Methods and Apparatus for Authentication and Identity Management Using a Public Key Infrastructure (PKI) in an IP-Based Telephony Environment
Abstract
Methods and apparatus arc provided for user authentication using a Public Key Infrastructure (PKI) in an IP-based telephony environment, such as an IMS network. A user of a user device attempting to access an IP-based telephony network can be authenticated by obtaining one or more private keys of the user from a secure memory associated with the user device; generating an integrity key and a ciphering key; encrypting the integrity key and the ciphering key using a session key; encrypting the session key with a public key of the IP-based telephony network; and providing the encrypted session key, encrypted integrity key and encrypted ciphering key to the IP-based telephony network for authentication. A network-based method is also provided for authenticating a user in an IP-based telephony network.
Claims
exact text as granted — not AI-modified1 . An authentication method performed by a user device attempting to access an IP-based telephony network, comprising:
obtaining one or more private keys of said user from a secure memory associated with said user device; generating an integrity key and a ciphering key; encrypting said integrity key and said ciphering key using a session key; encrypting said session key with a public key of said IP-based telephony network; and providing said encrypted session key, encrypted integrity key and encrypted ciphering key to said IP-based telephony network for authentication.
2 . The method of claim 1 , wherein said generating step is performed by a smart card.
3 . The method of claim 1 , wherein said secure memory is embodied on a smart card.
4 . The method of claim 3 , wherein said smart card comprises a secure IMS Subscriber Identity Module (ISIM).
5 . The method of claim 3 , wherein said smart card is configured to securely store data and to perform computations on said data.
6 . The method of claim 1 , further comprising the step of encrypting one or more of said encrypted session key, said encrypted integrity key and said encrypted ciphering key using said one or more private keys.
7 . The method of claim 1 , wherein said step of encrypting said integrity key and said ciphering key using a session key further comprises the step of encrypting a user identity using said session key.
8 . The method of claim 7 , wherein said user identity can be obtained only by a holder of said session key.
9 . The method of claim 1 , further comprising the step of receiving an authentication of a server of said IP-based telephony network.
10 . The method of claim 1 , further comprising the step of providing a nonce that protects against a replay attack.
11 . The method of claim 1 , wherein said IP-based telephony network is an IMS network.
12 . The method of claim 1 , wherein said step of generating an integrity key and a ciphering key further comprises the step of generating one or more of said integrity key and said ciphering key using said one or more private keys.
13 . A method for authenticating a user employing a user device attempting to access an IP-based telephony network, comprising:
obtaining an encrypted session key encrypted with a public key of said IP-based telephony network; obtaining an encrypted integrity key and encrypted ciphering key from said user device, wherein said integrity key and said ciphering key were generated by a secure device associated with said user device using one or more private keys of said user; decrypting said encrypted session key using said public key of said IP-based telephony network; decrypting said encrypted integrity key and encrypted ciphering key using said decrypted session key; and authenticating said user device based on a Public Key Infrastructure (PKI) computation.
14 . The method of claim 13 , further comprising the step of validating information received from said user by comparing said received information to stored information,
15 . The method of claim 13 , further comprising the step of authenticating said IP-based telephony network to said user.
16 . The method of claim 15 , wherein said step of authenticating said IP-based telephony network to said user further comprises the step of encrypting a nonce using a public key of said user.
17 . The method of claim 16 , wherein said step of authenticating said IP-based telephony network to said user further comprises the step of encrypting said encrypted nonce using a signature operation based on a private key of said IP-based telephony network.
18 . The method of claim 13 , wherein said secure device comprises a smart card having a secure IMS Subscriber Identity Module (ISIM).
19 . The method of claim 13 , wherein said IP-based telephony network is an IMS network.
20 . An apparatus for use by a user device in an IP-based telephony network, comprising:
a secure memory for storing one or more private keys of said used; and at least one processor, coupled to the secure memory, operative to: generate an integrity key and a ciphering key.
21 . The apparatus of claim 20 , wherein said secure memory further comprises a network certificate containing a public key of said network.
22 . The apparatus of claim 20 , wherein said secure memory further comprises an identifier of said user.
23 . The apparatus of claim 20 , wherein said processor is further configured to perform an encryption with at least one PKI algorithm.
24 . The apparatus of claim 20 , wherein said processor is further configured to generate a session key.
25 . The apparatus of claim 20 , wherein said processor is further configured to generate one or more of said integrity key and said ciphering key using said one or more private keys.
26 . An apparatus, comprising:
a secure memory for storing one or more private keys of a user attempting to access an IP-based telephony network; and at least one processor; coupled to the secure memory, operative to: obtain said one or more private keys of said user from said secure memory; generate an integrity key and a ciphering key; encrypt said integrity key and said ciphering key using a session key; encrypt said session key with a public key of said IP-based telephony network; and provide said encrypted session key, encrypted integrity key and encrypted ciphering key to said IP-based telephony network for authentication.
27 . An apparatus for authenticating a user employing a user device attempting to access an IP-based telephony network, comprising:
a memory; and at least one processor, coupled to the memory, operative to: obtain an encrypted session key encrypted with a public key of said IP-based telephony network; obtain an encrypted integrity key and encrypted ciphering key from said user device, wherein said integrity key and said ciphering key were generated by a secure device associated with said user device using one or more private keys of said user; decrypt said encrypted session key using said public key of said IP-based telephony network; decrypt said encrypted integrity key and encrypted ciphering key using said decrypted session key; and authenticate said user device based on a Public Key Infrastructure (PKI) computation.Join the waitlist — get patent alerts
Track US2009259851A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.