Verifying cryptographic identity during media session initialization
First Claim
1. A method comprising:
- receiving, through a network interface of an authentication agent, a media initialization message requesting a media session for the exchange of real-time media with a remote endpoint, the media initialization message asserting an identity and comprising a plurality of fields and a signature, the signature formed by encrypting a portion of the fields with a first private key associated with a trusted source other than the endpoint, the plurality of fields including at least one unsigned field not in the portion of the fields, the unsigned field indicating a source address of the remote endpoint;
verifying the signature using a first public key corresponding to the first private key, the first public key associated with the trusted source, the verification of the signature confirming that the identity was authenticated by the trusted source;
receiving a certificate including a second public key;
verifying that the certificate is consistent with data in the media initialization message;
confirming the identity of the remote endpoint by receiving confirmation that the remote endpoint knows a second private key corresponding to the second public key; and
in response to confirming the identity, exchanging the real-time media with the remote endpoint.
1 Assignment
0 Petitions
Accused Products
Abstract
An authentication agent may cryptographically identify a remote endpoint that sent a media initialization message even though intermediate devices may modify certain fields in the message after a signature is inserted. The originating endpoint'"'"'s agent may create the signature over some fields of the message using an enterprise network'"'"'s private key. The agent may insert the signature into the message and send the message to a recipient endpoint'"'"'s authentication agent. The recipient agent may verify the signature, receive a certificate including a second public key, and challenge the identity of the originating endpoint in order to confirm that identity. This challenge may request a confirmation that the originating endpoint knows the private key corresponding to the second public key and may occur while running encrypted media at the endpoints. After the originating endpoint is authenticated, the endpoints may exchange encrypted and/or unencrypted media.
-
Citations
24 Claims
-
1. A method comprising:
-
receiving, through a network interface of an authentication agent, a media initialization message requesting a media session for the exchange of real-time media with a remote endpoint, the media initialization message asserting an identity and comprising a plurality of fields and a signature, the signature formed by encrypting a portion of the fields with a first private key associated with a trusted source other than the endpoint, the plurality of fields including at least one unsigned field not in the portion of the fields, the unsigned field indicating a source address of the remote endpoint; verifying the signature using a first public key corresponding to the first private key, the first public key associated with the trusted source, the verification of the signature confirming that the identity was authenticated by the trusted source; receiving a certificate including a second public key; verifying that the certificate is consistent with data in the media initialization message; confirming the identity of the remote endpoint by receiving confirmation that the remote endpoint knows a second private key corresponding to the second public key; and in response to confirming the identity, exchanging the real-time media with the remote endpoint. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A system comprising:
-
an authentication agent operable to; receive a media initialization message requesting a media session for the exchange of real-time media with a remote endpoint, the media initialization message asserting an identity and comprising a plurality of fields and a signature, the signature formed by encrypting a portion of the fields with a first private key associated with a trusted source other than the endpoint, the plurality of fields including at least one unsigned field not in the portion of the fields, the unsigned field indicating a source address of the remote endpoint; and verify the signature using a first public key corresponding to the first private key, the first public key associated with the trusted source, the verification of the signature confirming that the identity was authenticated by the trusted source; and a recipient endpoint operable to; receive a certificate including a second public key; verify that the certificate is consistent with data in the media initialization message; confirm the identity of the remote endpoint by receiving confirmation that the remote endpoint knows a second private key corresponding to the second public key; and in response to confirming the identity, exchange the real-time media with the remote endpoint. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. Logic encoded in one or more non-transitory tangible media for execution and when executed operable to:
-
receive a media initialization message requesting a media session for the exchange of real-time media with a remote endpoint, the media initialization message asserting an identity and comprising a plurality of fields and a signature, the signature formed by encrypting a portion of the fields with a first private key associated with a trusted source other than the endpoint, the plurality of fields including at least one unsigned field not in the portion of the fields, the unsigned field indicating a source address of the remote endpoint; verify the signature using a first public key corresponding to the first private key, the first public key associated with the trusted source, the verification of the signature confirming that the identity was authenticated by the trusted source; receive a certificate including a second public key; verify that the certificate is consistent with data in the media initialization message; confirm the identity of the remote endpoint by receiving confirmation that the remote endpoint knows a second private key corresponding to the second public key; and in response to confirming the identity, exchange the real-time media with the remote endpoint. - View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
-
-
24. A system comprising:
-
means for receiving a media initialization message requesting a media session for the exchange of real-time media with a remote endpoint, the media initialization message asserting an identity and comprising a plurality of fields and a signature, the signature formed by encrypting a portion of the fields with a first private key associated with a trusted source other than the endpoint, the plurality of fields including at least one unsigned field not in the portion of the fields, the unsigned field indicating a source address of the remote endpoint; means for verifying the signature using a first public key corresponding to the first private key, the first public key associated with the trusted source, the verification of the signature confirming that the identity was authenticated by the trusted source; means for receiving a certificate including a second public key; means for verifying that the certificate is consistent with data in the media initialization message; means for confirming the identity of the remote endpoint by receiving confirmation that the remote endpoint knows a second private key corresponding to the second public key; and means for, in response to confirming the identity, exchanging the real-time media with the remote endpoint.
-
Specification