EP1082837A2 - Method for safe telephony with mobility in a tele and data communications system which includes an ip-network - Google Patents

Method for safe telephony with mobility in a tele and data communications system which includes an ip-network

Info

Publication number
EP1082837A2
EP1082837A2 EP99929982A EP99929982A EP1082837A2 EP 1082837 A2 EP1082837 A2 EP 1082837A2 EP 99929982 A EP99929982 A EP 99929982A EP 99929982 A EP99929982 A EP 99929982A EP 1082837 A2 EP1082837 A2 EP 1082837A2
Authority
EP
European Patent Office
Prior art keywords
network
identity code
unit
mobility manager
initiating
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP99929982A
Other languages
German (de)
French (fr)
Inventor
Per Gustavsson
Staffan Lundgren
Mattias Maartensson
Eskil Aahlin
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telia Co AB
Original Assignee
Telia AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telia AB filed Critical Telia AB
Publication of EP1082837A2 publication Critical patent/EP1082837A2/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies

Definitions

  • the present invention relates to a method for safe telephony with mobility in a tele and data communications system which includes an IP-network.
  • Kerberos ⁇ A known solution of the managing of keys is called Kerberos ⁇ .
  • This known solution provides a central distribution of keys and is intended for users of services in networks. Kerberos ® attends to that the user can confirm his/her identity to a given service without risk that anybody is tapping the transmission in order to in a later stage unduly borrow the user's identity.
  • an authentication is performed in two steps. In the first step one issues an authentication service (AS) , a so called TGS-ticket in exchange for a person proving that he/she is the person he/she gives himself/herself out to be.
  • AS authentication service
  • the user identification is made by the user initially once and for all registers himself/herself manually and receives a password from Kerberos ® .
  • the password is stored centrally.
  • the TGS-ticket includes i.a. a TGS-session key, the name of the service (i.e. TGS), a time stamp and period of validity.
  • TGS-session key the name of the service (i.e. TGS)
  • TGS-session key the name of the service
  • TGS-session key the name of the service
  • period of validity i.e.
  • the user receives the TGS-ticket encrypted by TGS password and a copy of the TGS-session key encrypted by the user's password.
  • the TGS-ticket is valid as access to a ticket issuing service (TGS) .
  • TGS ticket issuing service
  • the user for that reason turns to TGS to get service tickets to other services.
  • the user transmits the TGS-ticket encrypted by TGS password and the name of the service which is asked for to TGS.
  • TGS returns a ticket to the service encrypted by the password of the service and a copy of a service session key encrypted by the TGS-session key.
  • For each new service the user wants to utilise he/she in the same way turns to said TGS and encloses his/her TGS-ticket in the transmission .
  • This known method has several advantages. The user need only give his/her password once per working period.
  • Kerberos ® is not directly applicable on IP-telephony with mobility, such as a system with DECT-telephones which have access to an IP- network. For that reason there exists a need for a security solution for such telephony.
  • the aim of the present invention consequently is to create a security solution for IP-telephony with mobility.
  • Figure 1 diagrammatically shows a tele and data communications system in which an embodiment of the method is implemented
  • Figure 2 diagrammatically shows a part of the system in Figure 1 in detail .
  • each DECT-telephone 3 an identity code (ID-code) is stored which is created in such a way that it is unique, preferably globally unique.
  • ID-code is transmitted to the base station 5 of the domain. From there the ID-code is forwarded to a mobility manager, here a so called proxy manager 9, see Figure 2, which is arranged in an IP-managing unit (IMU) 7.
  • the proxy manager 9 starts for each DECT-telephone 3 a proxy 11, i.e. en proxy which represents the DECT-telephone 3 towards the Internet, or any other IP-network.
  • the information is collected from a specific initiating database 13, which here is called telephone directory.
  • the telephone directory is reached via the IP-network 15.
  • Kerberos ® is utilised, and which i.a. is implemented on a server 17, which handles the central distribution of keys.
  • the information includes IP-address, the subscriber's user name, and a key for mobile IP.
  • the proxy manager 9 is user and the telephone directory 13 the service which shall be used.
  • the proxy manager 9 For the proxy manager 9 to receive the information, it consequently must authenticate itself to the AS-part of the server 17 to get a TGS-ticket, and then utilises the identity code as user identity, and then by transmitting the TGS-ticket to the TGS-part of the server 17 receive a service ticket to the telephone directory.
  • the information is transmitted well encrypted from the telephone directory 13 to the proxy manager 9, as has been described above.
  • the proxy manager 9 then starts a proxy 11 with the information as input data.
  • the proxy 11 now has the function of a mobile node. If it should be in a foreign network it will make use of a mobile IP to attend to that traffic which is intended for it is routed to right address.
  • This authentication is made by means of an encryption algorithm and a secret key which is shared by the mobile node, i.e. the proxy 11, and the mobility manager in its home network.
  • the secret key is the above mentioned key for mobile IP which the proxy manager 9 receivers from the database 13.
  • the proxy 11 is preferably compatible with the ITU- standard H.323, which can be utilised according to the following.
  • the receiver collects a session key from Kerberos ® and establishes a safe and authenticated channel. After that H.323 follows on.
  • the speech is accordingly transmitted encrypted in order that it shall not be possible to tap.
  • participants, which are not authorised subscribers in the system are prevented, by the authentication, from making free calls.
  • Kerberos ® can be exchanged for another equivalent method which implies equivalent good authentication and encryption.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention relates to a method for safe telephony with mobility in a tele and data communications system (1) which includes an IP-network (15), at which the telephony is executed with mobile units and at which the method for each mobile unit includes the steps: to create a unique identity code and store it in the unit; to, at the switching on of the unit, at least at switching it on in a home domain, transmit the identity code to a mobility manager (9); to, via the IP-network, establish contact between the mobility manager and an initiating database (13) for transmission of initiating information for Internet communication from the initiating data base to the mobility manager, which step includes to, by utilisation of the identity code, authenticate the mobility manager for access to the initiating data base, and to encrypt the initiating information at the transmission; and to, by means of the initiating information, start a proxy (11) which represents the unit towards the Internet.

Description

METHOD FOR SAFE TELEPHONY WITH MOBILITY IN A TELE AND DATA COMMUNICATIONS SYSTEM WHICH INCLUDES AN IP-NETWORK
TECHNICAL FIELD The present invention relates to a method for safe telephony with mobility in a tele and data communications system which includes an IP-network.
BACKGROUND OF THE TECHNOLOGY In a data and telecommunications system which offers a user IP-telephony with mobility, the integrity of the Internet-traffic must be taken into consideration. This means for instance that the network operator can debit services to right account and that there is no risk for unauthorised utilisation.
For that reason there is a great need of well functioning security systems which as far as possible guarantee a correct and safe identification of a user. This is not least of importance for a correct debiting. Further, for example, an unauthorised person shall not be in a position to forward telephone calls and shall not be in a position to take part in the communication between two users of the system. Communication channels in the system for that reason must be encrypted and authenticated. This, in its turn, creates a need for common keys.
If all participants in the system would exchange and store each other's keys, this would involve a security risk. Besides it would impair the scalability of the system. A known solution of the managing of keys is called Kerberos©. This known solution provides a central distribution of keys and is intended for users of services in networks. Kerberos® attends to that the user can confirm his/her identity to a given service without risk that anybody is tapping the transmission in order to in a later stage unduly borrow the user's identity. In this known solution an authentication is performed in two steps. In the first step one issues an authentication service (AS) , a so called TGS-ticket in exchange for a person proving that he/she is the person he/she gives himself/herself out to be.
The user identification is made by the user initially once and for all registers himself/herself manually and receives a password from Kerberos®. The password is stored centrally. When the user then wants to utilise services in the network he/she orders the TGS-ticket with his/her user identity as identification. The TGS-ticket includes i.a. a TGS-session key, the name of the service (i.e. TGS), a time stamp and period of validity. In return from the TGS the user receives the TGS-ticket encrypted by TGS password and a copy of the TGS-session key encrypted by the user's password. By that, only the true user can decrypt and utilise the information. In this way the password is never transmitted freely over the network.
The TGS-ticket is valid as access to a ticket issuing service (TGS) . In the second step, the user for that reason turns to TGS to get service tickets to other services. In this step the user transmits the TGS-ticket encrypted by TGS password and the name of the service which is asked for to TGS. TGS returns a ticket to the service encrypted by the password of the service and a copy of a service session key encrypted by the TGS-session key. For each new service the user wants to utilise he/she in the same way turns to said TGS and encloses his/her TGS-ticket in the transmission . This known method has several advantages. The user need only give his/her password once per working period. Only registered users can utilise the system because the user has to authenticate himself/herself at AT before he/she receives a ticket for a service. Services know that the user is authentic and not anyone who has copied the original message, because only the authentic sender knows the session key and is in a position to decode the traffic. The user also knows that a service is genuine because the session key in the ticket is encrypted by the key of the service. Only the genuine service consequently can decode the session key. Besides the user is always waiting for answer and consequently can be sure that the service is genuine .
The method according to Kerberos®, however, is not directly applicable on IP-telephony with mobility, such as a system with DECT-telephones which have access to an IP- network. For that reason there exists a need for a security solution for such telephony.
SUMMARY FO THE INVENTION The aim of the present invention consequently is to create a security solution for IP-telephony with mobility.
The object is achieved by a method for safe communication according to the invention as it is defined in patent claim 1 of the enclosed patent claims.
BRIEF DESCRIPTION OF THE DRAWINGS
In the following, embodiments of the method according to the invention will be described in detail with reference to the enclosed drawings, where: Figure 1 diagrammatically shows a tele and data communications system in which an embodiment of the method is implemented; and
Figure 2 diagrammatically shows a part of the system in Figure 1 in detail .
DETAILED DESCRIPTION OF EMBODIMENTS
Below, a preferred embodiment of the method according to the invention will be described, at which it is exemplified applied in a tele and data communications system which includes wireless telephones in form of DECT- telephones and which is shown in Figure 1. The method according to the invention is especially suited for such systems .
In each DECT-telephone 3 an identity code (ID-code) is stored which is created in such a way that it is unique, preferably globally unique. When the DECT-telephone 3 is in its home domain, i.e. a DECT-domain, and is switched on, the ID-code is transmitted to the base station 5 of the domain. From there the ID-code is forwarded to a mobility manager, here a so called proxy manager 9, see Figure 2, which is arranged in an IP-managing unit (IMU) 7. The proxy manager 9 starts for each DECT-telephone 3 a proxy 11, i.e. en proxy which represents the DECT-telephone 3 towards the Internet, or any other IP-network. The proxy manager 9, however requires a certain initiating information to be able to start a proxy 11. The information is collected from a specific initiating database 13, which here is called telephone directory. The telephone directory is reached via the IP-network 15. In order to have the information transmitted in a safe way, the above mentioned described known method called Kerberos® is utilised, and which i.a. is implemented on a server 17, which handles the central distribution of keys. The information includes IP-address, the subscriber's user name, and a key for mobile IP.
In this situation the proxy manager 9 is user and the telephone directory 13 the service which shall be used. For the proxy manager 9 to receive the information, it consequently must authenticate itself to the AS-part of the server 17 to get a TGS-ticket, and then utilises the identity code as user identity, and then by transmitting the TGS-ticket to the TGS-part of the server 17 receive a service ticket to the telephone directory. The information is transmitted well encrypted from the telephone directory 13 to the proxy manager 9, as has been described above. The proxy manager 9 then starts a proxy 11 with the information as input data. The proxy 11 now has the function of a mobile node. If it should be in a foreign network it will make use of a mobile IP to attend to that traffic which is intended for it is routed to right address. Within mobile IP authentication is of outmost importance because unauthorised persons without authentication might change the traffic in the system as they please, or fraudulently give themselves out as another persons than they are. This authentication is made by means of an encryption algorithm and a secret key which is shared by the mobile node, i.e. the proxy 11, and the mobility manager in its home network. The secret key is the above mentioned key for mobile IP which the proxy manager 9 receivers from the database 13. When the subscriber wants to utilise any of the services which the network operator offers, for instance make a call, both the subscriber and the operator are interested in that the debiting for the utilisation will be correct. The proxy 11 then contacts a debiting service to charge right account with right sum. This communication is also made by means of Kerberos®.
The proxy 11 is preferably compatible with the ITU- standard H.323, which can be utilised according to the following. At the communication between two subscribers, the receiver collects a session key from Kerberos® and establishes a safe and authenticated channel. After that H.323 follows on. The speech is accordingly transmitted encrypted in order that it shall not be possible to tap. At the same time participants, which are not authorised subscribers in the system, are prevented, by the authentication, from making free calls.
Above, a preferred embodiment of the method according to the invention has been described. This shall only be regarded as an example of how the invention can be implemented. A lot of modifications are possible within the frame of the invention as it is defined in the patent claims. Below follows some examples of such modifications. Above, the method has been described for IP- telephony with DECT-telephones. It is also applicable for other types of mobile IP-telephony . One example is a computer which is moved between different access points .
The above described key distribution method Kerberos® can be exchanged for another equivalent method which implies equivalent good authentication and encryption.

Claims

PATENT CLAIMS
1. Method for safe telephony with mobility in a tele and data communications system (1) which includes an IP- network (15) , at which the telephony is executed by mobile units, and at which the method for each mobile unit is c h a r a c t e r i s e d in the steps : to create a unique identity code and store it in the unit ; - to, when the unit is switched on, at least when it is switched on in a home domain, transmit the identity code to a mobility manager (9) ; to, via the IP-network, establish contact between the mobility manager and an initiating database (13) for transmission of initiating information for Internet communication from the initiation database to the mobility manager, which step includes to, by utilisation of the identity code, authenticate the mobility manager for access to the initiation database, and to encrypt the initiation information at the transmission; and to, by means of the initiating information, start a proxy (11) which represents the unit towards Internet.
2. Method according to patent claim 1, c h a r a c t e r i s e d in that said proxy for access to services in the communications system initially via the IP- network by means of in the initiating information included data authenticates itself to a server which centrally manages keys, at which the proxy from a part of the server receives a TGS-ticket and after that, by providing the TGS- ticket, via a TGS-part of said server receives service tickets for different services, at which each service ticket includes one for the service in question specific session key.
3. Method according to patent claim 1 or 2 , c h a r a c t e r i s e d in that in the data base store initiating information which for each user includes IP- address and key for mobile IP.
4. Method according to any of the preceding patent claims, c h a r a c t e r i s e d in that the step to, when the unit is switched on, at least when it is switched on in a home domain, transmit the identity code to a mobility manager, when the unit is a DECT-telephone, includes to transmit the identity code from the telephone to a base station (5) in the home domain, and to forward the identity code from the base station to the mobility manager .
5. Method according to any of the precedent patent claims, c h a r a c t e r i s e d in that the proxy, when it is in a foreign network, makes use of a mobile IP to attend to that traffic which is intended for it, is routed to right address .
EP99929982A 1998-05-27 1999-05-12 Method for safe telephony with mobility in a tele and data communications system which includes an ip-network Withdrawn EP1082837A2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
SE9801871A SE512440C2 (en) 1998-05-27 1998-05-27 Method for secure telephony with mobility in a telephone and data communication system comprising an IP network
SE9801871 1998-05-27
PCT/SE1999/000814 WO1999062222A2 (en) 1998-05-27 1999-05-12 Method for safe telephony with mobility in a tele and data communications system which includes an ip-network

Publications (1)

Publication Number Publication Date
EP1082837A2 true EP1082837A2 (en) 2001-03-14

Family

ID=20411477

Family Applications (1)

Application Number Title Priority Date Filing Date
EP99929982A Withdrawn EP1082837A2 (en) 1998-05-27 1999-05-12 Method for safe telephony with mobility in a tele and data communications system which includes an ip-network

Country Status (5)

Country Link
EP (1) EP1082837A2 (en)
EE (1) EE03893B1 (en)
NO (1) NO20005868L (en)
SE (1) SE512440C2 (en)
WO (1) WO1999062222A2 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2807597B1 (en) * 2000-04-11 2005-04-08 Sagem METHOD FOR MANAGING COMBIN MOBILITY WITHIN A WIRELESS TELECOMMUNICATION NETWORK
CN1322702C (en) * 2003-12-30 2007-06-20 华为技术有限公司 Identificaton method of internet protocol speech sound cut-in equipment
CN100349400C (en) * 2004-02-11 2007-11-14 任荣昌 Multiple service exchange method and system based on IP network user identification
HU226781B1 (en) 2004-03-01 2009-10-28 Miklos Jobbagy Device set for secure direct information transmission over internet
US9762576B2 (en) 2006-11-16 2017-09-12 Phonefactor, Inc. Enhanced multi factor authentication
US8365258B2 (en) 2006-11-16 2013-01-29 Phonefactor, Inc. Multi factor authentication

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5535276A (en) * 1994-11-09 1996-07-09 Bell Atlantic Network Services, Inc. Yaksha, an improved system and method for securing communications using split private key asymmetric cryptography
US5602918A (en) * 1995-12-22 1997-02-11 Virtual Open Network Environment Corp. Application level security system and method
GB2317792B (en) * 1996-09-18 2001-03-28 Secure Computing Corp Virtual private network on application gateway
US5684950A (en) * 1996-09-23 1997-11-04 Lockheed Martin Corporation Method and system for authenticating users to multiple computer servers via a single sign-on

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO9962222A2 *

Also Published As

Publication number Publication date
WO1999062222A2 (en) 1999-12-02
EE200000701A (en) 2002-04-15
NO20005868L (en) 2001-01-25
NO20005868D0 (en) 2000-11-21
EE03893B1 (en) 2002-10-15
SE9801871D0 (en) 1998-05-27
WO1999062222A3 (en) 2000-02-03
SE512440C2 (en) 2000-03-20
SE9801871L (en) 1999-11-28

Similar Documents

Publication Publication Date Title
US6334056B1 (en) Secure gateway processing for handheld device markup language (HDML)
Hwang et al. A self-encryption mechanism for authentication of roaming and teleconference services
US6145084A (en) Adaptive communication system enabling dissimilar devices to exchange information over a network
US7865173B2 (en) Method and arrangement for authentication procedures in a communication network
CN101077017B (en) Systems and methods for facilitating instant communications over distributed cellular networks
CN1839608B (en) Device and method for generating a unique user's identity for use between different domains
US7197297B2 (en) Authentication method for enabling a user of a mobile station to access to private data or services
US7340525B1 (en) Method and apparatus for single sign-on in a wireless environment
JP2000232690A (en) Method for security for communication network and method for data transfer with security
WO2001054346A1 (en) Method for issuing an electronic identity
WO2001050682A1 (en) Communication using virtual telephone numbers
CA2468599A1 (en) Use of a public key key pair in the terminal for authentication and authorization of the telecommunication subscriber in respect of the network operator and business partners
CN112565294A (en) Identity authentication method based on block chain electronic signature
WO1999062222A2 (en) Method for safe telephony with mobility in a tele and data communications system which includes an ip-network
CN1771753B (en) Method and apparatus for user authentication using infrared communication of a mobile terminal
CN101090314A (en) Method and device for providing talking start protocol and ticket grant service
CN100450011C (en) Device for mediating in management orders
US11146536B2 (en) Method and a system for managing user identities for use during communication between two web browsers
US7139377B2 (en) Method of providing services to remote private terminals and an associated device
US20050190904A1 (en) Method for performing network-based telephone user identification
MXPA01013117A (en) System and method for local policy enforcement for internet service providers.
CN100479452C (en) Method for security transmission of card number information from IP terminal to soft switch
US6961851B2 (en) Method and apparatus for providing communications security using a remote server
KR100637996B1 (en) System for providing dialing authorization
WO1999037055A1 (en) System and method for providing secure remote access to a computer network

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20001227

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): DE DK ES FI FR GB IT SE

AX Request for extension of the european patent

Free format text: LT PAYMENT 20001227;LV PAYMENT 20001227

17Q First examination report despatched

Effective date: 20070720

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: TELIASONERA AB

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20100202