Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication

US 7,243,370 B2
Filed: 05/17/2002
Issued: 07/10/2007
Est. Priority Date: 06/14/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for mutual authentication between a Session Initiation Protocol (“

SIP”

) client and a SIP proxy in connection with initiating a session through the SIP proxy, the method comprising;

sending from the SIP client to the SIP proxy a first invite request;

in response to the SIP proxy receiving the first invite request, sending to the SIP client a challenge that includes a SIP proxy security context;

in response to the SIP client receiving the challenge,obtaining from a domain controller of the SIP client a session key of the SIP proxy and a server ticket, the session key encrypted with a key of the SIP client, the server ticket encrypted with a long-term key of the SIP proxy and including authentication data of the SIP client;

decrypting the session key based the key of the SIP client; and

sending to the SIP proxy a second invite request signed by the session key and that includes the server ticket and the SIP proxy security context;

in response to receiving at the SIP proxy the second invite request,decrypting the server ticket based on the long-term key of the SIP proxy;

when the authentication data of the SIP client in the server ticket indicates that the SIP client is authentic, the security context included in the second invite request matches the SIP proxy security context, and the second invite request is signed by the session key, sending to an intended server an invite request based on the second invite request;

upon receiving from the intended server a response to the invite request, signing the response with the session key; and

forwarding the signed response to the SIP client so that SIP client authenticates the SIP proxy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is provided to integrate the Kerberos security mechanism into the message flow of the signaling operation under the Session Initiation Protocol to allow a SIP client and a SIP proxy to authenticate each other. When the SIP proxy receives an request message, such an INVITE request, from the SIP client, it responds with a challenge message indicating that authentication based on Kerberos is required. In response, the SIP client sends a second request message with a proxy authorization header containing authentication data, including a Kerberos server ticket for the Proxy, to allow the proxy to authenticate the client'"'"'s user.

92 Citations

View as Search Results

22 Claims

1. A method for mutual authentication between a Session Initiation Protocol (“
- SIP”
  
  ) client and a SIP proxy in connection with initiating a session through the SIP proxy, the method comprising;
  
  sending from the SIP client to the SIP proxy a first invite request;
  
  in response to the SIP proxy receiving the first invite request, sending to the SIP client a challenge that includes a SIP proxy security context;
  
  in response to the SIP client receiving the challenge,obtaining from a domain controller of the SIP client a session key of the SIP proxy and a server ticket, the session key encrypted with a key of the SIP client, the server ticket encrypted with a long-term key of the SIP proxy and including authentication data of the SIP client;
  
  decrypting the session key based the key of the SIP client; and
  
  sending to the SIP proxy a second invite request signed by the session key and that includes the server ticket and the SIP proxy security context;
  
  in response to receiving at the SIP proxy the second invite request,decrypting the server ticket based on the long-term key of the SIP proxy;
  
  when the authentication data of the SIP client in the server ticket indicates that the SIP client is authentic, the security context included in the second invite request matches the SIP proxy security context, and the second invite request is signed by the session key, sending to an intended server an invite request based on the second invite request;
  
  upon receiving from the intended server a response to the invite request, signing the response with the session key; and
  
  forwarding the signed response to the SIP client so that SIP client authenticates the SIP proxy.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the SIP proxy creates the session key.
  - 3. The method of claim 2 wherein the SIP proxy provides the session key to its domain controller, which provides the session key to the domain controller of the SIP client.
  - 4. The method of claim 1 wherein the server ticket includes the session key.
  - 5. The method of claim 1 wherein upon receiving at the SIP client the signed response, confirming that the response is signed with the session key.

6. A computer-readable medium embedded with instructions for controlling a computer system to provide mutual authentication between a Session Initiation Protocol (“
- SIP”
  
  ) client and a SIP proxy in connection with initiating a session through the SIP proxy, by a method comprising;
  
  receiving from the SIP client a first invite request;
  
  providing to an intermediary computer a session key;
  
  in response receiving the first invite request, sending to the SIP client a challenge that includes a SIP proxy security context;
  
  receiving at the SIP proxy a second invite request signed by a session key that includes an encrypted server ticket and a security context, the server ticket including authentication data;
  
  decrypting the server ticket based on a long-term key of the SIP proxy;
  
  when the authentication data in the server ticket indicates that the SIP client is authentic, the security context included in the second invite request matches the SIP proxy security context, and the second invite request is signed by the session key, sending to an intended server an invite request; and
  
  upon receiving from the intended server a response to the invite request, signing the response with the session key and forwarding the signed response to the SIP client so that SIP client authenticates the SIP proxy.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-readable medium of claim 6 wherein the server ticket includes the session key.
  - 8. The computer-readable medium of claim 6 wherein the intermediary computer provides the session key to the SIP client.
  - 9. The computer-readable medium of claim 6 wherein the intermediary computer is a domain controller of the SIP proxy and the domain controller of the SIP proxy provides the session key to a domain controller of the SIP client.
  - 10. The computer-readable medium of claim 6 wherein the SIP client in response to receiving the challenge,obtains from the intermediary computer the session key of the SIP proxy and the server ticket, the session key encrypted with a key of the SIP client, the server ticket encrypted with the long-term key of the SIP proxy and including authentication data of the SIP client;
    - decrypts the session key based the key of the SIP client; and
      
      sends to the SIP proxy the second invite request signed by the session key and that includes the server ticket and the SIP proxy security context.

11. A computer-readable medium embedded with instructions for controlling a computer system to provide mutual authentication between a Session Initiation Protocol (“
- SIP”
  
  ) client and a SIP proxy in connection with initiating a session through the SIP proxy, by a method comprising;
  
  sending to the SIP proxy a first invite request;
  
  receiving from the SIP proxy a challenge that includes a SIP proxy security context;
  
  in response to the SIP client receiving the challenge,obtaining from an intermediary computer of the SIP client a session key of the SIP proxy and a server ticket, the server ticket encrypted with a long-term key of the SIP proxy and including authentication data of the SIP client so that the SIP proxy can authenticate the SIP client; and
  
  sending to the SIP proxy a second invite request signed by the session key and that includes the server ticket and the SIP proxy security context;
  
  receiving from the SIP proxy a response to the second invite request; and
  
  verifying that the response was signed by the session key to authenticate the SIP proxy.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computer-readable medium of claim 11 wherein the server ticket includes the session key.
  - 13. The computer-readable medium of claim 11 wherein the intermediary computer of the SIP client obtains the session key from an intermediary computer of the SIP proxy.
  - 14. The computer-readable medium of claim 13 wherein the intermediary computers are domain controllers.
  - 15. The computer-readable medium of claim 11 wherein the SIP client and the SIP proxy are in different domains.
  - 16. The computer-readable medium of claim 11 wherein the SIP proxy authenticates the SIP client based on the authentication data of the server ticket.
  - 17. The computer-readable medium of claim 11 wherein the SIP proxy upon receiving the second invite request,decrypts the server ticket based on a long-term key of the SIP proxy;
    - when the authentication data in the server ticket indicates that the SIP client is authentic, the security context included in the signed invite request matches the SIP proxy security context, and the second invite request is signed by the session key, sends to an intended server an invite request;
      
      upon receiving from the intended server a response to the invite request, signs the response with the session key and forwards the signed response to the SIP client so that SIP client authenticates the SIP proxy.
  - 18. The computer-readable medium of claim 15 wherein the SIP proxy receives from the SIP client the first invite request, provides to the intermediary computer the session key, and sends to the SIP client a challenge that includes the SIP proxy security context.

19. A method for mutual authentication between a Session Initiation Protocol (“
- SIP”
  
  ) client and a SIP proxy in connection with initiating a session through the SIP proxy, the method comprising;
  
  sending from the SIP client to the SIP proxy a first invite request;
  
  upon receiving at the SIP proxy the first invite request, sending to the SIP client a challenge that includes a SIP proxy security context;
  
  upon receiving at the SIP client the challenge, sending to the SIP proxy a second invite request signed by a session key provided by the SIP proxy via an intermediary computer and that includes a server ticket and the SIP proxy security context, the server ticket including authentication data of the SIP client;
  
  upon receiving at the SIP proxy the second invite request,when the authenticate data of the SIP client in the server ticket indicates that the SIP client is authentic, the security context included in the second invite request matches the SIP proxy security context, and the second invite request is signed by the session key, sending to an intended server an invite request based on the second invite request; and
  
  upon receiving from the intended server a response to the invite request, signing the response with the session key and forwarding the signed response to the SIP client; and
  
  upon receiving at SIP client the response, verifying that the response is signed with the session key to authenticate the SIP proxy.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19 wherein the SIP client encrypts the server ticket with a long-term key of the SIP proxy and the SIP proxy decrypts the server ticket based on the long-term key of the SIP proxy.
  - 21. The method of claim 19 wherein the SIP proxy provides the session key to the intermediary computer.
  - 22. The method of claim 19 wherein when the SIP proxy and SIP client are in different domains, the SIP proxy provides the session key to an intermediary computer of the domain of the SIP proxy which provides the session key to an intermediary computer of the domain of the SIP client which provides the session key to the SIP client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bobde, Nikhil P., Han, Mu, Demirtjis, Ann
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Wyszynski; Aubrey H.

Application Number

US10/151,747
Publication Number

US 20030005280A1
Time in Patent Office

1,880 Days
Field of Search

726/10, 726/12, 726/4, 726/5, 726/11, 726/14
US Class Current

726/10
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0869   for achieving mutual authen...

H04L 63/123   received data contents, e.g...

H04L 63/205   involving negotiation or de...

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links