Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication
First Claim
1. A method of a Session Initiation Protocol ("SIP") client for providing mutual authentication between the SIP client and a SIP proxy, comprising:
sending to the SIP proxy a first request;
receiving from the SIP proxy a first challenge to the first request that includes a SIP proxy security context, the first challenge to the first request comprising an indication of an authentication mechanism comprising at least Kerberos and NTLM Protocol;
in response to the SIP client receiving the first challenge, obtaining from a distribution center a session key of the SIP proxy and a Kerberos server ticket, the Kerberos server ticket encrypted with a key of the SIP proxy and including authentication data of the SIP client;
sending to the SIP proxy a second request signed using the session key, the second request including a proxy authorization header with the Kerberos server ticket and a security context based on the SIP proxy security context;
receiving from the SIP proxy a first response to the second request; and
verifying that the first response was signed using the session key to authenticate the SIP proxy.
Abstract
A method and system are provided to integrate the Kerberos security mechanism into the message flow of the signaling operation under the Session Initiation Protocol, allowing a SIP client and a SIP proxy to authenticate each other. When the SIP proxy receives a request message, such as an INVITE request, from the SIP client, it responds with a challenge message indicating that authentication based on Kerberos is required. In response, the SIP client sends a second request message with a proxy authorization header containing authentication data, including a Kerberos server ticket for the proxy, to allow the proxy to authenticate the client's user.
20 Claims
1. A method of a SIP client for providing mutual authentication between the SIP client and a SIP proxy (independent claim; full text under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-readable storage device having computer executable instructions for controlling a Session Initiation Protocol ("SIP") proxy to provide mutual authentication with a SIP client, by a method comprising:
receiving a first request from the SIP client;
in response to the first request, sending to the SIP client a first challenge that includes a SIP proxy security context, the first challenge to the first request comprising an indication of an authentication mechanism comprising at least Kerberos and NTLM Protocol;
determining a session key of the SIP proxy with a distribution center;
receiving a second request from the SIP client, wherein the second request includes a proxy authorization header with data representing a Kerberos server ticket;
in response to the second request, decrypting the Kerberos server ticket of the second request using a key of the SIP proxy; and
when authentication data of the SIP client in the decrypted Kerberos server ticket indicates that the SIP client is authentic, a security context included in the second request matches the SIP proxy security context, and the second request is signed by the session key, signing a response with the session key to establish authentication of the response and forwarding the signed response to the SIP client.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17.
18. A computing system for providing mutual authentication between a Session Initiation Protocol ("SIP") client and a SIP proxy, comprising:
a SIP client component that sends a first request to the SIP proxy; in response to receiving from the SIP proxy a challenge to the first request, the challenge including a SIP proxy security context and an indication of an authentication mechanism comprising at least Kerberos and NTLM Protocol, obtains from a distribution center a session key of the SIP proxy and a Kerberos server ticket, the Kerberos server ticket encrypted with a key of the SIP proxy and including authentication data of the SIP client; sends to the SIP proxy a second request signed using the session key and that includes the Kerberos server ticket in a proxy authorization header and a security context based on the SIP proxy security context; receives from the SIP proxy a response to the second request; and authenticates the SIP proxy by verifying that the response was signed using the session key; and
a SIP proxy component that, upon receiving the first request from the SIP client, sends to the SIP client the challenge that includes the SIP proxy security context, wherein the challenge includes an indication of an authentication mechanism comprising at least Kerberos and NTLM Protocol; creates the session key with the distribution center; upon receiving the second request from the SIP client, decrypts the Kerberos server ticket of the second request using the key of the SIP proxy; and when authentication data of the SIP client in the decrypted Kerberos server ticket indicates that the SIP client is authentic, the security context included in the second request matches the SIP proxy security context, and the second request is signed by the session key, generates the response by signing with the session key to establish authentication of the response; and sends the response to the SIP client.
Dependent claims: 19, 20.
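The client/proxy/distribution-center exchange described by the claims above, modelled in Python as an added example (not code from the patent or from any vendor implementation). The ticket sealing is a toy SHAKE-256 keystream plus HMAC tag standing in for Kerberos encryption, the 407 challenge and Proxy-Authorization header are simplified dicts rather than wire-format SIP, and the keys and the identity alice@example.com are constructed; all of these are assumptions.

```python
import base64, hashlib, hmac, json, os

PROXY_KEY = os.urandom(32)            # long-term key shared by proxy and KDC (constructed)

def seal(key, data):                  # toy stand-in for Kerberos ticket encryption:
    nonce = os.urandom(16)            # SHAKE-256 keystream XOR, then an HMAC tag
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):                # proxy decrypts the ticket with its own key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket rejected: bad tag")
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def sign(session_key, msg):           # HMAC over every field except the signature itself
    canon = json.dumps({k: v for k, v in msg.items() if k != "sig"}, sort_keys=True)
    return hmac.new(session_key, canon.encode(), hashlib.sha256).hexdigest()

def kdc_issue_ticket(client_id):      # distribution center: session key + ticket for proxy
    session_key = os.urandom(32)
    ticket = seal(PROXY_KEY, json.dumps({"client": client_id, "key": session_key.hex()}).encode())
    return session_key, ticket

def proxy_challenge(request):         # proxy answers the first request with a 407 challenge
    return {"status": 407, "Proxy-Authenticate": "Kerberos, NTLM", "context": os.urandom(8).hex()}

def proxy_authenticate(request, ctx):  # decrypt ticket, check context, verify signature
    auth = request["Proxy-Authorization"]
    info = json.loads(unseal(PROXY_KEY, base64.b64decode(auth["ticket"])))
    session_key = bytes.fromhex(info["key"])
    if auth["context"] != ctx:
        raise ValueError("security context mismatch")
    if not hmac.compare_digest(request["sig"], sign(session_key, request)):
        raise ValueError("request signature invalid")
    resp = {"status": 200, "context": ctx}
    resp["sig"] = sign(session_key, resp)     # proxy signs its response with the session key
    return info["client"], resp

def client_flow(client_id="alice@example.com"):
    invite = {"method": "INVITE", "from": client_id}
    chal = proxy_challenge(invite)                        # first request -> 407 challenge
    assert "Kerberos" in chal["Proxy-Authenticate"]
    session_key, ticket = kdc_issue_ticket(client_id)     # obtain session key + ticket from KDC
    req = {**invite, "Proxy-Authorization": {"ticket": base64.b64encode(ticket).decode(),
                                              "context": chal["context"]}}
    req["sig"] = sign(session_key, req)                   # second request, signed
    who, resp = proxy_authenticate(req, chal["context"])
    proxy_ok = hmac.compare_digest(resp["sig"], sign(session_key, resp))  # client verifies proxy
    return who, proxy_ok
```

The returned pair is the client identity the proxy accepted and whether the client's check of the response signature succeeded; a tampered ticket or a replayed context fails with ValueError at the proxy.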
Specification