Method and system for secure communications with IP telephony appliance

US 7,965,701 B1
Filed: 04/29/2005
Issued: 06/21/2011
Est. Priority Date: 09/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method for communicating with a telephony enabled device, wherein the device is also capable of communicating on an Internet protocol based (IP) network, comprising:

activating the telephony enabled device for communicating on a telephony network and communicating on the IP network;

the telephony enabled device broadcasting on the IP network a request for initial IP network information;

in response to the broadcast, the telephony enabled device first receiving an IP address for the telephony enabled device via the first communication;

in response to the broadcast, the telephony enabled device performing a first set of communications with a network node identified by a first IP address for establishing a first communication therebetween;

the telephony enabled device second receiving update information related to an update of operational information used in operating the telephony enabled device, wherein the update information is received via an encrypted and authenticated communication on the IP network from the network node;

the telephony enabled device third receiving a second IP address from the network node for an IP server;

in response to receiving the second IP address, the telephony enabled device fourth receiving security information for encrypting and authenticating IP communications received by the telephony enabled device from the IP server, wherein the security information is determined via an encrypted and authenticated communication on the IP network;

the telephony enabled device authenticating, with the security information, an IP communication between the IP server and the telephony enabled device, including a substep of authenticating whether an IP communication received on a particular port of the telephony enabled device is from the IP server;

the telephony enabled device decrypting, with the security information, the IP communication between the IP server and the telephony enabled device; and

wherein subsequent processing of each communication C of at least most IP communications on the port is dependent upon a corresponding result for authenticating that the communication C is from the IP server, wherein when said result indicates the communication C is not from the IP server, at least one instruction in the communication C is not processed in a manner that the instruction would be processed if said result indicated C were from the IP server.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are disclosed for providing secure communications with a communication appliance such as an IP telephone, wherein such an appliance has a reduced risk to attacks by unauthorized or rogue applications. In particular, “denial of service” and “man-in-the-middle” attacks are prevented. One embodiment establishes authenticated and encrypted communications with a single IP server for transmitting and receiving substantially all IP application communications with third parties.

Citations

18 Claims

1. A method for communicating with a telephony enabled device, wherein the device is also capable of communicating on an Internet protocol based (IP) network, comprising:
- activating the telephony enabled device for communicating on a telephony network and communicating on the IP network;
  
  the telephony enabled device broadcasting on the IP network a request for initial IP network information;
  
  in response to the broadcast, the telephony enabled device first receiving an IP address for the telephony enabled device via the first communication;
  
  in response to the broadcast, the telephony enabled device performing a first set of communications with a network node identified by a first IP address for establishing a first communication therebetween;
  
  the telephony enabled device second receiving update information related to an update of operational information used in operating the telephony enabled device, wherein the update information is received via an encrypted and authenticated communication on the IP network from the network node;
  
  the telephony enabled device third receiving a second IP address from the network node for an IP server;
  
  in response to receiving the second IP address, the telephony enabled device fourth receiving security information for encrypting and authenticating IP communications received by the telephony enabled device from the IP server, wherein the security information is determined via an encrypted and authenticated communication on the IP network;
  
  the telephony enabled device authenticating, with the security information, an IP communication between the IP server and the telephony enabled device, including a substep of authenticating whether an IP communication received on a particular port of the telephony enabled device is from the IP server;
  
  the telephony enabled device decrypting, with the security information, the IP communication between the IP server and the telephony enabled device; and
  
  wherein subsequent processing of each communication C of at least most IP communications on the port is dependent upon a corresponding result for authenticating that the communication C is from the IP server, wherein when said result indicates the communication C is not from the IP server, at least one instruction in the communication C is not processed in a manner that the instruction would be processed if said result indicated C were from the IP server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said step of activating includes preventing reception of communications on at least one IP port.
  - 3. The method of claim 1, wherein the request comprises a request for one or more of:
    - the IP address for the telephony enabled device, and the first IP address for the network node from which said update information is received.
  - 4. The method of claim 1, wherein the update of operation information includes information for configuring the telephony enabled device.
  - 5. The method of claim 1, wherein the telephony enabled device receives further information from the network node, the further information includes receiving one or more of the following:
    - (a) a firmware revision or data update for the telephony enabled device;
      
      (b) other necessary information for enabling operation of the telephony enabled device;
      
      (c) information necessary to authenticate firmware; and
      
      (d) information to securely retrieve information from a backup server.
  - 6. The method of claim 5, wherein at least some of (a) through (d) are received.
  - 7. The method of claim 1, wherein said step of fourth receiving includes establishing secure communications with the IP server for communicating one or more encryption or decryption keys as at least part of the security information.
  - 8. The method of claim 1, wherein said step of authenticating includes satisfying network requests that are first identified as from the IP server, and not satisfying at least most requests from network sources different from the IP server.
  - 9. The method of claim 1, wherein the IP server controls at least one of network access to the telephony enabled device and network communication to the telephony enabled device.

10. A method for providing both telephony and IP network services, including:
- a network identification server transmitting a network address in response to a request for a network address by a network communication appliance;
  
  a configuration server transmitting configuration information in response to a request by the network communication appliance;
  
  an appliance connection server communicating with the network communication appliance, wherein for at least most IP communications with the network communication appliance, the IP communications are with the appliance connection server, wherein said appliance connection server is an intermediary server that can perform steps (a) to (e) and selectively perform one of the following;
  
  (a) determining whether a licensing criterion is satisfied for an application in communication with the network communication appliance;
  
  (b) encrypting information received from an application communicating with the network communication appliance;
  
  (c) decrypting information received from the network communication appliance for subsequently transmitting to an application communicating with the network communication appliance;
  
  (d) accessing, information about the network communication appliance, including one or more of;
  
  (d-1) a telephony extension for the network communication appliance;
  
  (d-2) an IP address for the network communication appliance;
  
  (d-3) an encryption key for encrypting information transmitted to the network communication appliance;
  
  (d-4) an authentication key for authenticating information received from the network communication appliance; and
  
  (e) at least one of;
  
  exchanging and negotiating keys for subsequently encrypting and authenticating communications between the network communication appliance and the server.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, wherein said step of the network identification server transmitting is in response to a network broadcast for network information that includes one or more of:
    - a network address, and a network address of a network server.
  - 12. The method of claim 10, wherein said step of the configuration server transmitting includes transmitting one or more of the following:
    - (i) the network IP address of an appliance connection server;
      
      (ii) a firmware revision or data update for the network communication appliance;
      
      (iii) other necessary information for enabling operation of the network communication appliance;
      
      (iv) information necessary to authenticate the firmware; and
      
      (v) information to securely retrieve information from a backup server.
  - 13. The method of claim 12, wherein at least some of (i) through (v) are transmitted to the network communication appliance.
  - 14. The method of claim 10, wherein said step of communicating includes establishing secure communications with the appliance connection server for communicating one or more encryption or decryption keys with the network communication appliance.
  - 15. The method of claim 10, wherein said step of communicating includes satisfying network requests that are first identified as from the network communication appliance, wherein said step of satisfying includes authenticating that the request is from one of a plurality of network communication appliances registered to communicate with the appliance connection server for receiving encrypted communications from the appliance connection server, wherein the appliance connection server is an intermediary network node for controlling communications between the plurality of network communication appliances and a plurality of applications.
  - 16. The method of claim 15, wherein said appliance connection server communicates with the plurality of applications via a common application programming interface.

17. A communication appliance for performing the following steps:
- broadcasting a request for a network address;
  
  first receiving a network address in response to the request for a network address by the communication appliance from a network identification server;
  
  sending a request for configuration information to a configuration server;
  
  second receiving configuration information in response to the request by the communication appliance from the configuration server;
  
  communicating with an appliance connection server, wherein the appliance connection server serves as an intermediary network node that can perform steps (a) to (e) and selectively perform one of the following with each application (A) of a plurality of applications that communicate with the appliance connection server via an IP network;
  
  (a) determining whether a licensing criterion is satisfied for the application A in communication with the network communication appliance;
  
  (b) encrypting information received from the application A communicating with the network communication appliance;
  
  (c) decrypting information received from the network communication appliance for subsequently transmitting to the application A communicating with the network communication appliance;
  
  (d) accessing information about the network communication appliance, including one or more of;
  
  (d-1) a telephony extension for the network communication appliance;
  
  (d-2) an IP address for the network communication appliance;
  
  (d-3) an encryption key for encrypting information transmitted to the network communication appliance;
  
  (d-4) an authentication key for authenticating information received from the network communication appliance; and
  
  (e) at least one of;
  
  exchanging and negotiating keys for subsequently encrypting and authenticating communications between the network communication appliance and the server.
- View Dependent Claims (18)
- - 18. The communication appliance of claim 17, wherein at least two different network communication protocols are used for communicating with third parties, wherein one of the protocols is TCP/IP.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Toennis, Roger L., Robinson, Richard L.
Primary Examiner(s)
Elahee; MD S
Assistant Examiner(s)
SHARIFZADA, IBRAHAM K

Application Number

US11/119,188
Time in Patent Office

2,244 Days
Field of Search

370/352
US Class Current

370/352
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/1441   Countermeasures against mal...

H04L 65/1053   IP private branch exchange ...

H04M 7/0078   Security; Fraud detection; ...

Method and system for secure communications with IP telephony appliance

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for secure communications with IP telephony appliance

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links