End-to end protection of media stream encryption keys for...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique

Document type: Reexamination Certificate (active)

Patent number: 06792534

Classification: C713S156000, C380S259000, C380S277000

ABSTRACT:

BACKGROUND OF THE INVENTION
The present invention relates in general to secure data transmission and more specifically to secure data transmission in end-to-end communication systems that use call signaling to exchange keys using intermediary transfers.
Secure communication of digital information is very important in many of today's systems. For example, in a typical voice-over-Internet-Protocol (“voice-over-IP,” or “VoIP”) system a Call Management Server (CMS) is operated by a VoIP service provider. The CMS interfaces with a user of a digital telephone and with another CMS at a remote location that, in turn, interfaces with another user of a digital telephone (or Multimedia Terminal Adapter (MTA)). Such a system allows the users to speak with each other over a large network such as the Internet.
Naturally, users would like their conversations (and other data exchanges) to be secure. However, it is difficult to maintain a high level of security over a large, amorphous network, such as the Internet, where information may pass through many servers, switches, routers, hubs, and other intermediary devices before arriving at its intended destination. One approach to maintaining security is to have the two CMSs exchange “media stream keys” to be used during a phone call. Several approaches to exchanging such keys exist in the prior art. For example, PacketCable call signaling protocols can be used. However, these approaches still require a transfer of keying material from a first CMS to a second CMS, followed by a subsequent transfer of keying material from the second CMS back to the first CMS. When keys (or other data) are exchanged in this manner, the keys are exposed to the intermediary devices twice. Since each intermediary device is a potential security threat to the data it forwards, it is desirable to minimize the exposure of the keys to the intermediary devices.
In a system using a PacketCable approach, the call signaling protocol between two telephones, or VoIP terminals or MTAs, is called Network-Based Call Signaling (NCS). Each call signaling interface between an MTA and a CMS is secured at the network layer. In the case that each of the MTAs participating in a VoIP connection is controlled by a separate CMS, the CMS to CMS signaling protocol is based on Session Initiation Protocol (SIP). SIP, and other standards, are used to define exchange and management of keys, such as session keys and media stream keys. Also, authentication information and other related data may be transferred to initiate a session. This material is referred to collectively as “keying material.”
SUMMARY OF THE INVENTION
The present invention reduces the exposure of keying material to intermediary devices in a communication channel between first and second servers. In one embodiment, a second server receives a first half of media stream keys from a first server. The second server uses a Kerberos-based Application Request and tickets to communicate the second half of the media stream keys to the first server. Using this approach, the exposure of the media stream keys is reduced to only the first and second servers.
In one embodiment the invention provides a method for exchanging keys between first and second servers, wherein the communication path between the first and second servers includes one or more intermediary transfer devices. The method comprises receiving, at the second server, a portion of the media stream keys to be used in a subsequent data transmission; using a security mechanism to protect the additional portions of the media stream keys to be used in that transmission; and transferring the protected additional portions of the media stream keys to the first server via the one or more intermediary transfer devices.
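The following Python program is an added illustration of the two-leg exchange the summary describes; it is not code from the patent, from PacketCable, or from any Kerberos implementation. The names CMS_A, CMS_B, the KDC and Intermediary classes, and the small HMAC-SHA256 encrypt-then-MAC cipher (a stand-in for Kerberos encryption types) are all constructed here. The first half of the media stream key rides in the CMS-to-CMS call-signaling message; the second half is returned inside a Kerberos-style Application Request, where the ticket is encrypted under CMS_A's long-term key and the authenticator (carrying the second half) under the ticket's session key. An intermediary that forwards both messages records everything it sees, so the program can check what such a device could learn, and it also shows that a modified AP_REQ is rejected before any key material is accepted.

```python
import hashlib, hmac, json, secrets, struct, time


def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (HMAC-SHA256 keystream + HMAC tag). Stands in for a Kerberos enctype."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(_derive(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then release plaintext. Raises ValueError on any modification."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ s for c, s in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))


class KDC:
    """Constructed stand-in for a Kerberos KDC: holds each CMS's long-term key and issues tickets."""
    def __init__(self):
        self.keys = {}

    def register(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def ticket_for(self, client: str, server: str):
        session_key = secrets.token_bytes(32)
        body = {"client": client, "session_key": session_key.hex(), "expires": time.time() + 300}
        # Real Kerberos also returns session_key to the client under the client's own key; elided here.
        return session_key, encrypt(self.keys[server], json.dumps(body).encode())


class Intermediary:
    """Models the transfer devices on the CMS-to-CMS path: it forwards messages and keeps a copy of each."""
    def __init__(self):
        self.seen = []

    def forward(self, msg: bytes) -> bytes:
        self.seen.append(msg)
        return msg


def media_key(half_a: bytes, half_b: bytes) -> bytes:
    """Both halves are needed to derive the media stream key (constructed KDF label)."""
    return _derive(half_a + half_b, b"media-stream-key")


def run_exchange(tamper: bool = False) -> dict:
    kdc, hop = KDC(), Intermediary()
    key_cms_a = kdc.register("CMS_A")
    kdc.register("CMS_B")

    # Leg 1: CMS_A -> CMS_B. The first half of the key travels in the call-signaling message
    # (how that leg itself is protected is outside this model).
    half_a = secrets.token_bytes(16)
    signaling = hop.forward(json.dumps({"invite": "sip:bob@example.net", "half_a": half_a.hex()}).encode())
    half_a_at_b = bytes.fromhex(json.loads(signaling)["half_a"])

    # Leg 2: CMS_B -> CMS_A. The second half rides inside a Kerberos-style AP_REQ:
    # ticket encrypted under CMS_A's key, authenticator encrypted under the ticket's session key.
    half_b = secrets.token_bytes(16)
    session_key, ticket = kdc.ticket_for("CMS_B", "CMS_A")
    auth_body = {"client": "CMS_B", "ctime": time.time(), "half_b": half_b.hex()}
    authenticator = bytearray(encrypt(session_key, json.dumps(auth_body).encode()))
    if tamper:
        authenticator[20] ^= 1  # an intermediary flips one ciphertext byte in transit
    ap_req = hop.forward(json.dumps({"ticket": ticket.hex(), "authenticator": bytes(authenticator).hex()}).encode())

    # CMS_A processes the AP_REQ: decrypt the ticket, check its lifetime, then the authenticator.
    req = json.loads(ap_req)
    tkt = json.loads(decrypt(key_cms_a, bytes.fromhex(req["ticket"])))
    if tkt["expires"] < time.time():
        raise ValueError("ticket expired")
    auth = json.loads(decrypt(bytes.fromhex(tkt["session_key"]), bytes.fromhex(req["authenticator"])))
    if auth["client"] != tkt["client"] or abs(time.time() - auth["ctime"]) > 300:
        raise ValueError("authenticator rejected")
    half_b_at_a = bytes.fromhex(auth["half_b"])

    return {"key_at_a": media_key(half_a, half_b_at_a), "key_at_b": media_key(half_a_at_b, half_b),
            "half_b": half_b, "captured": hop.seen}


def intermediary_learns(captured: list, secret: bytes) -> bool:
    """True if the secret appears verbatim in anything the intermediary forwarded."""
    return any(secret.hex().encode() in m for m in captured)


def tampered_ap_req_rejected() -> bool:
    try:
        run_exchange(tamper=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = run_exchange()
    print("both CMSs derived the same media key:", result["key_at_a"] == result["key_at_b"])
    print("intermediary learned second half:", intermediary_learns(result["captured"], result["half_b"]))
    print("tampered AP_REQ rejected:", tampered_ap_req_rejected())
```

The design point worth noting is that the second leg never puts the key half on the wire under a key any intermediary holds: the ticket is opaque to everyone but CMS_A, and the authenticator is opaque to everyone but the two CMSs, so a device that records both messages still cannot run `media_key` itself.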


REFERENCES:
patent: 4803725 (1989-02-01), Horne et al.
patent: 5115466 (1992-05-01), Presttun
patent: 5535276 (1996-07-01), Ganesan
patent: 6031913 (2000-02-01), Hassan et al.
patent: 6225888 (2001-05-01), Juopperi
patent: 6377690 (2002-04-01), Witschorik
Schneier, Applied Cryptography, 1996, John Wiley & Sons, Inc., second edition, pp. 566-569.
