Methods of providing an integrated and mutual authentication in a communication network

US 8,661,253 B2
Filed: 07/18/2011
Issued: 02/25/2014
Est. Priority Date: 07/18/2011
Status: Active Grant

First Claim

Patent Images

1. A method for providing an integrated and mutual authentication in a communication network, the method comprising:

at a Session Initiation Protocol (SIP) client;

transmitting a service ticket request to a key distribution center in response to a provision of a user'"'"'s security credentials to authenticate to the key distribution center;

responsive to the transmitting, receiving a session key encrypted with a Ticket Granting Ticket (TGT) session key shared between a SIP client and a Kerberos authentication server, and receiving a service ticket encrypted with a SIP service key shared between a SIP server and the Kerberos authentication server, wherein the service ticket includes the session key;

decrypting the session key encrypted with the TGT session key shared between the SIP client and the Kerberos authentication server;

transmitting the service ticket to the SIP server;

utilizing the session key for mutual digest authentication with the SIP server, upon the service ticket being decrypted by the SIP server using the SIP service key shared between the SIP server and the Kerberos authentication server,conveying an authorization header, comprising a challenge value, to the SIP server;

in response to conveying the authorization header, receiving a responsive authorization header, comprising a new challenge value, from the SIP server;

storing a portion of the received authorization header; and

pre-emptively sending a new authorization header, based on the stored portion of the received authorization header, to the SIP server without first receiving another new challenge value from the SIP server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A service ticket request is transmitted to a key distribution center in response to providing the security credential. In response to the transmitting, a session key encrypted with a TGT session key shared between a SIP client and a Kerberos authentication server, and a service ticket encrypted with a SIP service key shared between a SIP server and the Kerberos authentication server are received. The service ticket includes the session key. The session key, encrypted with the SIP session key shared between the SIP client and the Kerberos authentication server, is decrypted by the SIP client. The service ticket is transmitted to a SIP server. The SIP server decrypts the service ticket using the SIP service key shared between the SIP server and the Kerberos authentication server and stores the session key. The session key is utilized for mutual digest authentication between the SIP client and the SIP server.

11 Citations

View as Search Results

20 Claims

1. A method for providing an integrated and mutual authentication in a communication network, the method comprising:
- at a Session Initiation Protocol (SIP) client;
  
  transmitting a service ticket request to a key distribution center in response to a provision of a user'"'"'s security credentials to authenticate to the key distribution center;
  
  responsive to the transmitting, receiving a session key encrypted with a Ticket Granting Ticket (TGT) session key shared between a SIP client and a Kerberos authentication server, and receiving a service ticket encrypted with a SIP service key shared between a SIP server and the Kerberos authentication server, wherein the service ticket includes the session key;
  
  decrypting the session key encrypted with the TGT session key shared between the SIP client and the Kerberos authentication server;
  
  transmitting the service ticket to the SIP server;
  
  utilizing the session key for mutual digest authentication with the SIP server, upon the service ticket being decrypted by the SIP server using the SIP service key shared between the SIP server and the Kerberos authentication server,conveying an authorization header, comprising a challenge value, to the SIP server;
  
  in response to conveying the authorization header, receiving a responsive authorization header, comprising a new challenge value, from the SIP server;
  
  storing a portion of the received authorization header; and
  
  pre-emptively sending a new authorization header, based on the stored portion of the received authorization header, to the SIP server without first receiving another new challenge value from the SIP server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising:
    - utilizing the session key to calculate a digest authentication header, wherein the digest authentication header is included in each message transmitted between the SIP client and the SIP server.
  - 3. The method of claim 2 further comprising, upon registration with the SIP server, preemptively transmitting the digest authorization header to the SIP server prior to receipt of a challenge from the SIP server.
  - 4. The method of claim 1 wherein providing the security credential to authenticate to the key distribution center further includes authenticating to an active directory.
  - 5. The method of claim 1 wherein transmitting the service ticket to the SIP server further includes transmitting a subscribe message to the SIP server, wherein the subscribe message includes the service ticket.
  - 6. The method of claim 1 wherein conveying an authorization header to the SIP server comprises receiving a challenge from the SIP server and, in response, conveying the authorization header to the SIP server.
  - 7. The method of claim 6 wherein the receiving the challenge from the SIP server further includes receiving a SIP 401 message from the SIP server, wherein the SIP 401 message includes a digest authentication header.
  - 8. The method of claim 6 wherein conveying the authorization header comprises transmitting a subscribe message to the SIP server, wherein the subscribe message includes a digest authorization header, and wherein the digest authorization header includes a hash value derived in part from a SIP client-generated nonce value.
  - 9. The method of claim 1 wherein receiving the responsive authorization header comprises receiving a SIP 200 message from the SIP server, wherein the SIP 200 message includes a digest Authentication-Info header, and wherein the digest authorization header includes a hash value derived in part from a SIP server-generated next-nonce value.
  - 10. The method of claim 9 wherein storing a portion of the received authorization header comprises:
    - responsive to the receiving the SIP 200 message from the SIP server, verifying the digest Authentication-Info header; and
      
      storing the SIP server-generated next-nonce value.
  - 11. The method of claim 9 wherein sending a new authorization header comprises transmitting an invite message to the SIP server, wherein the invite message includes the digest authorization header, and wherein the digest authorization header includes the hash value derived in part from a SIP client-generated nonce value, the SIP server-generated next-nonce value, and the session key.
  - 12. The method of claim 11 further comprising, responsive to transmitting the invite message, receiving the SIP 200 message from the SIP server, wherein the SIP 200 message includes the digest Authentication-Info header, and wherein the digest Authentication-Info header includes the hash value derived in part from the SIP client-generated nonce value, the SIP server-generated nonce value, and the session key, and wherein the SIP 200 message passes the SIP server-generated next-nonce value to the SIP client.
  - 13. The method of claim 12 further comprising:
    - responsive to receiving the SIP 200 message from the SIP server, verifying the digest Authentication-Info header; and
      
      transmitting an acknowledgement (ACK) message to the SIP server, wherein the ACK message includes the digest authorization header, and wherein the digest authorization header of the ACK message includes the hash value derived in part from the same SIP client-generated and SIP server-generated nonce values that are used to derive the hash value included in the digest authorization header of the invite message.

14. A method for providing an integrated and mutual authentication in a communication network, the method comprising:
- at a SIP server;
  
  receiving a service ticket from a SIP client, wherein the service ticket is encrypted with a SIP service key shared between the SIP server and a Kerberos authentication server by a key distribution center in response to a security credential received by the key distribution center from the SIP client, and wherein the service ticket includes a session key;
  
  decrypting the service ticket using the SIP service key shared between the SIP server and the Kerberos authentication server;
  
  storing the session key;
  
  utilizing the session key for mutual digest authentication between the SIP client and the SIP server;
  
  receiving an authorization header, comprising a challenge value, from the SIP client;
  
  storing the challenge value;
  
  conveying a responsive authorization header, comprising a new challenge value, to the SIP client; and
  
  receiving a new authorization header, based on a portion of the conveyed authorization header, from the SIP client without first conveying another new challenge value to the SIP client.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14 further comprising transmitting a SIP 401 message to the SIP client, wherein the SIP 401 message includes a digest authentication header.
  - 16. The method of claim 14 wherein receiving an authorization header, comprising a challenge value, from the SIP client comprises receiving a subscribe message from the SIP client, wherein the subscribe message includes a digest authorization header that includes a hash value derived in part from a SIP client-generated nonce value.
  - 17. The method of claim 16 further comprising responsive to receiving the subscribe message from the SIP client, verifying the digest authorization header included within the subscribe message.
  - 18. The method of claim 16 further comprising:
    - generating a SIP server-generated next-nonce value; and
      
      wherein storing the challenge value comprises storing the SIP client-generated nonce value and wherein conveying a responsive authorization header comprises transmitting a SIP 200 message to the SIP client, wherein the SIP 200 message includes the digest Authentication-Info header, and wherein the digest authorization header includes the hash value derived in part from a SIP client-generated nonce value, the SIP server-generated nonce value, and the session key, and wherein the SIP 200 message passes the SIP server-generated next-nonce value to the SIP client.
  - 19. The method of claim 14 further comprising:
    - receiving an invite message from the SIP client, wherein the invite message includes a digest authorization header;
      
      responsive to receiving the invite message, verifying the digest authorization header included within the invite message; and
      
      generating a SIP server-generated next-nonce value.
  - 20. The method of claim 19 further comprising:
    - transmitting a SIP 200 message to the SIP client, wherein the SIP 200 message includes the digest Authentication-Info header, and wherein the digest authorization header includes the hash value derived in part from a SIP client-generated nonce value, the SIP server-generated nonce value, and the session key, and wherein the SIP 200 message passes the SIP server-generated next-nonce value to the SIP client; and
      
      receiving an acknowledgement (ACK) message from the SIP client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Motorola Solutions, Inc.
Original Assignee
Motorola Solutions, Inc.
Inventors
Nowakowski, James M., Wen, Shaokai
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US13/184,990
Publication Number

US 20130024688A1
Time in Patent Office

953 Days
Field of Search

713/168, 713/169, 380/278, 726/2, 726/5, 726/10
US Class Current

713/168
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0869   for achieving mutual authen...

H04L 65/1104   Session initiation protocol...

Methods of providing an integrated and mutual authentication in a communication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods of providing an integrated and mutual authentication in a communication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links