[go: up one dir, main page]

WO1999062222A2 - Method for safe telephony with mobility in a tele and data communications system which includes an ip-network - Google Patents

Method for safe telephony with mobility in a tele and data communications system which includes an ip-network Download PDF

Info

Publication number
WO1999062222A2
WO1999062222A2 PCT/SE1999/000814 SE9900814W WO9962222A2 WO 1999062222 A2 WO1999062222 A2 WO 1999062222A2 SE 9900814 W SE9900814 W SE 9900814W WO 9962222 A2 WO9962222 A2 WO 9962222A2
Authority
WO
WIPO (PCT)
Prior art keywords
network
identity code
unit
mobility manager
initiating
Prior art date
Application number
PCT/SE1999/000814
Other languages
French (fr)
Other versions
WO1999062222A3 (en
Inventor
Per Gustavsson
Staffan Lundgren
Mattias Mårtensson
Eskil ÅHLIN
Original Assignee
Telia Ab (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telia Ab (Publ) filed Critical Telia Ab (Publ)
Priority to EP99929982A priority Critical patent/EP1082837A2/en
Priority to EEP200000701A priority patent/EE03893B1/en
Publication of WO1999062222A2 publication Critical patent/WO1999062222A2/en
Publication of WO1999062222A3 publication Critical patent/WO1999062222A3/en
Priority to NO20005868A priority patent/NO20005868L/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies

Definitions

  • the present invention relates to a method for safe telephony with mobility in a tele and data communications system which includes an IP-network.
  • Kerberos ⁇ A known solution of the managing of keys is called Kerberos ⁇ .
  • This known solution provides a central distribution of keys and is intended for users of services in networks. Kerberos ® attends to that the user can confirm his/her identity to a given service without risk that anybody is tapping the transmission in order to in a later stage unduly borrow the user's identity.
  • an authentication is performed in two steps. In the first step one issues an authentication service (AS) , a so called TGS-ticket in exchange for a person proving that he/she is the person he/she gives himself/herself out to be.
  • AS authentication service
  • the user identification is made by the user initially once and for all registers himself/herself manually and receives a password from Kerberos ® .
  • the password is stored centrally.
  • the TGS-ticket includes i.a. a TGS-session key, the name of the service (i.e. TGS), a time stamp and period of validity.
  • TGS-session key the name of the service (i.e. TGS)
  • TGS-session key the name of the service
  • TGS-session key the name of the service
  • period of validity i.e.
  • the user receives the TGS-ticket encrypted by TGS password and a copy of the TGS-session key encrypted by the user's password.
  • the TGS-ticket is valid as access to a ticket issuing service (TGS) .
  • TGS ticket issuing service
  • the user for that reason turns to TGS to get service tickets to other services.
  • the user transmits the TGS-ticket encrypted by TGS password and the name of the service which is asked for to TGS.
  • TGS returns a ticket to the service encrypted by the password of the service and a copy of a service session key encrypted by the TGS-session key.
  • For each new service the user wants to utilise he/she in the same way turns to said TGS and encloses his/her TGS-ticket in the transmission .
  • This known method has several advantages. The user need only give his/her password once per working period.
  • Kerberos ® is not directly applicable on IP-telephony with mobility, such as a system with DECT-telephones which have access to an IP- network. For that reason there exists a need for a security solution for such telephony.
  • the aim of the present invention consequently is to create a security solution for IP-telephony with mobility.
  • Figure 1 diagrammatically shows a tele and data communications system in which an embodiment of the method is implemented
  • Figure 2 diagrammatically shows a part of the system in Figure 1 in detail .
  • each DECT-telephone 3 an identity code (ID-code) is stored which is created in such a way that it is unique, preferably globally unique.
  • ID-code is transmitted to the base station 5 of the domain. From there the ID-code is forwarded to a mobility manager, here a so called proxy manager 9, see Figure 2, which is arranged in an IP-managing unit (IMU) 7.
  • the proxy manager 9 starts for each DECT-telephone 3 a proxy 11, i.e. en proxy which represents the DECT-telephone 3 towards the Internet, or any other IP-network.
  • the information is collected from a specific initiating database 13, which here is called telephone directory.
  • the telephone directory is reached via the IP-network 15.
  • Kerberos ® is utilised, and which i.a. is implemented on a server 17, which handles the central distribution of keys.
  • the information includes IP-address, the subscriber's user name, and a key for mobile IP.
  • the proxy manager 9 is user and the telephone directory 13 the service which shall be used.
  • the proxy manager 9 For the proxy manager 9 to receive the information, it consequently must authenticate itself to the AS-part of the server 17 to get a TGS-ticket, and then utilises the identity code as user identity, and then by transmitting the TGS-ticket to the TGS-part of the server 17 receive a service ticket to the telephone directory.
  • the information is transmitted well encrypted from the telephone directory 13 to the proxy manager 9, as has been described above.
  • the proxy manager 9 then starts a proxy 11 with the information as input data.
  • the proxy 11 now has the function of a mobile node. If it should be in a foreign network it will make use of a mobile IP to attend to that traffic which is intended for it is routed to right address.
  • This authentication is made by means of an encryption algorithm and a secret key which is shared by the mobile node, i.e. the proxy 11, and the mobility manager in its home network.
  • the secret key is the above mentioned key for mobile IP which the proxy manager 9 receivers from the database 13.
  • the proxy 11 is preferably compatible with the ITU- standard H.323, which can be utilised according to the following.
  • the receiver collects a session key from Kerberos ® and establishes a safe and authenticated channel. After that H.323 follows on.
  • the speech is accordingly transmitted encrypted in order that it shall not be possible to tap.
  • participants, which are not authorised subscribers in the system are prevented, by the authentication, from making free calls.
  • Kerberos ® can be exchanged for another equivalent method which implies equivalent good authentication and encryption.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention relates to a method for safe telephony with mobility in a tele and data communications system (1) which includes an IP-network (15), at which the telephony is executed with mobile units and at which the method for each mobile unit includes the steps: to create a unique identity code and store it in the unit; to, at the switching on of the unit, at least at switching it on in a home domain, transmit the identity code to a mobility manager (9); to, via the IP-network, establish contact between the mobility manager and an initiating database (13) for transmission of initiating information for Internet communication from the initiating data base to the mobility manager, which step includes to, by utilisation of the identity code, authenticate the mobility manager for access to the initiating data base, and to encrypt the initiating information at the transmission; and to, by means of the initiating information, start a proxy (11) which represents the unit towards the Internet.

Description

METHOD FOR SAFE TELEPHONY WITH MOBILITY IN A TELE AND DATA COMMUNICATIONS SYSTEM WHICH INCLUDES AN IP-NETWORK
TECHNICAL FIELD The present invention relates to a method for safe telephony with mobility in a tele and data communications system which includes an IP-network.
BACKGROUND OF THE TECHNOLOGY In a data and telecommunications system which offers a user IP-telephony with mobility, the integrity of the Internet-traffic must be taken into consideration. This means for instance that the network operator can debit services to right account and that there is no risk for unauthorised utilisation.
For that reason there is a great need of well functioning security systems which as far as possible guarantee a correct and safe identification of a user. This is not least of importance for a correct debiting. Further, for example, an unauthorised person shall not be in a position to forward telephone calls and shall not be in a position to take part in the communication between two users of the system. Communication channels in the system for that reason must be encrypted and authenticated. This, in its turn, creates a need for common keys.
If all participants in the system would exchange and store each other's keys, this would involve a security risk. Besides it would impair the scalability of the system. A known solution of the managing of keys is called Kerberos©. This known solution provides a central distribution of keys and is intended for users of services in networks. Kerberos® attends to that the user can confirm his/her identity to a given service without risk that anybody is tapping the transmission in order to in a later stage unduly borrow the user's identity. In this known solution an authentication is performed in two steps. In the first step one issues an authentication service (AS) , a so called TGS-ticket in exchange for a person proving that he/she is the person he/she gives himself/herself out to be.
The user identification is made by the user initially once and for all registers himself/herself manually and receives a password from Kerberos®. The password is stored centrally. When the user then wants to utilise services in the network he/she orders the TGS-ticket with his/her user identity as identification. The TGS-ticket includes i.a. a TGS-session key, the name of the service (i.e. TGS), a time stamp and period of validity. In return from the TGS the user receives the TGS-ticket encrypted by TGS password and a copy of the TGS-session key encrypted by the user's password. By that, only the true user can decrypt and utilise the information. In this way the password is never transmitted freely over the network.
The TGS-ticket is valid as access to a ticket issuing service (TGS) . In the second step, the user for that reason turns to TGS to get service tickets to other services. In this step the user transmits the TGS-ticket encrypted by TGS password and the name of the service which is asked for to TGS. TGS returns a ticket to the service encrypted by the password of the service and a copy of a service session key encrypted by the TGS-session key. For each new service the user wants to utilise he/she in the same way turns to said TGS and encloses his/her TGS-ticket in the transmission . This known method has several advantages. The user need only give his/her password once per working period. Only registered users can utilise the system because the user has to authenticate himself/herself at AT before he/she receives a ticket for a service. Services know that the user is authentic and not anyone who has copied the original message, because only the authentic sender knows the session key and is in a position to decode the traffic. The user also knows that a service is genuine because the session key in the ticket is encrypted by the key of the service. Only the genuine service consequently can decode the session key. Besides the user is always waiting for answer and consequently can be sure that the service is genuine .
The method according to Kerberos®, however, is not directly applicable on IP-telephony with mobility, such as a system with DECT-telephones which have access to an IP- network. For that reason there exists a need for a security solution for such telephony.
SUMMARY FO THE INVENTION The aim of the present invention consequently is to create a security solution for IP-telephony with mobility.
The object is achieved by a method for safe communication according to the invention as it is defined in patent claim 1 of the enclosed patent claims.
BRIEF DESCRIPTION OF THE DRAWINGS
In the following, embodiments of the method according to the invention will be described in detail with reference to the enclosed drawings, where: Figure 1 diagrammatically shows a tele and data communications system in which an embodiment of the method is implemented; and
Figure 2 diagrammatically shows a part of the system in Figure 1 in detail .
DETAILED DESCRIPTION OF EMBODIMENTS
Below, a preferred embodiment of the method according to the invention will be described, at which it is exemplified applied in a tele and data communications system which includes wireless telephones in form of DECT- telephones and which is shown in Figure 1. The method according to the invention is especially suited for such systems .
In each DECT-telephone 3 an identity code (ID-code) is stored which is created in such a way that it is unique, preferably globally unique. When the DECT-telephone 3 is in its home domain, i.e. a DECT-domain, and is switched on, the ID-code is transmitted to the base station 5 of the domain. From there the ID-code is forwarded to a mobility manager, here a so called proxy manager 9, see Figure 2, which is arranged in an IP-managing unit (IMU) 7. The proxy manager 9 starts for each DECT-telephone 3 a proxy 11, i.e. en proxy which represents the DECT-telephone 3 towards the Internet, or any other IP-network. The proxy manager 9, however requires a certain initiating information to be able to start a proxy 11. The information is collected from a specific initiating database 13, which here is called telephone directory. The telephone directory is reached via the IP-network 15. In order to have the information transmitted in a safe way, the above mentioned described known method called Kerberos® is utilised, and which i.a. is implemented on a server 17, which handles the central distribution of keys. The information includes IP-address, the subscriber's user name, and a key for mobile IP.
In this situation the proxy manager 9 is user and the telephone directory 13 the service which shall be used. For the proxy manager 9 to receive the information, it consequently must authenticate itself to the AS-part of the server 17 to get a TGS-ticket, and then utilises the identity code as user identity, and then by transmitting the TGS-ticket to the TGS-part of the server 17 receive a service ticket to the telephone directory. The information is transmitted well encrypted from the telephone directory 13 to the proxy manager 9, as has been described above. The proxy manager 9 then starts a proxy 11 with the information as input data. The proxy 11 now has the function of a mobile node. If it should be in a foreign network it will make use of a mobile IP to attend to that traffic which is intended for it is routed to right address. Within mobile IP authentication is of outmost importance because unauthorised persons without authentication might change the traffic in the system as they please, or fraudulently give themselves out as another persons than they are. This authentication is made by means of an encryption algorithm and a secret key which is shared by the mobile node, i.e. the proxy 11, and the mobility manager in its home network. The secret key is the above mentioned key for mobile IP which the proxy manager 9 receivers from the database 13. When the subscriber wants to utilise any of the services which the network operator offers, for instance make a call, both the subscriber and the operator are interested in that the debiting for the utilisation will be correct. The proxy 11 then contacts a debiting service to charge right account with right sum. This communication is also made by means of Kerberos®.
The proxy 11 is preferably compatible with the ITU- standard H.323, which can be utilised according to the following. At the communication between two subscribers, the receiver collects a session key from Kerberos® and establishes a safe and authenticated channel. After that H.323 follows on. The speech is accordingly transmitted encrypted in order that it shall not be possible to tap. At the same time participants, which are not authorised subscribers in the system, are prevented, by the authentication, from making free calls.
Above, a preferred embodiment of the method according to the invention has been described. This shall only be regarded as an example of how the invention can be implemented. A lot of modifications are possible within the frame of the invention as it is defined in the patent claims. Below follows some examples of such modifications. Above, the method has been described for IP- telephony with DECT-telephones. It is also applicable for other types of mobile IP-telephony . One example is a computer which is moved between different access points .
The above described key distribution method Kerberos® can be exchanged for another equivalent method which implies equivalent good authentication and encryption.

Claims

PATENT CLAIMS
1. Method for safe telephony with mobility in a tele and data communications system (1) which includes an IP- network (15) , at which the telephony is executed by mobile units, and at which the method for each mobile unit is c h a r a c t e r i s e d in the steps : to create a unique identity code and store it in the unit ; - to, when the unit is switched on, at least when it is switched on in a home domain, transmit the identity code to a mobility manager (9) ; to, via the IP-network, establish contact between the mobility manager and an initiating database (13) for transmission of initiating information for Internet communication from the initiation database to the mobility manager, which step includes to, by utilisation of the identity code, authenticate the mobility manager for access to the initiation database, and to encrypt the initiation information at the transmission; and to, by means of the initiating information, start a proxy (11) which represents the unit towards Internet.
2. Method according to patent claim 1, c h a r a c t e r i s e d in that said proxy for access to services in the communications system initially via the IP- network by means of in the initiating information included data authenticates itself to a server which centrally manages keys, at which the proxy from a part of the server receives a TGS-ticket and after that, by providing the TGS- ticket, via a TGS-part of said server receives service tickets for different services, at which each service ticket includes one for the service in question specific session key.
3. Method according to patent claim 1 or 2 , c h a r a c t e r i s e d in that in the data base store initiating information which for each user includes IP- address and key for mobile IP.
4. Method according to any of the preceding patent claims, c h a r a c t e r i s e d in that the step to, when the unit is switched on, at least when it is switched on in a home domain, transmit the identity code to a mobility manager, when the unit is a DECT-telephone, includes to transmit the identity code from the telephone to a base station (5) in the home domain, and to forward the identity code from the base station to the mobility manager .
5. Method according to any of the precedent patent claims, c h a r a c t e r i s e d in that the proxy, when it is in a foreign network, makes use of a mobile IP to attend to that traffic which is intended for it, is routed to right address .
PCT/SE1999/000814 1998-05-27 1999-05-12 Method for safe telephony with mobility in a tele and data communications system which includes an ip-network WO1999062222A2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP99929982A EP1082837A2 (en) 1998-05-27 1999-05-12 Method for safe telephony with mobility in a tele and data communications system which includes an ip-network
EEP200000701A EE03893B1 (en) 1998-05-27 1999-05-12 A secure mobile communication method for use in an IP network communication and data communication system
NO20005868A NO20005868L (en) 1998-05-27 2000-11-21 Procedure for secure telephony in a telecommunications and data communication system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE9801871-6 1998-05-27
SE9801871A SE512440C2 (en) 1998-05-27 1998-05-27 Method for secure telephony with mobility in a telephone and data communication system comprising an IP network

Publications (2)

Publication Number Publication Date
WO1999062222A2 true WO1999062222A2 (en) 1999-12-02
WO1999062222A3 WO1999062222A3 (en) 2000-02-03

Family

ID=20411477

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE1999/000814 WO1999062222A2 (en) 1998-05-27 1999-05-12 Method for safe telephony with mobility in a tele and data communications system which includes an ip-network

Country Status (5)

Country Link
EP (1) EP1082837A2 (en)
EE (1) EE03893B1 (en)
NO (1) NO20005868L (en)
SE (1) SE512440C2 (en)
WO (1) WO1999062222A2 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2807597A1 (en) * 2000-04-11 2001-10-12 Sagem Digital cordless communication network mobility having handset entering second base area detected/requesting registration with location sent and server requesting position confirmation/base state re initialisation request.
WO2005083972A1 (en) 2004-03-01 2005-09-09 Jobbagy Miklos Set of equipment for secure direct information transfer over the internet
CN1322702C (en) * 2003-12-30 2007-06-20 华为技术有限公司 Identificaton method of internet protocol speech sound cut-in equipment
CN100349400C (en) * 2004-02-11 2007-11-14 任荣昌 Multiple service exchange method and system based on IP network user identification
US8365258B2 (en) 2006-11-16 2013-01-29 Phonefactor, Inc. Multi factor authentication
US9762576B2 (en) 2006-11-16 2017-09-12 Phonefactor, Inc. Enhanced multi factor authentication

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5535276A (en) * 1994-11-09 1996-07-09 Bell Atlantic Network Services, Inc. Yaksha, an improved system and method for securing communications using split private key asymmetric cryptography
US5602918A (en) * 1995-12-22 1997-02-11 Virtual Open Network Environment Corp. Application level security system and method
GB2317539B (en) * 1996-09-18 2001-03-28 Secure Computing Corp Generalized security policy management system and method
US5684950A (en) * 1996-09-23 1997-11-04 Lockheed Martin Corporation Method and system for authenticating users to multiple computer servers via a single sign-on

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2807597A1 (en) * 2000-04-11 2001-10-12 Sagem Digital cordless communication network mobility having handset entering second base area detected/requesting registration with location sent and server requesting position confirmation/base state re initialisation request.
CN1322702C (en) * 2003-12-30 2007-06-20 华为技术有限公司 Identificaton method of internet protocol speech sound cut-in equipment
CN100349400C (en) * 2004-02-11 2007-11-14 任荣昌 Multiple service exchange method and system based on IP network user identification
WO2005083972A1 (en) 2004-03-01 2005-09-09 Jobbagy Miklos Set of equipment for secure direct information transfer over the internet
US8208638B2 (en) 2004-03-01 2012-06-26 Jobbagy Miklos Set of equipment for secure direct information transfer over the internet
US8365258B2 (en) 2006-11-16 2013-01-29 Phonefactor, Inc. Multi factor authentication
US9762576B2 (en) 2006-11-16 2017-09-12 Phonefactor, Inc. Enhanced multi factor authentication
US10122715B2 (en) 2006-11-16 2018-11-06 Microsoft Technology Licensing, Llc Enhanced multi factor authentication

Also Published As

Publication number Publication date
SE9801871L (en) 1999-11-28
SE9801871D0 (en) 1998-05-27
EE200000701A (en) 2002-04-15
NO20005868D0 (en) 2000-11-21
NO20005868L (en) 2001-01-25
WO1999062222A3 (en) 2000-02-03
SE512440C2 (en) 2000-03-20
EP1082837A2 (en) 2001-03-14
EE03893B1 (en) 2002-10-15

Similar Documents

Publication Publication Date Title
US7882543B2 (en) Systems and methods for added authentication in distributed network delivered half-duplex communications
US6334056B1 (en) Secure gateway processing for handheld device markup language (HDML)
Hwang et al. A self-encryption mechanism for authentication of roaming and teleconference services
US6145084A (en) Adaptive communication system enabling dissimilar devices to exchange information over a network
US7865173B2 (en) Method and arrangement for authentication procedures in a communication network
CN1839608B (en) Device and method for generating a unique user's identity for use between different domains
US7197297B2 (en) Authentication method for enabling a user of a mobile station to access to private data or services
US7340525B1 (en) Method and apparatus for single sign-on in a wireless environment
CN100435508C (en) Method and equipment for safety Internetwork protocol communication in call processing system
JP2000232690A (en) Method for security for communication network and method for data transfer with security
WO2001054346A1 (en) Method for issuing an electronic identity
WO2001050682A1 (en) Communication using virtual telephone numbers
CN112565294A (en) Identity authentication method based on block chain electronic signature
WO1999062222A2 (en) Method for safe telephony with mobility in a tele and data communications system which includes an ip-network
JP2005020310A (en) Information management system
MXPA01013117A (en) System and method for local policy enforcement for internet service providers.
US20050190904A1 (en) Method for performing network-based telephone user identification
US6961851B2 (en) Method and apparatus for providing communications security using a remote server
US11146536B2 (en) Method and a system for managing user identities for use during communication between two web browsers
US7139377B2 (en) Method of providing services to remote private terminals and an associated device
JPH0759154A (en) Inter-network authentication key generating method
KR100637996B1 (en) Dial Authentication Provision System
WO1999037055A1 (en) System and method for providing secure remote access to a computer network
US20040250067A1 (en) Method and device for securing communications in a computer network
KR20000054658A (en) Method for application SSMS

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): EE JP LT LV NO US

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

121 Ep: the epo has been informed by wipo that ep was designated in this application
AK Designated states

Kind code of ref document: A3

Designated state(s): EE JP LT LV NO US

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 1999929982

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 1999929982

Country of ref document: EP