System for negotiating security association on application layer

US 8,028,161 B2
Filed: 09/03/2002
Issued: 09/27/2011
Est. Priority Date: 09/03/2001
Status: Active Grant

First Claim

Patent Images

1. A method for computer-aided negotiation of a security association on an application layer between a first computer and a second computer, the first computer and the second computer being coupled to one another via a telecommunication network, comprising:

transmitting in a first SIP-compatible message along with a random number and authentication data, a list of more than one possible security association between the first computer and the second computer from the first computer to the second computer according to SIP protocol of the application layer, an integrity algorithm, a validity time period, and a security parameter index being included for and assigned to each security association in the list, each security parameter index identifying a corresponding security association in the list, said security associations including a maximum life of the security associations;

respectively determining cryptographic parameters for a cryptographically protected communication link in a network layer to be set up using the security association,selecting a security association by the second computer from among the list of more than one possible security association received using said first SIP-compatible message, andtransmitting to the first computer in a second SIP-compatible message at least one of the security association selected by the second computer and an indication of the security association selected by the second computer to be used by the first and second computer without reselecting a new security association for the validity time period, whereinthe first computer is a mobile communication terminal and the second computer is a mobile radio network computer and a communication link is set up using the security association selected.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first computer sends a list of possible security associations to a second computer in a message according to a protocol of an application layer, a security parameter index being contained in the message for each security association. The second computer selects a security association and transmits it or an indication of the security association selected by it to the first computer.

30 Citations

View as Search Results

21 Claims

1. A method for computer-aided negotiation of a security association on an application layer between a first computer and a second computer, the first computer and the second computer being coupled to one another via a telecommunication network, comprising:
- transmitting in a first SIP-compatible message along with a random number and authentication data, a list of more than one possible security association between the first computer and the second computer from the first computer to the second computer according to SIP protocol of the application layer, an integrity algorithm, a validity time period, and a security parameter index being included for and assigned to each security association in the list, each security parameter index identifying a corresponding security association in the list, said security associations including a maximum life of the security associations;
  
  respectively determining cryptographic parameters for a cryptographically protected communication link in a network layer to be set up using the security association,selecting a security association by the second computer from among the list of more than one possible security association received using said first SIP-compatible message, andtransmitting to the first computer in a second SIP-compatible message at least one of the security association selected by the second computer and an indication of the security association selected by the second computer to be used by the first and second computer without reselecting a new security association for the validity time period, whereinthe first computer is a mobile communication terminal and the second computer is a mobile radio network computer and a communication link is set up using the security association selected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method as claimed in claim 1, wherein the telecommunication network is a mobile radio telecommunication network connecting another mobile communication terminal and a mobile radio network computer.
  - 3. The method as claimed in claim 2,wherein the mobile communication terminal transmits a registration message according to the SIP protocol of the application layer to the mobile radio network computer, andwherein the mobile radio network computer transmits an authentication message according to the SIP protocol of the application layer to the mobile communication terminal.
  - 4. The method as claimed in claim 1, further comprising transmitting an acknowledgement message from the first computer to the second computer to confirm the security association selected by the second computer for a future communication link.
  - 5. The method as claimed in claim 4, wherein the acknowledgement message contains the selected security association in a form cryptographically protected according to the selected security association.
  - 6. The method as claimed in claim 5, wherein the selected security association is protected in the acknowledgement message according to an integrity protection method determined in the selected security association.
  - 7. The method as claimed in claim 6, further comprising:
    - verifying the acknowledgement message by the second computer, andsetting up a communication using the selected security association only if said verifying is successful.
  - 8. The method as claimed in claim 7, further comprising carrying out reciprocal authentication between the first computer and the second computer prior to transmitting the list of possible security associations.
  - 9. The method as claimed in claim 8, wherein said carrying out reciprocal authentication includes exchanging a session key between the first computer and the second computer.
  - 10. The method as claimed in claim 9, further comprising deriving a further key from the session key for use within the security association selected by the second computer.
  - 11. The method as claimed in claim 10, further comprising coding the security associations according to an Internet Key Exchange protocol.
  - 12. The method as claimed in claim 11, further comprising protecting a communication relationship according to IPsec using the security associations.
  - 13. The method as claimed in claim 12, further comprising transporting user data using Encapsulating Security Payload protocol in the network layer.
  - 14. The method as claimed in claim 13, wherein said transmitting of the security parameter index is performed in a signaling part of a respective message according to the SIP protocol format of the application layer.
  - 15. The method as claimed in claim 14, wherein the security association determines the cryptographic parameters to be used in the network layer for a unidirectional communication link.

16. A system for computer-aided negotiation of a security association on an application layer between a first computer and a second computer, the first computer and the second computer being coupled to one another via a telecommunication network, comprising:
- a processor in each of the first computer and the second computer programmed to transmit a first SIP-compatible message from the first computer to the second computer, the message having a random number, authentication data and a list of more than one possible security association between the first computer and the second computer according to SIP protocol of the application layer, including an integrity algorithm, a validity time period, and a security parameter index assigned to and identifying each security association in the list, the security association respectively determining cryptographic parameters used for a cryptographically protected communication link in a network layer to be set up using the security association, andwherein the second computer selects to select a security association from among the list of more than one possible security association received using said first SIP-compatible message, and a second SIP-compatible message is transmitted from the second computer to the first computer at least one of the security association selected by the second computer and an indication of the security association selected by the second computer to be used by the first and second computer is provided without reselecting a new security association for the validity time period, andthe first computer is a mobile communication terminal and the second computer is a mobile radio network computer.

17. A computer, coupled to a remote computer via a telecommunication network, for negotiating a security association on an application layer between said computer and the remote computer, comprising:
- a processor programmed to transmit to the remote computer a first SIP-compatible message with a random number, authentication data and a list of more than one possible security association between the computer and the remote computer according to SIP protocol of the application layer, including a security parameter index assigned to and identifying each security association in the list, an integrity algorithm, and a validity time period, the security association respectively determining cryptographic parameters used for a cryptographically protected communication link in a network layer to be set up using the security association, anda processor programmed to receive in a second SIP-compatible message from the remote computer at least one of a selected security association and an indication of the selected security association selected by the remote computer from among the list of more than one possible security associations received using said first SIP-compatible message to be used by the computer and the remote computer without reselecting a new security association for the validity time period, wherein the remote computer is a mobile radio network computer.

18. A computer, coupled to a remote computer via a telecommunication network, for negotiating a security association on an application layer between the remote computer and said computer, comprising:
- a processor programmed to receive a first SIP-compatible message according to SIP protocol of the application layer, the message including a random number, authentication data and a list of more than one possible security association between the remote computer and the computer and a security parameter index assigned to and identifying each security association, an integrity algorithm, and a validity time period, the security association being used for respectively determining cryptographic parameters used for a cryptographically protected communication link in a network layer, to be set up using the security association, to select a security association from among the list of more than one possible security association received using said first SIP-compatible message, and to transmit to the remote computer in a second SIP-compatible message at least one of the security association and an indication of the security association to be used by the computer and the remote computer without reselecting a new security association for the validity time period, wherein said remote computer is a mobile radio network computer.

19. At least one computer readable recording medium storing at least one program to control at least one processor to perform a method for computer-aided negotiation of a security association on an application layer between a first computer and a second computer, the first computer and the second computer being coupled to one another via a telecommunication network, said method comprising:
- transmitting a first SIP-compatible message with a random number, authentication data and a list of more than one possible security association between the first computer and the second computer from the first computer to the second computer according to SIP protocol of the application layer, a security parameter index being included for and assigned to each security association in the list, as well as an integrity algorithm, and a validity time period, each security parameter index identifying a corresponding security association in the list;
  
  respectively determining cryptographic parameters for a cryptographically protected communication link in a network layer to be set up using the security association,selecting a security association by the second computer from among the list of more than one possible security association received using said first SIP-compatible message, andtransmitting in a second SIP-compatible message to the first computer at least one of the security association selected by the second computer and an indication of the security association selected by the second computer to be used by the first and second computer without reselecting a new security association for the validity time period, whereinthe first computer is a mobile communication terminal and the second computer is a mobile radio network computer.

20. A method for computer-aided negotiation of a security association on an application layer between a first computer and a second computer, comprising:
- transmitting a SIP-compatible message with a random number, authentication data and a list of more than one possible security association from the first computer to the second computer according to SIP protocol of the application layer, said security associations specifying an integrity algorithm, at least one of a maximum life of the security associations and a maximum service life of keys, one security association in the list to be used by the first and second computer without reselecting a new security association for a validity time period, whereinthe first computer is a mobile communication terminal and the second computer is a mobile radio network computer and the second computer selects the one security association from among the list of more than one possible security association received using said first SIP-compatible message.

21. A method, comprising:
- transmitting a SIP-compatible message with a random number, authentication data and a list of more than one possible security association between a first computer and a second computer based on SIP protocol of an application layer, the security associations including, an integrity algorithm, and a maximum life of keys, one security association in the list to be used by the first and second computer without reselecting a new security association for a validity time period, andwherein the first computer is a mobile communication terminal and the second computer is a mobile radio network computer and the second computer selects the one security association from among the list of more than one possible security association received using said first SIP-compatible message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
Kröselberg, Dirk
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
AVERY, JEREMIAH L

Application Number

US10/233,013
Publication Number

US 20040210766A1
Time in Patent Office

3,311 Days
Field of Search

None
US Class Current

713/152
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/164   at the network layer

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

System for negotiating security association on application layer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System for negotiating security association on application layer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links