communication links in response to predetermined control data messages,(C) a signaling communication system for two-way communications of said control data messages between said central office switching systems, said signaling communication system interconnecting the central office switching systems;

(D) a signaling gateway, separate from the central office switching systems and connected to said signaling communications system, said signaling gateway including an interface connected to a remote communications network and configured to exchange said control data messages between said remote communication network and said central office switching systems by way of said signaling communication system, and(E) a signaling system security monitor, separate from the central office switching systems, said signaling system security monitor configured to evaluate an encrypted portion of said control data messages including digital time stamps so as to authenticate corresponding ones of said control messages and, in response, determine if said control data messages are chronologically sequenced.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication network includes an SS7 Security Gatekeeper that authenticates and validates network control messages within, transiting, entering and leaving an overlying control fabric such as an SS7 network. The SS7 Security Gatekeeper incorporates several levels of checks to ensure that messages are properly authenticated, valid, and consistent with call progress and system status. In addition to message format, message content is checked to ensure that the originating node has the proper authority to send the message and to invoke the related functions. Predefined sets of templates may be used to check the messages, each set of templates being associated with respective originating point codes and/or calling party addresses. The templates may also be associated with various system states such that messages corresponding to a particular template cause a state transition along a particular edge to a next state node at which another set of templates are defined. Thus, system and call state is maintained. The monitor also includes signaling point authentication using digital signatures and timestamps. Timestamps are also used to initiate appropriate timeouts and so that old or improperly sequenced message may be ignored, corrected or otherwise processed appropriately. The SS7 Security Gatekeeper may be located at the edge of a network to be protected so that all messaging to and from the protected network most egress by way of the Gatekeeper. Alternatively, the SS7 Security Gatekeeper may be internal to the protected network and configured as a “pseudo switch” so that ISUP messaging is routed through the Gatekeeper while actual traffic is trunked directly between the associated SSPs, bypassing the Gatekeeper.

Citations

40 Claims

1. A communication network, comprising:
- (A) local communication links,(B) a plurality of separately located central office switching systems interconnected via trunk circuits for selectively providing switched call connections between at least two of the local communication links in response to predetermined control data messages,(C) a signaling communication system for two-way communications of said control data messages between said central office switching systems, said signaling communication system interconnecting the central office switching systems;
  
  (D) a signaling gateway, separate from the central office switching systems and connected to said signaling communications system, said signaling gateway including an interface connected to a remote communications network and configured to exchange said control data messages between said remote communication network and said central office switching systems by way of said signaling communication system, and(E) a signaling system security monitor, separate from the central office switching systems, said signaling system security monitor configured to evaluate an encrypted portion of said control data messages including digital time stamps so as to authenticate corresponding ones of said control messages and, in response, determine if said control data messages are chronologically sequenced.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The communications network according to claim 1 wherein said signaling system security monitor comprises a certification agent configured to exchange and maintain encryption key certificates.
  - 3. The communications network according to claim 1 wherein said signaling system security monitor is configured to issue and decrypt said digital time stamps.
  - 4. The communications network according to claim 1 wherein said signaling system security monitor comprises a digital certificate issuing authority.
  - 5. The communications network according to claim 1 wherein said signaling system security monitor is configured to selectively communicate said control data messages between said signaling gateway and said signaling communication system in response to said encrypted portions of said control data messages.
  - 6. The communications network according to claim 1 wherein said signaling system security monitor is configured to selectively enable and inhibit said signaling gateway from exchanging said control data messages between said remote communication network and said signaling communication system in response to said encrypted portions of said control data messages.
  - 7. The communications network according to claim 1 wherein said signaling system security monitor includes a memory storing states of respective ones of said central office switching systems, said processor additionally responsive to said states for determining if said control messages are proper.
  - 8. The communications network according to claim 1 wherein said signaling gateway is configured to convert SS7 type messages to another packet data format.
  - 9. The communications network according to claim 8 wherein the other packet data format is an Internet Protocol (IP) format.
  - 10. The communications network according to claim 1 wherein said signaling system security monitor is configured to monitor a destination point code.
  - 11. The communications network according to claim 1 wherein said signaling system security monitor is configured to monitor at least one of SCCP, ISUP, TCAP, and AIN messages.
  - 12. The communications network according to claim 1 wherein said signaling system security monitor is configured to monitor calling and called party address parameters contained in SCCP message portions of said control data messages and determine if said monitor calling and called party address parameters are consistent with an authorized signaling relationship.
  - 13. The communications network according to claim 1 wherein said signaling system security monitor is configured to monitor calling and called party address parameters contained in an SCCP message portion of said control data messages.
  - 14. The communications network according to claim 1 wherein said signaling system security monitor is configured to monitor origination and designation point codes and calling and called party address parameters contained in a TCAP message portion of said control data messages.
  - 15. The communications network according to claim 1 wherein said signaling system security monitor is configured to monitor origination and destination point codes parameters contained in a TCAP message portion of said control data messages and determine if a particular destination point code is authorized to send a particular TCAP message to a particular destination point code.
  - 16. The communications network according to claim 1 wherein said signaling system security monitor includes a memory storing a state of said communications network.
  - 17. The communications network according to claim 1 wherein said signaling system security monitor includes a memory storing permissible states of said communications network and rules for transitioning from each of said permissible states to others of said permissible states.
  - 18. The communications network according to claim 1 wherein said signaling system security monitor includes a memory storing data relating call progress status with respective sets of control messages appropriate to initiate a next action consistent with a particular service.
  - 19. The communications network according to claim 1 wherein said signaling system security monitor includes a memory storing a plurality of message templates corresponding to approved ones of said control data messages.
  - 20. The communications network according to claim 19 wherein said plurality of message templates are associated with a plurality of service providers.
  - 21. The communications network according to claim 20 wherein said signaling system security monitor associates each of said control data messages with a corresponding one of said service providers and selects one of said message templates in response to the corresponding one of said service providers.
  - 22. The communications network according to claim 19 wherein said signaling system security monitor includes a memory storing sets of templates, each of said sets corresponding to control messages appropriate to particular call progress flow.
  - 23. The communications network according to claim 22 wherein said templates define message formats, parameters and values associated with control message types selected from SCCP, ISUP, TCAP and AIN type messages.
  - 24. The communications network according to claim 22 wherein said signaling system security monitor is configured to select said sets of templates in response to service provider authorization data associated with respective ones of said control data messages.
  - 25. The communications network according to claim 1 wherein said signaling system security monitor is configured to monitor an originating point code.
  - 26. The communications network according to claim 1 wherein said signaling system security monitor is configured to monitor a service indicator.

27. A method of securely interfacing control links of respective communication networks, comprising the steps of:
- exchanging control data messages between a remote communication network and a local signaling communication system;
  
  decrypting a certificate portion of said control data messages including a time stamp so as to authenticate originating point code information corresponding to said control data messages and, in response to said time stamp, determine if said control data messages are chronologically sequenced based on said time stamp so as to determine control message chronological sequencing;
  
  selectively communicating, in response to said decrypting step, control data messages between central office switching systems; and
  
  selectively providing switched call connections between at least two of the local communication links in response to predetermined control data messages.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 28. The method according to claim 27 further comprising a step of converting a protocol of said control data messages between a protocol of said remote communication network and a protocol of said local signaling communication system.
  - 29. The method according to claim 28 wherein one of said protocols is an SS7 compliant message protocol.
  - 30. The method according to claim 29 wherein one of said protocols is an Internet Protocol (IP) format.
  - 31. The method according to claim 27 further comprising a step of monitoring of calling and called party address parameters contained in SCCP message portions of said control data messages.
  - 32. The method according to claim 31 wherein said monitoring step includes determining if said calling and called party address parameters are consistent with an authorized signaling relationship.
  - 33. The method according to claim 27 further comprising a step of monitoring origination and designation point codes and calling and called party address parameters contained in a TCAP message portion of said control data messages.
  - 34. The method according to claim 33 wherein said monitoring step includes monitoring origination and destination point codes parameters contained in a TCAP message portion of said control data messages and determining if a particular destination point code is authorized to send a particular TCAP message to a particular destination point code.
  - 35. The method according to claim 27 further comprising a step of storing a state of said communications network.
  - 36. The method according to claim 27 further comprising a step of storing (i) permissible states of said communications network and (ii) rules for transitioning from each of said permissible states to others of said permissible states.
  - 37. The method according to claim 27 further comprising a step of storing data relating call progress status with respective sets of control messages appropriate to initiate a next action consistent with a particular service.
  - 38. The method according to claim 27 further comprising a step of storing a plurality of message templates.
  - 39. The method according to claim 38 wherein said plurality of message templates are associated with a plurality of service providers.
  - 40. The method according to claim 39 further comprising steps of:
    - associating each of said control data messages with a corresponding one of said service providers; and
      
      selecting one of said message templates in response to the corresponding one of said service providers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Services Corporation (Verizon Communications Inc.)
Inventors
Doskow, Arthur, Jarosinski, Kathleen F., Hetz, Harry A.
Primary Examiner(s)
Truong; Thanhnga
Assistant Examiner(s)
Klimach; Paula W

Application Number

US09/767,292
Time in Patent Office

2,644 Days
Field of Search

713/170, 713/168, 713/375, 713/178, 713/161, 713/181, 713/155, 709/223, 380/257, 380/225, 370/218, 370/230, 370/369, 370/375
US Class Current

713/170
CPC Class Codes

H04L 63/08   for authentication of entit...

H04M 7/1205   where the types of switchin...

H04Q 2213/13176   Common channel signaling, CCS7

H04Q 2213/13339   Ciphering, encryption, secu...

H04Q 3/0025   Provisions for signalling

Method of and apparatus for authenticating control messages in a signaling network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Method of and apparatus for authenticating control messages in a signaling network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links