Establishing a Communication Event Using Secure Signalling
Abstract
A communication event is established between an initiating device and a responding device under the control of a remote communications controller. In a pre-communication event establishment phase, a secure connection is established between the initiating device and the communications controller, and session key negotiation messages are exchanged between the initiating device and the communications controller via the secure connection to obtain session key data in an electronic storage location accessible to the initiating device. The secure connection terminates once the session key data has been obtained. In a subsequent communication event establishment phase—after the session key data has been obtained and the secure connection has terminated in the pre-establishment phase—a communication event request is transmitted from the initiating device to the communications controller comprising a payload encrypted with the session key data.
Claims
exact text as granted — not AI-modified1 . A method of establishing a communication event between an initiating device and a responding device under the control of a remote communications controller, the method comprising implementing by the initiating device the following steps:
in a pre-communication event establishment phase: establishing a secure connection between the initiating device and the communications controller, exchanging session key negotiation messages between the initiating device and the communications controller via the secure connection to obtain, in an electronic storage location accessible to the initiating device, session key data for use by the initiating device in generating encrypted message payloads that are decryptable by the communications controller, wherein the secure connection terminates once the session key data has been obtained; in a subsequent communication event establishment phase: generating a communication event request payload for transmission to the communications controller; encrypting the request payload using the session key data stored in the accessible electronic storage location; and in response to a communication event establishment instruction received at the initiating device after the session key data has been obtained and the secure connection has terminated in the pre-establishment phase, transmitting from the initiating device to the communications controller a communication event request comprising the encrypted request payload, thereby causing the communications controller to decrypt the encrypted request payload, whereby the communication event between the devices is established under the control of the communications controller based on the decrypted payload.
2 . A method according to claim 1 , wherein the request payload identifies the responding device, whereby transmitting the communication event request to the communications controller causes the communications controller to decrypt the encrypted request payload and transmit a communication event invite to the responding device identified in the decrypted payload.
3 . A method according to claim 2 , wherein the request comprises: a device identifier of the responding device, and/or a user identifier of a user of the remote device, and/or or a network address of the responding device, and thereby identifies the responding device.
4 . A method according to claim 1 , wherein the session key negotiation messages are exchanged via the secure connection at an application layer of a network, above a transport layer of the network.
5 . A method according to claim 1 , wherein the session key data comprises:
an encrypted version of a session key received from the communications controller in the pre-establishment phase, the session key having been encrypted by the communications controller using a wrapper key available to communications controller, and/or a session key identifier for identifying the session key to the communications controller.
6 . A method according to claim 5 , wherein the session key data also comprises:
a version of the session key not encrypted with the wrapper key, and/or a client secret and a server secret for generating the unencrypted version of the session key; and/or key derivation data for generating the session key using a key derivation function.
7 . A method according to claim 5 , wherein the initiating device encrypts the request payload using the session key, wherein the request also comprises:
the encrypted version of the session key, whereby the request causes the communications controller to decrypt the session key using the wrapper key, and decrypt the request payload using the decrypted session key, and/or the session key identifier.
8 . A method according to claim 7 , wherein the initiating device encrypts the payload using an encryption key derived from the session key.
9 . A method according to claims 6 and 8 , wherein the initiating device generates the encryption key by applying a key derivation function to the unencrypted version of the session key, and uses the derived encryption key to encrypt the payload.
10 . A method according to claim 1 , wherein the request also comprises a randomized initialization vector generated by the initiating device, whereby the initiating device can reuse the session key data for a later communication event with a different initialization vector.
11 . A method according to claim 1 , wherein the initiating device generates integrity check data by applying a hash function to at least the payload once encrypted, wherein the request also comprises the integrity check data, whereby the communications controller can use the integrity check data to detect any alteration to encrypted payload before decrypting it.
12 . A method according to claims 10 and 11 , wherein the hash function is: applied using an authentication key derived from the session key and/or applied to a combination of the encrypted payload and the initialization vector.
13 . A method according to claim 5 , wherein the session key data also comprises an identifier of the wrapper key received from the communications controller, wherein the request transmitted to the communications controller also comprises the identifier of the wrapper key, whereby the controller can identify which wrapper key to decrypt the session key with.
14 . A method according to claim 1 , wherein the pre-establishment phase comprises receiving at the initiating device from the communications controller a timestamp denoting a time measured remotely at the communications controller, wherein the initiating device stores an indication of a difference between the remotely measured time and a time measured locally at the initiating device; and
wherein the request also comprises a timestamp generated by the initiating device accounting for the difference between the locally measured time and the remotely measured time.
15 . A method according to claim 1 , wherein the request also comprises a randomized request identifier generated by the initiating device.
16 . A method according to claim 1 , wherein the communication event establishment instruction is instigated manually by a user of the initiating device.
17 . A method according to claim 16 , wherein the call establishment instruction is instigated by the user of the initiating device: selecting an option on a display of the initiating device to call the responding device and/or a user of the responding device, or providing a voice or gesture input to the initiating device denoting the responding device and or the user of the responding device.
18 . A method according to claim 1 , wherein a communication client is installed on the initiating device, and the pre-establishment phase is performed as part of the installation of the client or in response to running the installed client on a processor of the initiating device for the first time; or
wherein the pre-establishment phase is instigated at a time specified by a predetermined session key negotiation schedule, or wherein the pre-establishment phase is performed each time a communication client is instantiated on a processor of the initiating device.
19 . An initiating device for establishing a communication event between the initiating device and a responding device under the control of a remote communications controller, the initiating device comprising:
a network interface; memory holding executable code; and a processor connected to the memory and configured to execute the code, wherein the code is configured when executed on the processor to implement the following steps: in a pre-communication event establishment phase: establishing a secure connection between the initiating device and the communications controller, exchanging session key negotiation messages between the initiating device and the communications controller via the secure connection to obtain, in the electronic storage, session key data for use by the initiating device in generating encrypted message payloads that are decryptable by the communications controller, wherein the secure connection terminates once the session key data has been obtained; in a subsequent communication event establishment phase: generating a communication event request payload for transmission to the communications controller; encrypting the request payload using the stored session key data; and in response to a communication event establishment instruction received at the initiating device after the session key data has been obtained and the secure connection has terminated in the pre-establishment phase, transmitting from the initiating device via the network interface to the communications controller a communication event request comprising the encrypted request payload, thereby causing the communications controller to decrypt the encrypted request payload, whereby the communication event between the devices is established under the control of the communications controller based on the decrypted payload.
20 . A computer program product comprising executable code stored on a computer readable storage medium and configured when executed on a processor of an initiating device to establish a communication event between an initiating device and a responding device under the control of a remote communications controller by implementing the following steps:
in a pre-communication event establishment phase: establishing a secure connection between the initiating device and the communications controller, exchanging session key negotiation messages between the initiating device and the communications controller via the secure connection to obtain, in an electronic storage location accessible to the initiating device, session key data for use by the initiating device in generating encrypted message payloads that are decryptable by the communications controller, wherein the secure connection terminates once the session key data has been obtained; in a subsequent communication event establishment phase: generating a communication event request payload for transmission to the communications controller; encrypting the request payload using the session key data stored in the accessible electronic storage location; and in response to a communication event establishment instruction received at the initiating device after the session key data has been obtained and the secure connection has terminated in the pre-establishment phase, transmitting from the initiating device to the communications controller a communication event request comprising the encrypted request payload, thereby causing the communications controller to decrypt the encrypted request payload, whereby the communication event between the devices is established under the control of the communications controller based on the decrypted payload.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.