EP1082837A2 - Method for safe telephony with mobility in a tele and data communications system which includes an ip-network - Google Patents
Method for safe telephony with mobility in a tele and data communications system which includes an ip-networkInfo
- Publication number
- EP1082837A2 EP1082837A2 EP99929982A EP99929982A EP1082837A2 EP 1082837 A2 EP1082837 A2 EP 1082837A2 EP 99929982 A EP99929982 A EP 99929982A EP 99929982 A EP99929982 A EP 99929982A EP 1082837 A2 EP1082837 A2 EP 1082837A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- network
- identity code
- unit
- mobility manager
- initiating
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
Definitions
- the present invention relates to a method for safe telephony with mobility in a tele and data communications system which includes an IP-network.
- Kerberos ⁇ A known solution of the managing of keys is called Kerberos ⁇ .
- This known solution provides a central distribution of keys and is intended for users of services in networks. Kerberos ® attends to that the user can confirm his/her identity to a given service without risk that anybody is tapping the transmission in order to in a later stage unduly borrow the user's identity.
- an authentication is performed in two steps. In the first step one issues an authentication service (AS) , a so called TGS-ticket in exchange for a person proving that he/she is the person he/she gives himself/herself out to be.
- AS authentication service
- the user identification is made by the user initially once and for all registers himself/herself manually and receives a password from Kerberos ® .
- the password is stored centrally.
- the TGS-ticket includes i.a. a TGS-session key, the name of the service (i.e. TGS), a time stamp and period of validity.
- TGS-session key the name of the service (i.e. TGS)
- TGS-session key the name of the service
- TGS-session key the name of the service
- period of validity i.e.
- the user receives the TGS-ticket encrypted by TGS password and a copy of the TGS-session key encrypted by the user's password.
- the TGS-ticket is valid as access to a ticket issuing service (TGS) .
- TGS ticket issuing service
- the user for that reason turns to TGS to get service tickets to other services.
- the user transmits the TGS-ticket encrypted by TGS password and the name of the service which is asked for to TGS.
- TGS returns a ticket to the service encrypted by the password of the service and a copy of a service session key encrypted by the TGS-session key.
- For each new service the user wants to utilise he/she in the same way turns to said TGS and encloses his/her TGS-ticket in the transmission .
- This known method has several advantages. The user need only give his/her password once per working period.
- Kerberos ® is not directly applicable on IP-telephony with mobility, such as a system with DECT-telephones which have access to an IP- network. For that reason there exists a need for a security solution for such telephony.
- the aim of the present invention consequently is to create a security solution for IP-telephony with mobility.
- Figure 1 diagrammatically shows a tele and data communications system in which an embodiment of the method is implemented
- Figure 2 diagrammatically shows a part of the system in Figure 1 in detail .
- each DECT-telephone 3 an identity code (ID-code) is stored which is created in such a way that it is unique, preferably globally unique.
- ID-code is transmitted to the base station 5 of the domain. From there the ID-code is forwarded to a mobility manager, here a so called proxy manager 9, see Figure 2, which is arranged in an IP-managing unit (IMU) 7.
- the proxy manager 9 starts for each DECT-telephone 3 a proxy 11, i.e. en proxy which represents the DECT-telephone 3 towards the Internet, or any other IP-network.
- the information is collected from a specific initiating database 13, which here is called telephone directory.
- the telephone directory is reached via the IP-network 15.
- Kerberos ® is utilised, and which i.a. is implemented on a server 17, which handles the central distribution of keys.
- the information includes IP-address, the subscriber's user name, and a key for mobile IP.
- the proxy manager 9 is user and the telephone directory 13 the service which shall be used.
- the proxy manager 9 For the proxy manager 9 to receive the information, it consequently must authenticate itself to the AS-part of the server 17 to get a TGS-ticket, and then utilises the identity code as user identity, and then by transmitting the TGS-ticket to the TGS-part of the server 17 receive a service ticket to the telephone directory.
- the information is transmitted well encrypted from the telephone directory 13 to the proxy manager 9, as has been described above.
- the proxy manager 9 then starts a proxy 11 with the information as input data.
- the proxy 11 now has the function of a mobile node. If it should be in a foreign network it will make use of a mobile IP to attend to that traffic which is intended for it is routed to right address.
- This authentication is made by means of an encryption algorithm and a secret key which is shared by the mobile node, i.e. the proxy 11, and the mobility manager in its home network.
- the secret key is the above mentioned key for mobile IP which the proxy manager 9 receivers from the database 13.
- the proxy 11 is preferably compatible with the ITU- standard H.323, which can be utilised according to the following.
- the receiver collects a session key from Kerberos ® and establishes a safe and authenticated channel. After that H.323 follows on.
- the speech is accordingly transmitted encrypted in order that it shall not be possible to tap.
- participants, which are not authorised subscribers in the system are prevented, by the authentication, from making free calls.
- Kerberos ® can be exchanged for another equivalent method which implies equivalent good authentication and encryption.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention relates to a method for safe telephony with mobility in a tele and data communications system (1) which includes an IP-network (15), at which the telephony is executed with mobile units and at which the method for each mobile unit includes the steps: to create a unique identity code and store it in the unit; to, at the switching on of the unit, at least at switching it on in a home domain, transmit the identity code to a mobility manager (9); to, via the IP-network, establish contact between the mobility manager and an initiating database (13) for transmission of initiating information for Internet communication from the initiating data base to the mobility manager, which step includes to, by utilisation of the identity code, authenticate the mobility manager for access to the initiating data base, and to encrypt the initiating information at the transmission; and to, by means of the initiating information, start a proxy (11) which represents the unit towards the Internet.
Description
METHOD FOR SAFE TELEPHONY WITH MOBILITY IN A TELE AND DATA COMMUNICATIONS SYSTEM WHICH INCLUDES AN IP-NETWORK
TECHNICAL FIELD The present invention relates to a method for safe telephony with mobility in a tele and data communications system which includes an IP-network.
BACKGROUND OF THE TECHNOLOGY In a data and telecommunications system which offers a user IP-telephony with mobility, the integrity of the Internet-traffic must be taken into consideration. This means for instance that the network operator can debit services to right account and that there is no risk for unauthorised utilisation.
For that reason there is a great need of well functioning security systems which as far as possible guarantee a correct and safe identification of a user. This is not least of importance for a correct debiting. Further, for example, an unauthorised person shall not be in a position to forward telephone calls and shall not be in a position to take part in the communication between two users of the system. Communication channels in the system for that reason must be encrypted and authenticated. This, in its turn, creates a need for common keys.
If all participants in the system would exchange and store each other's keys, this would involve a security risk. Besides it would impair the scalability of the system. A known solution of the managing of keys is called Kerberos©. This known solution provides a central distribution of keys and is intended for users of services in networks. Kerberos® attends to that the user can confirm his/her identity to a given service without risk that anybody is tapping the transmission in order to in a later stage unduly borrow the user's identity. In this known
solution an authentication is performed in two steps. In the first step one issues an authentication service (AS) , a so called TGS-ticket in exchange for a person proving that he/she is the person he/she gives himself/herself out to be.
The user identification is made by the user initially once and for all registers himself/herself manually and receives a password from Kerberos®. The password is stored centrally. When the user then wants to utilise services in the network he/she orders the TGS-ticket with his/her user identity as identification. The TGS-ticket includes i.a. a TGS-session key, the name of the service (i.e. TGS), a time stamp and period of validity. In return from the TGS the user receives the TGS-ticket encrypted by TGS password and a copy of the TGS-session key encrypted by the user's password. By that, only the true user can decrypt and utilise the information. In this way the password is never transmitted freely over the network.
The TGS-ticket is valid as access to a ticket issuing service (TGS) . In the second step, the user for that reason turns to TGS to get service tickets to other services. In this step the user transmits the TGS-ticket encrypted by TGS password and the name of the service which is asked for to TGS. TGS returns a ticket to the service encrypted by the password of the service and a copy of a service session key encrypted by the TGS-session key. For each new service the user wants to utilise he/she in the same way turns to said TGS and encloses his/her TGS-ticket in the transmission . This known method has several advantages. The user need only give his/her password once per working period. Only registered users can utilise the system because the user has to authenticate himself/herself at AT before he/she receives a ticket for a service. Services know that the user is authentic and not anyone who has copied the original message, because only the authentic sender knows
the session key and is in a position to decode the traffic. The user also knows that a service is genuine because the session key in the ticket is encrypted by the key of the service. Only the genuine service consequently can decode the session key. Besides the user is always waiting for answer and consequently can be sure that the service is genuine .
The method according to Kerberos®, however, is not directly applicable on IP-telephony with mobility, such as a system with DECT-telephones which have access to an IP- network. For that reason there exists a need for a security solution for such telephony.
SUMMARY FO THE INVENTION The aim of the present invention consequently is to create a security solution for IP-telephony with mobility.
The object is achieved by a method for safe communication according to the invention as it is defined in patent claim 1 of the enclosed patent claims.
BRIEF DESCRIPTION OF THE DRAWINGS
In the following, embodiments of the method according to the invention will be described in detail with reference to the enclosed drawings, where: Figure 1 diagrammatically shows a tele and data communications system in which an embodiment of the method is implemented; and
Figure 2 diagrammatically shows a part of the system in Figure 1 in detail .
DETAILED DESCRIPTION OF EMBODIMENTS
Below, a preferred embodiment of the method according to the invention will be described, at which it is exemplified applied in a tele and data communications system which includes wireless telephones in form of DECT- telephones and which is shown in Figure 1. The method
according to the invention is especially suited for such systems .
In each DECT-telephone 3 an identity code (ID-code) is stored which is created in such a way that it is unique, preferably globally unique. When the DECT-telephone 3 is in its home domain, i.e. a DECT-domain, and is switched on, the ID-code is transmitted to the base station 5 of the domain. From there the ID-code is forwarded to a mobility manager, here a so called proxy manager 9, see Figure 2, which is arranged in an IP-managing unit (IMU) 7. The proxy manager 9 starts for each DECT-telephone 3 a proxy 11, i.e. en proxy which represents the DECT-telephone 3 towards the Internet, or any other IP-network. The proxy manager 9, however requires a certain initiating information to be able to start a proxy 11. The information is collected from a specific initiating database 13, which here is called telephone directory. The telephone directory is reached via the IP-network 15. In order to have the information transmitted in a safe way, the above mentioned described known method called Kerberos® is utilised, and which i.a. is implemented on a server 17, which handles the central distribution of keys. The information includes IP-address, the subscriber's user name, and a key for mobile IP.
In this situation the proxy manager 9 is user and the telephone directory 13 the service which shall be used. For the proxy manager 9 to receive the information, it consequently must authenticate itself to the AS-part of the server 17 to get a TGS-ticket, and then utilises the identity code as user identity, and then by transmitting the TGS-ticket to the TGS-part of the server 17 receive a service ticket to the telephone directory. The information is transmitted well encrypted from the telephone directory 13 to the proxy manager 9, as has been described above. The proxy manager 9 then starts a proxy 11 with the information as input data.
The proxy 11 now has the function of a mobile node. If it should be in a foreign network it will make use of a mobile IP to attend to that traffic which is intended for it is routed to right address. Within mobile IP authentication is of outmost importance because unauthorised persons without authentication might change the traffic in the system as they please, or fraudulently give themselves out as another persons than they are. This authentication is made by means of an encryption algorithm and a secret key which is shared by the mobile node, i.e. the proxy 11, and the mobility manager in its home network. The secret key is the above mentioned key for mobile IP which the proxy manager 9 receivers from the database 13. When the subscriber wants to utilise any of the services which the network operator offers, for instance make a call, both the subscriber and the operator are interested in that the debiting for the utilisation will be correct. The proxy 11 then contacts a debiting service to charge right account with right sum. This communication is also made by means of Kerberos®.
The proxy 11 is preferably compatible with the ITU- standard H.323, which can be utilised according to the following. At the communication between two subscribers, the receiver collects a session key from Kerberos® and establishes a safe and authenticated channel. After that H.323 follows on. The speech is accordingly transmitted encrypted in order that it shall not be possible to tap. At the same time participants, which are not authorised subscribers in the system, are prevented, by the authentication, from making free calls.
Above, a preferred embodiment of the method according to the invention has been described. This shall only be regarded as an example of how the invention can be implemented. A lot of modifications are possible within the frame of the invention as it is defined in the patent claims. Below follows some examples of such modifications.
Above, the method has been described for IP- telephony with DECT-telephones. It is also applicable for other types of mobile IP-telephony . One example is a computer which is moved between different access points .
The above described key distribution method Kerberos® can be exchanged for another equivalent method which implies equivalent good authentication and encryption.
Claims
1. Method for safe telephony with mobility in a tele and data communications system (1) which includes an IP- network (15) , at which the telephony is executed by mobile units, and at which the method for each mobile unit is c h a r a c t e r i s e d in the steps : to create a unique identity code and store it in the unit ; - to, when the unit is switched on, at least when it is switched on in a home domain, transmit the identity code to a mobility manager (9) ; to, via the IP-network, establish contact between the mobility manager and an initiating database (13) for transmission of initiating information for Internet communication from the initiation database to the mobility manager, which step includes to, by utilisation of the identity code, authenticate the mobility manager for access to the initiation database, and to encrypt the initiation information at the transmission; and to, by means of the initiating information, start a proxy (11) which represents the unit towards Internet.
2. Method according to patent claim 1, c h a r a c t e r i s e d in that said proxy for access to services in the communications system initially via the IP- network by means of in the initiating information included data authenticates itself to a server which centrally manages keys, at which the proxy from a part of the server receives a TGS-ticket and after that, by providing the TGS- ticket, via a TGS-part of said server receives service tickets for different services, at which each service ticket includes one for the service in question specific session key.
3. Method according to patent claim 1 or 2 , c h a r a c t e r i s e d in that in the data base store initiating information which for each user includes IP- address and key for mobile IP.
4. Method according to any of the preceding patent claims, c h a r a c t e r i s e d in that the step to, when the unit is switched on, at least when it is switched on in a home domain, transmit the identity code to a mobility manager, when the unit is a DECT-telephone, includes to transmit the identity code from the telephone to a base station (5) in the home domain, and to forward the identity code from the base station to the mobility manager .
5. Method according to any of the precedent patent claims, c h a r a c t e r i s e d in that the proxy, when it is in a foreign network, makes use of a mobile IP to attend to that traffic which is intended for it, is routed to right address .
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SE9801871A SE512440C2 (en) | 1998-05-27 | 1998-05-27 | Method for secure telephony with mobility in a telephone and data communication system comprising an IP network |
SE9801871 | 1998-05-27 | ||
PCT/SE1999/000814 WO1999062222A2 (en) | 1998-05-27 | 1999-05-12 | Method for safe telephony with mobility in a tele and data communications system which includes an ip-network |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1082837A2 true EP1082837A2 (en) | 2001-03-14 |
Family
ID=20411477
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP99929982A Withdrawn EP1082837A2 (en) | 1998-05-27 | 1999-05-12 | Method for safe telephony with mobility in a tele and data communications system which includes an ip-network |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1082837A2 (en) |
EE (1) | EE03893B1 (en) |
NO (1) | NO20005868L (en) |
SE (1) | SE512440C2 (en) |
WO (1) | WO1999062222A2 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2807597B1 (en) * | 2000-04-11 | 2005-04-08 | Sagem | METHOD FOR MANAGING COMBIN MOBILITY WITHIN A WIRELESS TELECOMMUNICATION NETWORK |
CN1322702C (en) * | 2003-12-30 | 2007-06-20 | 华为技术有限公司 | Identificaton method of internet protocol speech sound cut-in equipment |
CN100349400C (en) * | 2004-02-11 | 2007-11-14 | 任荣昌 | Multiple service exchange method and system based on IP network user identification |
HU226781B1 (en) | 2004-03-01 | 2009-10-28 | Miklos Jobbagy | Device set for secure direct information transmission over internet |
US9762576B2 (en) | 2006-11-16 | 2017-09-12 | Phonefactor, Inc. | Enhanced multi factor authentication |
US8365258B2 (en) | 2006-11-16 | 2013-01-29 | Phonefactor, Inc. | Multi factor authentication |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5535276A (en) * | 1994-11-09 | 1996-07-09 | Bell Atlantic Network Services, Inc. | Yaksha, an improved system and method for securing communications using split private key asymmetric cryptography |
US5602918A (en) * | 1995-12-22 | 1997-02-11 | Virtual Open Network Environment Corp. | Application level security system and method |
GB2317792B (en) * | 1996-09-18 | 2001-03-28 | Secure Computing Corp | Virtual private network on application gateway |
US5684950A (en) * | 1996-09-23 | 1997-11-04 | Lockheed Martin Corporation | Method and system for authenticating users to multiple computer servers via a single sign-on |
-
1998
- 1998-05-27 SE SE9801871A patent/SE512440C2/en not_active IP Right Cessation
-
1999
- 1999-05-12 EP EP99929982A patent/EP1082837A2/en not_active Withdrawn
- 1999-05-12 EE EEP200000701A patent/EE03893B1/en not_active IP Right Cessation
- 1999-05-12 WO PCT/SE1999/000814 patent/WO1999062222A2/en active Application Filing
-
2000
- 2000-11-21 NO NO20005868A patent/NO20005868L/en not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
See references of WO9962222A2 * |
Also Published As
Publication number | Publication date |
---|---|
WO1999062222A2 (en) | 1999-12-02 |
EE200000701A (en) | 2002-04-15 |
NO20005868L (en) | 2001-01-25 |
NO20005868D0 (en) | 2000-11-21 |
EE03893B1 (en) | 2002-10-15 |
SE9801871D0 (en) | 1998-05-27 |
WO1999062222A3 (en) | 2000-02-03 |
SE512440C2 (en) | 2000-03-20 |
SE9801871L (en) | 1999-11-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6334056B1 (en) | Secure gateway processing for handheld device markup language (HDML) | |
Hwang et al. | A self-encryption mechanism for authentication of roaming and teleconference services | |
US6145084A (en) | Adaptive communication system enabling dissimilar devices to exchange information over a network | |
US7865173B2 (en) | Method and arrangement for authentication procedures in a communication network | |
CN101077017B (en) | Systems and methods for facilitating instant communications over distributed cellular networks | |
CN1839608B (en) | Device and method for generating a unique user's identity for use between different domains | |
US7197297B2 (en) | Authentication method for enabling a user of a mobile station to access to private data or services | |
US7340525B1 (en) | Method and apparatus for single sign-on in a wireless environment | |
JP2000232690A (en) | Method for security for communication network and method for data transfer with security | |
WO2001054346A1 (en) | Method for issuing an electronic identity | |
WO2001050682A1 (en) | Communication using virtual telephone numbers | |
CA2468599A1 (en) | Use of a public key key pair in the terminal for authentication and authorization of the telecommunication subscriber in respect of the network operator and business partners | |
CN112565294A (en) | Identity authentication method based on block chain electronic signature | |
WO1999062222A2 (en) | Method for safe telephony with mobility in a tele and data communications system which includes an ip-network | |
CN1771753B (en) | Method and apparatus for user authentication using infrared communication of a mobile terminal | |
CN101090314A (en) | Method and device for providing talking start protocol and ticket grant service | |
CN100450011C (en) | Device for mediating in management orders | |
US11146536B2 (en) | Method and a system for managing user identities for use during communication between two web browsers | |
US7139377B2 (en) | Method of providing services to remote private terminals and an associated device | |
US20050190904A1 (en) | Method for performing network-based telephone user identification | |
MXPA01013117A (en) | System and method for local policy enforcement for internet service providers. | |
CN100479452C (en) | Method for security transmission of card number information from IP terminal to soft switch | |
US6961851B2 (en) | Method and apparatus for providing communications security using a remote server | |
KR100637996B1 (en) | System for providing dialing authorization | |
WO1999037055A1 (en) | System and method for providing secure remote access to a computer network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20001227 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): DE DK ES FI FR GB IT SE |
|
AX | Request for extension of the european patent |
Free format text: LT PAYMENT 20001227;LV PAYMENT 20001227 |
|
17Q | First examination report despatched |
Effective date: 20070720 |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: TELIASONERA AB |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20100202 |