Internet protocol telephony security architecture

US 8,544,077 B2
Filed: 06/23/2009
Issued: 09/24/2013
Est. Priority Date: 04/09/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A secure IP telephony system, the system comprising:

a Cable Telephony Adapter (CTA) coupled to an IP telephony network and comprising a public/private key pair and a public key certificate signed by a certificate authority;

a Key Distribution Center (KDC) coupled to the IP telephony network and configured to generate a ticket and session key to the CTA in response to a request from the CTA and distribute the session key to the CTA using public key encryption; and

a signaling controller coupled to the IP telephony network and configured to receive the ticket in a set up request from the CTA and generate and distribute a symmetric sub-key to the CTA in response to the set up request in a reply message, wherein both the call set up request and the reply message are encrypted using the session key,wherein the ticket includes an identity of the CTA, an identity of the signaling controller, and an expiration time.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure Internet Protocol (IP) telephony system, apparatus, and methods are disclosed. Communications over an IP telephony system can be secured by securing communications to and from a Cable Telephony Adapter (CTA). The system can include one or more CTAs, network servers, servers configured as signaling controllers, key distribution centers (KDC), and can include gateways that couple the IP telephony system to a Public Switched Telephone Network (PSTN). Each CTA can be configured as secure hardware and can be configured with multiple encryption keys that are used to communicate signaling or bearer channel communications. The KDC can be configured to periodically distribute symmetric encryption keys to secure communications between devices that have been provisioned to operate in the system and signaling controllers. The secure devices, such as the CTA, can communicate with other secure devices by establishing signaling and bearer channels that are encrypted with session specific symmetric keys derived from a symmetric key distributed by a signaling controller.

7 Citations

View as Search Results

18 Claims

1. A secure IP telephony system, the system comprising:
- a Cable Telephony Adapter (CTA) coupled to an IP telephony network and comprising a public/private key pair and a public key certificate signed by a certificate authority;
  
  a Key Distribution Center (KDC) coupled to the IP telephony network and configured to generate a ticket and session key to the CTA in response to a request from the CTA and distribute the session key to the CTA using public key encryption; and
  
  a signaling controller coupled to the IP telephony network and configured to receive the ticket in a set up request from the CTA and generate and distribute a symmetric sub-key to the CTA in response to the set up request in a reply message, wherein both the call set up request and the reply message are encrypted using the session key,wherein the ticket includes an identity of the CTA, an identity of the signaling controller, and an expiration time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein the CTA establishes a secure session with the signaling controller based on the sub-key.
  - 3. The system of claim 1, wherein the KDC is configured to distribute a Kerberos ticket to the CTA in a Kerberos exchange.
  - 4. The system of claim 1, wherein the signaling controller is further configured to generate an end to end sub-key and send it both to the CTA and to a destination device.
  - 5. The system of claim 4 wherein the CTA and the destination device derive at least one symmetric bearer traffic key from the end to end sub-key.
  - 6. The system of claim 4, wherein the destination device is associated with a remote signaling controller and wherein the signaling controller delivers the end to end sub-key to the destination device via the remote signaling controller.
  - 7. The system of claim 4 wherein the CTA and the destination device derive at least one symmetric signaling key from the end to end sub-key.
  - 8. The system of claim 7, wherein the at least one symmetric signaling key comprises:
    - an Hash-based Message Authentication Code (HMAC) key; and
      
      a Data Encryption Standard (DES) key.
  - 9. The system of claim 8, wherein the HMAC key comprises a 160-bit Secure Hash Algorithm (SHA-1) HMAC key.
  - 10. The system of claim 8, wherein the DES key comprises a 168-bit 3 DES key.
  - 11. The system of claim 7, wherein the at least one symmetric bearer traffic key comprises at least one 3 DES key.
  - 12. The system of claim 11, wherein the at least one 3 DES key comprises a first 168-bit 3-key 3 DES key for encrypting a transmit direction and a second, distinct 168-bit 3-key 3 DES key for encrypting a receive direction.
  - 13. The system of claim 1, wherein the signaling controller is further configured to distribute an end to end sub-key to a destination device.
  - 14. The system of claim 13, wherein the CTA is configured to communicate with the destination device using symmetric encryption keys derived from the end to end sub-key.
  - 15. The system of claim 13, wherein the CTA is configured to communicate bearer channel traffic with the destination device using RTP packets encrypted with a at least one symmetric key derived from the end to end sub-key.
  - 16. The system of claim 13, wherein the CTA is configured to communicate encrypted signaling messages with the destination device using an IPsec ESP session with at least one symmetric key derived from the end to end sub-key.
  - 17. The system of claim 13, wherein the destination device comprises a remote CTA coupled to the IP telephony network.
  - 18. The system of claim 13, wherein the destination device comprises a Plain Old Telephone Service (POTS) gateway coupled to the IP telephony network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Original Assignee
Motorola Mobility LLC (Lenovo Group Ltd.)
Inventors
Sprunk, Eric J., Moroney, Paul, Medvinsky, Alexander, Anderson, Steven E., Fellows, Jonathan A.
Primary Examiner(s)
Lipman, Jacob

Application Number

US12/490,124
Publication Number

US 20090323954A1
Time in Patent Office

1,554 Days
Field of Search

726/10, 380/266, 380/279, 380/259
US Class Current

726/10
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/606   by securing the transmissio...

G06F 2207/7219   Countermeasures against sid...

G06F 2211/008   Public Key, Asymmetric Key,...

G06F 2221/2129   Authenticate client device ...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/12   Applying verification of th...

H04L 65/1043   Gateway controllers, e.g. m...

H04L 65/1101   Session protocols

H04L 9/083   involving central third par...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3263   involving certificates, e.g...

Internet protocol telephony security architecture

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Internet protocol telephony security architecture

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links