Verifying cryptographic identity during media session initialization

US 8,200,959 B2
Filed: 06/28/2007
Issued: 06/12/2012
Est. Priority Date: 06/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, through a network interface of an authentication agent, a media initialization message requesting a media session for the exchange of real-time media with a remote endpoint, the media initialization message asserting an identity and comprising a plurality of fields and a signature, the signature formed by encrypting a portion of the fields with a first private key associated with a trusted source other than the endpoint, the plurality of fields including at least one unsigned field not in the portion of the fields, the unsigned field indicating a source address of the remote endpoint;

verifying the signature using a first public key corresponding to the first private key, the first public key associated with the trusted source, the verification of the signature confirming that the identity was authenticated by the trusted source;

receiving a certificate including a second public key;

verifying that the certificate is consistent with data in the media initialization message;

confirming the identity of the remote endpoint by receiving confirmation that the remote endpoint knows a second private key corresponding to the second public key; and

in response to confirming the identity, exchanging the real-time media with the remote endpoint.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication agent may cryptographically identify a remote endpoint that sent a media initialization message even though intermediate devices may modify certain fields in the message after a signature is inserted. The originating endpoint'"'"'s agent may create the signature over some fields of the message using an enterprise network'"'"'s private key. The agent may insert the signature into the message and send the message to a recipient endpoint'"'"'s authentication agent. The recipient agent may verify the signature, receive a certificate including a second public key, and challenge the identity of the originating endpoint in order to confirm that identity. This challenge may request a confirmation that the originating endpoint knows the private key corresponding to the second public key and may occur while running encrypted media at the endpoints. After the originating endpoint is authenticated, the endpoints may exchange encrypted and/or unencrypted media.

Citations

24 Claims

1. A method comprising:
- receiving, through a network interface of an authentication agent, a media initialization message requesting a media session for the exchange of real-time media with a remote endpoint, the media initialization message asserting an identity and comprising a plurality of fields and a signature, the signature formed by encrypting a portion of the fields with a first private key associated with a trusted source other than the endpoint, the plurality of fields including at least one unsigned field not in the portion of the fields, the unsigned field indicating a source address of the remote endpoint;
  
  verifying the signature using a first public key corresponding to the first private key, the first public key associated with the trusted source, the verification of the signature confirming that the identity was authenticated by the trusted source;
  
  receiving a certificate including a second public key;
  
  verifying that the certificate is consistent with data in the media initialization message;
  
  confirming the identity of the remote endpoint by receiving confirmation that the remote endpoint knows a second private key corresponding to the second public key; and
  
  in response to confirming the identity, exchanging the real-time media with the remote endpoint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein:
    - the trusted source is an enterprise network; and
      
      the identity comprises one of the following at the enterprise network;
      
      a user name, a phone number, or an enterprise-specific identifier.
  - 3. The method of claim 1, wherein the media initialization message is a session initiation protocol (SIP) invite message containing a session description protocol (SDP) body.
  - 4. The method of claim 3, wherein:
    - the portion of the fields comprise one or more of the following SIP fields;
      
      Contact, Date, Call-ID, CSeq, To, and From;
      
      the plurality of fields includes at least one unsigned field not in the portion of the fields, the unsigned field comprising the SDP body; and
      
      a session border controller modifies the unsigned field after the signature is inserted into the media initialization message.
  - 5. The method of claim 1, wherein verifying that the certificate is consistent with data in the media initialization message comprises:
    - identifying a fingerprint field in the media initialization message;
      
      performing a cryptographic hash of the certificate; and
      
      verifying that the cryptographic hash is equivalent to the fingerprint field.
  - 6. The method of claim 1, wherein confirming the identity of the remote endpoint comprises:
    - sending an encryption request to the remote endpoint, the encryption request specifying data and requesting that the remote endpoint encrypt the data with the second private key;
      
      receiving a response from the remote endpoint;
      
      decrypting the response with the second public key; and
      
      confirming that the decrypted response is equivalent to the data specified by the encryption request.
  - 7. The method of claim 1, further comprising establishing a media session between the remote endpoint and a recipient endpoint through signaling.
  - 8. The method of claim 7, wherein the identity is confirmed using one of the following protocols:
    - TLS, DTLS, ICE, and HIP.

9. A system comprising:
- an authentication agent operable to;
  
  receive a media initialization message requesting a media session for the exchange of real-time media with a remote endpoint, the media initialization message asserting an identity and comprising a plurality of fields and a signature, the signature formed by encrypting a portion of the fields with a first private key associated with a trusted source other than the endpoint, the plurality of fields including at least one unsigned field not in the portion of the fields, the unsigned field indicating a source address of the remote endpoint; and
  
  verify the signature using a first public key corresponding to the first private key, the first public key associated with the trusted source, the verification of the signature confirming that the identity was authenticated by the trusted source; and
  
  a recipient endpoint operable to;
  
  receive a certificate including a second public key;
  
  verify that the certificate is consistent with data in the media initialization message;
  
  confirm the identity of the remote endpoint by receiving confirmation that the remote endpoint knows a second private key corresponding to the second public key; and
  
  in response to confirming the identity, exchange the real-time media with the remote endpoint.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein:
    - the trusted source is an enterprise network; and
      
      the identity comprises one of the following at the enterprise network;
      
      a user name, a phone number, or an enterprise-specific identifier.
  - 11. The system of claim 9, wherein the media initialization message is a SIP invite message containing a SDP body.
  - 12. The system of claim 11, wherein:
    - the portion of the fields comprise one or more of the following SIP fields;
      
      Contact, Date, Call-ID, CSeq, To, and From;
      
      the plurality of fields includes at least one unsigned field not in the portion of the fields, the unsigned field comprising the SDP body; and
      
      a session border controller modifies the unsigned field after the signature is inserted into the media initialization message.
  - 13. The system of claim 9, wherein verifying that the certificate is consistent with data in the media initialization message comprises:
    - identifying a fingerprint field in the media initialization message;
      
      performing a cryptographic hash of the certificate; and
      
      verifying that the cryptographic hash is equivalent to the fingerprint field.
  - 14. The system of claim 9, wherein confirming the identity of the remote endpoint comprises:
    - sending an encryption request to the remote endpoint, the encryption request specifying data and requesting that the remote endpoint encrypt the data with the second private key;
      
      receiving a response from the remote endpoint;
      
      decrypting the response with the second public key; and
      
      confirming that the decrypted response is equivalent to the data specified by the encryption request.
  - 15. The system of claim 9, wherein the identity is confirmed using one of the following protocols:
    - TLS, DTLS, ICE, and HIP.

16. Logic encoded in one or more non-transitory tangible media for execution and when executed operable to:
- receive a media initialization message requesting a media session for the exchange of real-time media with a remote endpoint, the media initialization message asserting an identity and comprising a plurality of fields and a signature, the signature formed by encrypting a portion of the fields with a first private key associated with a trusted source other than the endpoint, the plurality of fields including at least one unsigned field not in the portion of the fields, the unsigned field indicating a source address of the remote endpoint;
  
  verify the signature using a first public key corresponding to the first private key, the first public key associated with the trusted source, the verification of the signature confirming that the identity was authenticated by the trusted source;
  
  receive a certificate including a second public key;
  
  verify that the certificate is consistent with data in the media initialization message;
  
  confirm the identity of the remote endpoint by receiving confirmation that the remote endpoint knows a second private key corresponding to the second public key; and
  
  in response to confirming the identity, exchange the real-time media with the remote endpoint.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The logic of claim 16, wherein:
    - the trusted source is an enterprise network; and
      
      the identity comprises one of the following at the enterprise network;
      
      a user name, a phone number, or an enterprise-specific identifier.
  - 18. The logic of claim 16, wherein the media initialization message is a SIP invite message containing a SDP body.
  - 19. The logic of claim 18, wherein:
    - the portion of the fields comprise one or more of the following SIP fields;
      
      Contact, Date, Call-ID, CSeq, To, and From;
      
      the plurality of fields includes at least one unsigned field not in the portion of the fields, the unsigned field comprising the SDP body; and
      
      a session border controller modifies the unsigned field after the signature is inserted into the media initialization message.
  - 20. The logic of claim 16, wherein verifying that the certificate is consistent with data in the media initialization message comprises:
    - identifying a fingerprint field in the media initialization message;
      
      performing a cryptographic hash of the certificate; and
      
      verifying that the cryptographic hash is equivalent to the fingerprint field.
  - 21. The logic of claim 16, wherein confirming the identity of the remote endpoint comprises:
    - sending an encryption request to the remote endpoint, the encryption request specifying data and requesting that the remote endpoint encrypt the data with the second private key;
      
      receiving a response from the remote endpoint;
      
      decrypting the response with the second public key; and
      
      confirming that the decrypted response is equivalent to the data specified by the encryption request.
  - 22. The logic of claim 16, further operable to establish a media session between the remote endpoint and a recipient endpoint through signaling.
  - 23. The logic of claim 22, wherein the identity is confirmed using one of the following protocols:
    - TLS, DTLS, ICE, and HIP.

24. A system comprising:
- means for receiving a media initialization message requesting a media session for the exchange of real-time media with a remote endpoint, the media initialization message asserting an identity and comprising a plurality of fields and a signature, the signature formed by encrypting a portion of the fields with a first private key associated with a trusted source other than the endpoint, the plurality of fields including at least one unsigned field not in the portion of the fields, the unsigned field indicating a source address of the remote endpoint;
  
  means for verifying the signature using a first public key corresponding to the first private key, the first public key associated with the trusted source, the verification of the signature confirming that the identity was authenticated by the trusted source;
  
  means for receiving a certificate including a second public key;
  
  means for verifying that the certificate is consistent with data in the media initialization message;
  
  means for confirming the identity of the remote endpoint by receiving confirmation that the remote endpoint knows a second private key corresponding to the second public key; and
  
  means for, in response to confirming the identity, exchanging the real-time media with the remote endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wing, Daniel G., Jennings, Cullen F.
Primary Examiner(s)
TRUONG, THANHNGA B

Application Number

US11/770,226
Publication Number

US 20090006844A1
Time in Patent Office

1,811 Days
Field of Search

713156-157, 713176-177, 713/180, 713/158, 709/204, 709/227, 455/41.1, 340/425.5, 340/438
US Class Current

713/156
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 63/126 the source of the received ...

Verifying cryptographic identity during media session initialization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Verifying cryptographic identity during media session initialization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links