US2009259851A1PendingUtilityA1

Methods and Apparatus for Authentication and Identity Management Using a Public Key Infrastructure (PKI) in an IP-Based Telephony Environment

Assignee: FAYNBERG IGORPriority: Apr 10, 2008Filed: Apr 10, 2008Published: Oct 15, 2009
Est. expiryApr 10, 2028(~1.7 yrs left)· nominal 20-yr term from priority
H04L 9/006H04L 65/1073H04L 9/3263H04L 2209/80H04L 65/1016H04L 9/3271H04L 63/0442H04L 63/0435H04W 12/06H04L 63/0853H04W 12/122H04W 12/065H04W 12/069H04L 63/061
45
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods and apparatus arc provided for user authentication using a Public Key Infrastructure (PKI) in an IP-based telephony environment, such as an IMS network. A user of a user device attempting to access an IP-based telephony network can be authenticated by obtaining one or more private keys of the user from a secure memory associated with the user device; generating an integrity key and a ciphering key; encrypting the integrity key and the ciphering key using a session key; encrypting the session key with a public key of the IP-based telephony network; and providing the encrypted session key, encrypted integrity key and encrypted ciphering key to the IP-based telephony network for authentication. A network-based method is also provided for authenticating a user in an IP-based telephony network.

Claims

exact text as granted — not AI-modified
1 . An authentication method performed by a user device attempting to access an IP-based telephony network, comprising:
 obtaining one or more private keys of said user from a secure memory associated with said user device;   generating an integrity key and a ciphering key;   encrypting said integrity key and said ciphering key using a session key;   encrypting said session key with a public key of said IP-based telephony network; and   providing said encrypted session key, encrypted integrity key and encrypted ciphering key to said IP-based telephony network for authentication.   
   
   
       2 . The method of  claim 1 , wherein said generating step is performed by a smart card. 
   
   
       3 . The method of  claim 1 , wherein said secure memory is embodied on a smart card. 
   
   
       4 . The method of  claim 3 , wherein said smart card comprises a secure IMS Subscriber Identity Module (ISIM). 
   
   
       5 . The method of  claim 3 , wherein said smart card is configured to securely store data and to perform computations on said data. 
   
   
       6 . The method of  claim 1 , further comprising the step of encrypting one or more of said encrypted session key, said encrypted integrity key and said encrypted ciphering key using said one or more private keys. 
   
   
       7 . The method of  claim 1 , wherein said step of encrypting said integrity key and said ciphering key using a session key further comprises the step of encrypting a user identity using said session key. 
   
   
       8 . The method of  claim 7 , wherein said user identity can be obtained only by a holder of said session key. 
   
   
       9 . The method of  claim 1 , further comprising the step of receiving an authentication of a server of said IP-based telephony network. 
   
   
       10 . The method of  claim 1 , further comprising the step of providing a nonce that protects against a replay attack. 
   
   
       11 . The method of  claim 1 , wherein said IP-based telephony network is an IMS network. 
   
   
       12 . The method of  claim 1 , wherein said step of generating an integrity key and a ciphering key further comprises the step of generating one or more of said integrity key and said ciphering key using said one or more private keys. 
   
   
       13 . A method for authenticating a user employing a user device attempting to access an IP-based telephony network, comprising:
 obtaining an encrypted session key encrypted with a public key of said IP-based telephony network;   obtaining an encrypted integrity key and encrypted ciphering key from said user device, wherein said integrity key and said ciphering key were generated by a secure device associated with said user device using one or more private keys of said user;   decrypting said encrypted session key using said public key of said IP-based telephony network;   decrypting said encrypted integrity key and encrypted ciphering key using said decrypted session key; and   authenticating said user device based on a Public Key Infrastructure (PKI) computation.   
   
   
       14 . The method of  claim 13 , further comprising the step of validating information received from said user by comparing said received information to stored information, 
   
   
       15 . The method of  claim 13 , further comprising the step of authenticating said IP-based telephony network to said user. 
   
   
       16 . The method of  claim 15 , wherein said step of authenticating said IP-based telephony network to said user further comprises the step of encrypting a nonce using a public key of said user. 
   
   
       17 . The method of  claim 16 , wherein said step of authenticating said IP-based telephony network to said user further comprises the step of encrypting said encrypted nonce using a signature operation based on a private key of said IP-based telephony network. 
   
   
       18 . The method of  claim 13 , wherein said secure device comprises a smart card having a secure IMS Subscriber Identity Module (ISIM). 
   
   
       19 . The method of  claim 13 , wherein said IP-based telephony network is an IMS network. 
   
   
       20 . An apparatus for use by a user device in an IP-based telephony network, comprising:
 a secure memory for storing one or more private keys of said used; and   at least one processor, coupled to the secure memory, operative to:   generate an integrity key and a ciphering key.   
   
   
       21 . The apparatus of  claim 20 , wherein said secure memory further comprises a network certificate containing a public key of said network. 
   
   
       22 . The apparatus of  claim 20 , wherein said secure memory further comprises an identifier of said user. 
   
   
       23 . The apparatus of  claim 20 , wherein said processor is further configured to perform an encryption with at least one PKI algorithm. 
   
   
       24 . The apparatus of  claim 20 , wherein said processor is further configured to generate a session key. 
   
   
       25 . The apparatus of  claim 20 , wherein said processor is further configured to generate one or more of said integrity key and said ciphering key using said one or more private keys. 
   
   
       26 . An apparatus, comprising:
 a secure memory for storing one or more private keys of a user attempting to access an IP-based telephony network; and   at least one processor; coupled to the secure memory, operative to:   obtain said one or more private keys of said user from said secure memory;   generate an integrity key and a ciphering key;   encrypt said integrity key and said ciphering key using a session key;   encrypt said session key with a public key of said IP-based telephony network; and   provide said encrypted session key, encrypted integrity key and encrypted ciphering key to said IP-based telephony network for authentication.   
   
   
       27 . An apparatus for authenticating a user employing a user device attempting to access an IP-based telephony network, comprising:
 a memory; and   at least one processor, coupled to the memory, operative to:   obtain an encrypted session key encrypted with a public key of said IP-based telephony network;   obtain an encrypted integrity key and encrypted ciphering key from said user device, wherein said integrity key and said ciphering key were generated by a secure device associated with said user device using one or more private keys of said user;   decrypt said encrypted session key using said public key of said IP-based telephony network;   decrypt said encrypted integrity key and encrypted ciphering key using said decrypted session key; and   authenticate said user device based on a Public Key Infrastructure (PKI) computation.

Join the waitlist — get patent alerts

Track US2009259851A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.