Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication

US 7,770,007 B2
Filed: 06/04/2007
Issued: 08/03/2010
Est. Priority Date: 06/14/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of a Session Initiation Protocol (“

SIP”

) client for providing mutual authentication between the SIP client and a SIP proxy, comprising;

sending to the SIP proxy a first request;

receiving from the SIP proxy a first challenge to the first request that includes a SIP proxy security context, the first challenge to the first request comprising an indication of an authentication mechanism comprising at least Kerberos and NTLM Protocol;

in response to the SIP client receiving the first challenge,obtaining from a distribution center a session key of the SIP proxy and a Kerberos server ticket, the Kerberos server ticket encrypted with a key of the SIP proxy and including authentication data of the SIP client; and

sending to the SIP proxy a second request signed using the session key the second request including a proxy authorization header with the Kerberos server ticket and a security context based on the SIP proxy security context;

receiving from the SIP proxy a first response to the second request; and

verifying that the first response was signed using the session key to authenticate the SIP proxy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is provided to integrate the Kerberos security mechanism into the message flow of the signaling operation under the Session Initiation Protocol to allow a SIP client and a SIP proxy to authenticate each other. When the SIP proxy receives an request message, such an INVITE request, from the SIP client, it responds with a challenge message indicating that authentication based on Kerberos is required.

In response, the SIP client sends a second request message with a proxy authorization header containing authentication data, including a Kerberos server ticket for the Proxy, to allow the proxy to authenticate the client'"'"'s user.

40 Citations

View as Search Results

20 Claims

1. A method of a Session Initiation Protocol (“
- SIP”
  
  ) client for providing mutual authentication between the SIP client and a SIP proxy, comprising;
  
  sending to the SIP proxy a first request;
  
  receiving from the SIP proxy a first challenge to the first request that includes a SIP proxy security context, the first challenge to the first request comprising an indication of an authentication mechanism comprising at least Kerberos and NTLM Protocol;
  
  in response to the SIP client receiving the first challenge,obtaining from a distribution center a session key of the SIP proxy and a Kerberos server ticket, the Kerberos server ticket encrypted with a key of the SIP proxy and including authentication data of the SIP client; and
  
  sending to the SIP proxy a second request signed using the session key the second request including a proxy authorization header with the Kerberos server ticket and a security context based on the SIP proxy security context;
  
  receiving from the SIP proxy a first response to the second request; and
  
  verifying that the first response was signed using the session key to authenticate the SIP proxy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising signing a subsequent request sent to the SIP proxy with the session key.
  - 3. The method of claim 2 further comprising receiving a second challenge to the second request from the SIP proxy;
    - in response to receiving the second challenge, obtaining from the distribution center a new session key and a new Kerberos server ticket; and
      
      sending to the SIP proxy a third request signed using the new session key and including the new Kerberos server ticket.
  - 4. The method of claim 1 wherein a first request is a member of a group comprising an invite request, a register request, a message request, a subscribe request, a notify request, and a service request.
  - 5. The method of claim 1 further comprising the SIP proxy, upon receiving the second request,the SIP proxy receiving the second request;
    - in response to receiving the second request, the SIP proxy decrypting the Kerberos server ticket based on the key of the SIP proxy;
      
      the SIP proxy forwarding the second request to a server when the authentication data in the decrypted Kerberos server ticket indicates that the SIP client is authentic, the security context included in the second request matches the SIP proxy security context, and the second request is signed by the session key;
      
      in response to receiving from the server a second response to the second request, the SIP proxy generating the first response by signing with the session key and forwarding the first response to the SIP client.
  - 6. The method of claim 1 further comprising:
    - the SIP proxy receiving from the SIP client the first request;
      
      in response to receiving the first request, the SIP proxy creating the session key with the distribution center; and
      
      the SIP proxy sending to the SIP client the first challenge that includes the SIP proxy security context.
  - 7. The method of claim 1 wherein the Kerberos server ticket includes a copy of the session key.

8. A computer-readable storage device having computer executable instructions for controlling a Session Initiation Protocol (“
- SIP”
  
  ) proxy to provide mutual authentication with a SIP client, by a method comprising;
  
  receiving a first request from the SIP client;
  
  in response to the first request, sending to the SIP client a first challenge that includes a SIP proxy security context, the first challenge to the first request comprising an indication of an authentication mechanism comprising at least Kerberos and NTLM Protocol;
  
  determining a session key of the SIP proxy with a distribution center;
  
  receiving a second request from the SIP client, wherein the second request includes a proxy authorization header with data representing a Kerberos server ticket;
  
  in response to the second request, decrypting the Kerberos server ticket of the second request using a key of the SIP proxy; and
  
  when authentication data of the SIP client in the decrypted Kerberos server ticket indicates that the SIP client is authentic, a security context included in the second request matches the SIP proxy security context, and the second request is signed by the session key, signing a response with the session key to establish authentication of the response and forwarding the signed response to the SIP client.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The computer-readable storage device of claim 8 wherein determining a session key of the SIP proxy with the distribution center includes the SIP proxy creating the session key and providing the session key to the distribution center.
  - 10. The computer-readable storage device of claim 8 wherein the Kerberos server ticket includes the session key.
  - 11. The computer-readable storage device of claim 8 further comprising:
    - the SIP client sending the first request to the SIP proxy;
      
      in response to receiving the challenge, the SIP client determining the session key of the SIP proxy with the distribution center;
      
      in response to receiving the challenge, the SIP client obtaining from the distribution center the Kerberos server ticket encrypted with the key of the SIP proxy, the Kerberos server ticket including authentication data of the SIP client;
      
      the SIP client generating the second request by signing the Kerberos server ticket encrypted with the key of the SIP proxy, and signing the SIP proxy security context with the session key;
      
      the SIP client sending to the SIP proxy the second request; and
      
      in response to receiving the signed response, the SIP client verifying that the response was signed using the session key to authenticate the SIP proxy.
  - 12. The computer-readable storage device of claim 11 wherein the key of the SIP proxy is a long-term key of the SIP proxy, and wherein the SIP proxy obtaining from the distribution center includes obtaining the Kerberos server ticket encrypted with the long-term key of the SIP proxy.
  - 13. The computer-readable storage device of claim 11 further comprising the SIP client signing a subsequent message to the SIP proxy using the session key, and sending the signed subsequent message to the SIP proxy.
  - 14. The computer-readable storage device of claim 13 further comprising in response to receiving the subsequent message from the SIP client, the SIP proxy determining whether the subsequent message is signed using the session key.
  - 15. The computer-readable storage device of claim 11 further comprising in response to receiving a subsequent challenge from the SIP proxy, the SIP client obtaining from the distribution center a new session key and a new Kerberos server ticket and the SIP client sending to the SIP proxy a third request signed using the new session key and including the new Kerberos server ticket.
  - 16. The computer-readable storage device of claim 15 further comprising in response to the security context being no longer valid, the SIP proxy sending to the SIP client the subsequent challenge that includes a new SIP proxy security context;
    - and the SIP proxy creating a new session key of the SIP proxy with the distribution center.
  - 17. The computer-readable storage device of claim 8 wherein the first request is a member of a group comprising an invite request, a register request, a message request, a subscribe request, a notify request, and a service request.

18. A computing system for providing mutual authentication between a Session Initiation Protocol (“
- SIP”
  
  ) client and a SIP proxy, comprising;
  
  a SIP client component thatsends a first request to the SIP proxy;
  
  in response to receiving from the SIP proxy a challenge to the first request, the challenge including a SIP proxy security context and an indication of an authentication mechanism comprising at least Kerberos and NTLM Protocol, obtains from a distribution center a session key of the SIP proxy and a Kerberos server ticket, the Kerberos server ticket encrypted with a key of the SIP proxy and including authentication data of the SIP client;
  
  sends to the SIP proxy a second request signed using the session key and that includes the Kerberos server ticket in a proxy authorization header and a security context based on the SIP proxy security context;
  
  receives from the SIP proxy a response to the second request; and
  
  authenticates the SIP proxy by verifying that the response was signed using the session key; and
  
  a SIP proxy component thatupon receiving the first request from the SIP client,sends to the SIP client the challenge that includes the SIP proxy security context, wherein the challenge includes an indication of an authentication mechanism comprising at least Kerberos and NTLM Protocol; and
  
  creates the session key with the distribution center;
  
  upon receiving the second request from the SIP client,decrypts the Kerberos server ticket of the second request using the key of the SIP proxy; and
  
  when authentication data of the SIP client in the decrypted Kerberos server ticket indicates that the SIP client is authentic, the security context included in the second request matches the SIP proxy security context, and the second request is signed by the session key,generates the response by signing with the session key to establish authentication of the response; and
  
  sends the response to the SIP client.
- View Dependent Claims (19, 20)
- - 19. The computer system of claim 18 wherein the SIP client component signs subsequent requests sent to the SIP proxy with the session key.
  - 20. The computer system of claim 18 wherein the SIP client component further, when a subsequent challenge is received from the SIP proxy, obtains from the distribution center a new session key and sends to the SIP proxy a subsequent request signed using the new session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bobde, Nikhil, Han, Mu, Demirtjis, Ann
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Wyszynski; Aubrey H

Application Number

US11/757,877
Publication Number

US 20080022383A1
Time in Patent Office

1,156 Days
Field of Search

726/1, 713/169, 713/150, 713/171
US Class Current

713/169
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0869   for achieving mutual authen...

H04L 63/123   received data contents, e.g...

H04L 63/205   involving negotiation or de...

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links