Internet protocol telephony security architecture

US 7,568,223 B2
Filed: 07/15/2004
Issued: 07/28/2009
Est. Priority Date: 04/09/1999
Status: Expired due to Term

First Claim

Patent Images

1. A secure IP telephony system, the system comprising:

a signaling controller within an IP telephony network and in communication with at least one Cable Telephony Adapter (CTA), and configured to perform call set up and tear down and to generate a symmetric sub-key in response to a request from the at least one CTA, the request including a signaling controller ticket;

wherein the signaling controller ticket comprises a signaling controller session key, an identity of the at least one CTA, and an identity of the signaling controller;

the signaling controller further configured to distribute the symmetric sub-key to the at least one CTA in response to the signaling controller ticket; and

a Key Distribution Center (KDC) within the IP telephony network and coupled to the signaling controller, and configured to generate and distribute the signaling controller ticket and said signaling controller session key to the at least one CTA using public key encryption,wherein said at least one CTA generates an additional symmetric key specific for a given call based on the symmetric sub-key provided by the signaling controller.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure Internet Protocol (IP) telephony system, apparatus, and methods are disclosed. Communications over an IP telephony system can be secured by securing communications to and from a Cable Telephony Adapter (CTA). The system can include one or more CTAs, network servers, servers configured as signaling controllers, key distribution centers (KDC), and can include gateways that couple the IP telephony system to a Public Switched Telephone Network (PSTN). Each CTA can be configured as secure hardware and can be configured with multiple encryption keys that are used to communicate signaling or bearer channel communications. The KDC can be configured to periodically distribute symmetric encryption keys to secure communications between devices that have been provisioned to operate in the system and signaling controllers. The secure devices, such as the CTA, can communicate with other secure devices by establishing signaling and bearer channels that are encrypted with session specific symmetric keys derived from a symmetric key distributed by a signaling controller.

16 Citations

View as Search Results

15 Claims

1. A secure IP telephony system, the system comprising:
- a signaling controller within an IP telephony network and in communication with at least one Cable Telephony Adapter (CTA), and configured to perform call set up and tear down and to generate a symmetric sub-key in response to a request from the at least one CTA, the request including a signaling controller ticket;
  
  wherein the signaling controller ticket comprises a signaling controller session key, an identity of the at least one CTA, and an identity of the signaling controller;
  
  the signaling controller further configured to distribute the symmetric sub-key to the at least one CTA in response to the signaling controller ticket; and
  
  a Key Distribution Center (KDC) within the IP telephony network and coupled to the signaling controller, and configured to generate and distribute the signaling controller ticket and said signaling controller session key to the at least one CTA using public key encryption,wherein said at least one CTA generates an additional symmetric key specific for a given call based on the symmetric sub-key provided by the signaling controller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the signaling controller is configured to generate and distribute the symmetric sub-key in response to a Kerberos request from the at least one CTA.
  - 3. The system of claim 1, wherein the signaling controller distributes the sub-key encrypted with the signaling controller session key.
  - 4. The system of claim 1, wherein the signaling controller receives from the at least one CTA the signaling controller ticket, wherein a portion of the signaling controller ticket is encrypted with a signaling controller server key.
  - 5. The system of claim 1, wherein the request comprises a Kerberos Application Request having the signaling controller ticket and encrypted data including a name of the at least one CTA.
  - 6. The system of claim 1, wherein the request includes a timestamp.
  - 7. The system of claim 1, wherein the signaling controller authenticates the at least one CTA using the signaling controller ticket.
  - 8. The system of claim 1, wherein the signaling controller communicates with the CTA in an IPsec ESP session in response to receiving a valid signaling controller ticket.
  - 9. The system of claim 1, wherein the signaling controller ticket comprises a Kerberos ticket.
  - 10. The system of claim 1, wherein the signaling controller ticket further comprises an expiration time.
  - 11. The system of claim 1, wherein the KDC distributes to the at least one CTA the signaling controller ticket and a copy of the session key outside of the signaling controller ticket encrypted with a CTA public key.
  - 12. The system of claim 1, wherein the KDC distributes the signaling controller ticket to the at least one CTA, and also distributes to the at least one CTA a copy of the session key outside of the signaling controller ticket encrypted using a shared secret derived from a Diffie-Hellman exchange.
  - 13. The system of claim 1, wherein said additional symmetric key is valid for a single call.
  - 14. The system of claim 1, wherein the KDC generates and distributes the signaling controller ticket in a Kerberos exchange with the at least one CTA.
  - 15. The system of claim 9, further comprising a Provisioning Certificate Authority (CA) in communication with the IP telephony network configured to receive a manufacturer signed CTA certificate and distribute an operator network-specific certificate to the at least one CTA.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Original Assignee
General Instrument Corporation (CommScope Holding Company, Inc.)
Inventors
Anderson, Steven E., Fellows, Jonathan A., Medvinsky, Alexander, Sprunk, Eric J., Moroney, Paul
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Lipman; Jacob

Application Number

US10/893,047
Publication Number

US 20050027985A1
Time in Patent Office

1,839 Days
Field of Search

380/279, 380/266, 726/10
US Class Current

726/10
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/606   by securing the transmissio...

G06F 2207/7219   Countermeasures against sid...

G06F 2211/008   Public Key, Asymmetric Key,...

G06F 2221/2129   Authenticate client device ...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/12   Applying verification of th...

H04L 65/1043   Gateway controllers, e.g. m...

H04L 65/1101   Session protocols

H04L 9/083   involving central third par...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3263   involving certificates, e.g...

Internet protocol telephony security architecture

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Internet protocol telephony security architecture

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others