Method and system for integrating security mechanisms into session initiation protocol request messages for client-proxy authentication
First Claim
1. A method for mutual authentication between a Session Initiation Protocol (“SIP”) client and a SIP proxy in connection with initiating a session through the SIP proxy, the method comprising:
sending from the SIP client to the SIP proxy a first invite request;
in response to the SIP proxy receiving the first invite request, sending to the SIP client a challenge that includes a SIP proxy security context;
in response to the SIP client receiving the challenge, obtaining from a domain controller of the SIP client a session key of the SIP proxy and a server ticket, the session key encrypted with a key of the SIP client, the server ticket encrypted with a long-term key of the SIP proxy and including authentication data of the SIP client;
decrypting the session key based on the key of the SIP client; and
sending to the SIP proxy a second invite request signed by the session key and that includes the server ticket and the SIP proxy security context;
in response to receiving at the SIP proxy the second invite request, decrypting the server ticket based on the long-term key of the SIP proxy;
when the authentication data of the SIP client in the server ticket indicates that the SIP client is authentic, the security context included in the second invite request matches the SIP proxy security context, and the second invite request is signed by the session key, sending to an intended server an invite request based on the second invite request;
upon receiving from the intended server a response to the invite request, signing the response with the session key; and
forwarding the signed response to the SIP client so that the SIP client authenticates the SIP proxy.
2 Assignments
0 Petitions
Abstract
A method and system is provided to integrate the Kerberos security mechanism into the message flow of the signaling operation under the Session Initiation Protocol to allow a SIP client and a SIP proxy to authenticate each other. When the SIP proxy receives a request message, such as an INVITE request, from the SIP client, it responds with a challenge message indicating that authentication based on Kerberos is required. In response, the SIP client sends a second request message with a proxy authorization header containing authentication data, including a Kerberos server ticket for the proxy, to allow the proxy to authenticate the client's user.
92 Citations
22 Claims
- 1. A method for mutual authentication between a Session Initiation Protocol (“SIP”) client and a SIP proxy in connection with initiating a session through the SIP proxy, the method comprising: sending from the SIP client to the SIP proxy a first invite request; in response to the SIP proxy receiving the first invite request, sending to the SIP client a challenge that includes a SIP proxy security context; in response to the SIP client receiving the challenge, obtaining from a domain controller of the SIP client a session key of the SIP proxy and a server ticket, the session key encrypted with a key of the SIP client, the server ticket encrypted with a long-term key of the SIP proxy and including authentication data of the SIP client; decrypting the session key based on the key of the SIP client; and sending to the SIP proxy a second invite request signed by the session key and that includes the server ticket and the SIP proxy security context; in response to receiving at the SIP proxy the second invite request, decrypting the server ticket based on the long-term key of the SIP proxy; when the authentication data of the SIP client in the server ticket indicates that the SIP client is authentic, the security context included in the second invite request matches the SIP proxy security context, and the second invite request is signed by the session key, sending to an intended server an invite request based on the second invite request; upon receiving from the intended server a response to the invite request, signing the response with the session key; and forwarding the signed response to the SIP client so that the SIP client authenticates the SIP proxy. - View Dependent Claims (2, 3, 4, 5)
- 6. A computer-readable medium embedded with instructions for controlling a computer system to provide mutual authentication between a Session Initiation Protocol (“SIP”) client and a SIP proxy in connection with initiating a session through the SIP proxy, by a method comprising: receiving from the SIP client a first invite request; providing to an intermediary computer a session key; in response to receiving the first invite request, sending to the SIP client a challenge that includes a SIP proxy security context; receiving at the SIP proxy a second invite request signed by a session key that includes an encrypted server ticket and a security context, the server ticket including authentication data; decrypting the server ticket based on a long-term key of the SIP proxy; when the authentication data in the server ticket indicates that the SIP client is authentic, the security context included in the second invite request matches the SIP proxy security context, and the second invite request is signed by the session key, sending to an intended server an invite request; and upon receiving from the intended server a response to the invite request, signing the response with the session key and forwarding the signed response to the SIP client so that the SIP client authenticates the SIP proxy. - View Dependent Claims (7, 8, 9, 10)
- 11. A computer-readable medium embedded with instructions for controlling a computer system to provide mutual authentication between a Session Initiation Protocol (“SIP”) client and a SIP proxy in connection with initiating a session through the SIP proxy, by a method comprising: sending to the SIP proxy a first invite request; receiving from the SIP proxy a challenge that includes a SIP proxy security context; in response to the SIP client receiving the challenge, obtaining from an intermediary computer of the SIP client a session key of the SIP proxy and a server ticket, the server ticket encrypted with a long-term key of the SIP proxy and including authentication data of the SIP client so that the SIP proxy can authenticate the SIP client; and sending to the SIP proxy a second invite request signed by the session key and that includes the server ticket and the SIP proxy security context; receiving from the SIP proxy a response to the second invite request; and verifying that the response was signed by the session key to authenticate the SIP proxy. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- 19. A method for mutual authentication between a Session Initiation Protocol (“SIP”) client and a SIP proxy in connection with initiating a session through the SIP proxy, the method comprising: sending from the SIP client to the SIP proxy a first invite request; upon receiving at the SIP proxy the first invite request, sending to the SIP client a challenge that includes a SIP proxy security context; upon receiving at the SIP client the challenge, sending to the SIP proxy a second invite request signed by a session key provided by the SIP proxy via an intermediary computer and that includes a server ticket and the SIP proxy security context, the server ticket including authentication data of the SIP client; upon receiving at the SIP proxy the second invite request, when the authentication data of the SIP client in the server ticket indicates that the SIP client is authentic, the security context included in the second invite request matches the SIP proxy security context, and the second invite request is signed by the session key, sending to an intended server an invite request based on the second invite request; and upon receiving from the intended server a response to the invite request, signing the response with the session key and forwarding the signed response to the SIP client; and upon receiving at the SIP client the response, verifying that the response is signed with the session key to authenticate the SIP proxy. - View Dependent Claims (20, 21, 22)
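The challenge, ticket and signed-INVITE exchange described in the abstract and claims, as an added Python model that is not part of the patent or any product: the domain controller, proxy, principal names, messages and keys are assumptions, Kerberos encryption is stood in for by a toy SHA-256 keystream, and "signed by the session key" is modelled as HMAC-SHA256. The model also shows the two rejection paths the claims imply (a security context the proxy never issued, and authentication data the proxy does not accept).

```python
import hashlib, hmac, json, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 keystream cipher standing in for Kerberos encryption (illustration only)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, obj: dict) -> bytes:        # encrypt a JSON object under a symmetric key
    nonce = os.urandom(12)
    return nonce + _xor_stream(key, nonce, json.dumps(obj).encode())
def unseal(key: bytes, blob: bytes) -> dict:
    return json.loads(_xor_stream(key, blob[:12], blob[12:]))
def sign(key: bytes, msg: str) -> str:           # "signed by the session key" modelled as HMAC-SHA256
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class DomainController:                           # assumed KDC of the client; holds both long-term keys
    def __init__(self, client_key: bytes, proxy_key: bytes):
        self.client_key, self.proxy_key = client_key, proxy_key
    def ticket_for(self, principal: str):
        sk = os.urandom(32).hex()                 # fresh session key shared by client and proxy
        return (seal(self.client_key, {"session_key": sk}),                        # client-readable copy
                seal(self.proxy_key, {"principal": principal, "session_key": sk}))  # server ticket

class SipProxy:
    def __init__(self, long_term_key: bytes, allowed: set):
        self.key, self.allowed, self.contexts = long_term_key, allowed, set()
    def invite(self, msg: str, auth=None) -> dict:
        if auth is None:                          # first INVITE: challenge carrying a security context
            ctx = os.urandom(8).hex()
            self.contexts.add(ctx)
            return {"status": 407, "context": ctx}
        ticket = unseal(self.key, auth["ticket"])                 # decrypt with the proxy's long-term key
        sk = bytes.fromhex(ticket["session_key"])
        if (ticket["principal"] not in self.allowed               # authentication data must be acceptable
                or auth["context"] not in self.contexts           # context must be one we issued
                or not hmac.compare_digest(auth["sig"], sign(sk, msg + auth["context"]))):
            return {"status": 403}
        self.contexts.discard(auth["context"])                    # single use: a replayed INVITE is refused
        reply = "SIP/2.0 200 OK"                                  # stand-in for the intended server's answer
        return {"status": 200, "body": reply, "sig": sign(sk, reply)}  # signed so the client can verify us

def run_flow(client_key: bytes, dc: DomainController, proxy: SipProxy, principal: str, tamper=False):
    msg = "INVITE sip:bob@example.com SIP/2.0"   # constructed sample request line
    challenge = proxy.invite(msg)
    enc_sk, ticket = dc.ticket_for(principal)
    sk = bytes.fromhex(unseal(client_key, enc_sk)["session_key"])
    ctx = "00" * 8 if tamper else challenge["context"]          # tamper: a context the proxy never issued
    resp = proxy.invite(msg, {"ticket": ticket, "context": ctx, "sig": sign(sk, msg + ctx)})
    proxy_ok = resp["status"] == 200 and hmac.compare_digest(resp["sig"], sign(sk, resp["body"]))
    return resp["status"], proxy_ok               # (proxy's verdict on the client, client's verdict on the proxy)
```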
Specification