WO2003007573A1 - A mechanism to allow authentication of sip calls terminated to a mobile node - Google Patents

A mechanism to allow authentication of sip calls terminated to a mobile node Download PDF

Info

Publication number
WO2003007573A1
WO2003007573A1 PCT/IB2002/002718 IB0202718W WO03007573A1 WO 2003007573 A1 WO2003007573 A1 WO 2003007573A1 IB 0202718 W IB0202718 W IB 0202718W WO 03007573 A1 WO03007573 A1 WO 03007573A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
authentication
subscriber equipment
control element
result
Prior art date
Application number
PCT/IB2002/002718
Other languages
French (fr)
Inventor
Stefano Faccin
Franck Le
Original Assignee
Nokia Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Corporation filed Critical Nokia Corporation
Publication of WO2003007573A1 publication Critical patent/WO2003007573A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1069Session establishment or de-establishment
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1101Session protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1101Session protocols
    • H04L65/1104Session initiation protocol [SIP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M7/00Arrangements for interconnection between switching centres
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M7/00Arrangements for interconnection between switching centres
    • H04M7/006Networks other than PSTN/ISDN providing telephone service, e.g. Voice over Internet Protocol (VoIP), including next generation networks with a packet-switched transport layer
    • H04M7/0078Security; Fraud detection; Fraud prevention
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W48/00Access restriction; Network selection; Access point selection
    • H04W48/08Access restriction or access information delivery, e.g. discovery data delivery

Definitions

  • the present invention relates to a method and a network system for performing authentication of terminated calls, in particular of terminated SIP (Session Initiation 0 Protocol) calls.
  • terminated SIP Session Initiation 0 Protocol
  • the network node which actually performs the authentication requests a parameter set consisting of a random number RAND (usually, 128 bit) and a scheduled 5 result (RESP) from an Authentication Center (AuC) and sends the RAND to the mobile node.
  • RAND random number
  • RESP scheduled 5 result
  • AuC Authentication Center
  • the mobile node MS, mobile station
  • the calculation is performed in the mobile node by using a secret algorithm.
  • the user identity, the challenge and a key shared between the user and the authenticator are taken as inputs to an authentication algorithm, thus resulting in the expected output.
  • the shared key must be kept private and only the user and the authenticator should know it; but the
  • the result RESP_CALC is transmitted to the network node performing a verification of the authentication. It checks whether the scheduled result RESP is equal to the calculated result RESP_CALC. If both results are equal, the authentication is successful, otherwise it fails.
  • the serving network i.e. the network providing services to the mobile nodes
  • the invention applies to networks, such as, e.g., Voice over IP (VoIP) networks, where the SIP protocol is adopted as control protocol to setup multimedia communications, for example.
  • VoIP Voice over IP
  • the invention applies to the case of mobile VoIP networks where calls need to be delivered to mobile nodes.
  • the SIP protocol provides a mechanism to allow authentication of a SIP terminal when the terminal registers to a SIP server and when the terminal establishes a SIP call.
  • SIP does not foresee any mechanism to support authentication of SIP calls delivered to the mobile node. That is, SIP, as currently defined, does not allow authentication of terminated calls.
  • the object underlying the invention resides in providing a mechanism which allows an authentication of a subscriber in a mobile terminated call.
  • This object is solved by a method of performing authentication of a subscriber during a subscriber equipment terminated call, comprising the steps of sending a session invitation message to the subscriber equipment, the session invitation message including authentication information, and performing an authentication procedure in the subscriber equipment by using the authentication information.
  • the above object is solved by a network control element, wherein, during a subscriber equipment terminated call, the network control element is adapted to send a session invitation message to the subscriber equipment, the session invitation message including authentication information.
  • a subscriber equipment which is adapted to be connected to a network, and, during a subscriber equipment terminated call, to receive a session invitation message from the network, the session invitation message including authentication information, and to perform an authentication procedure by using the authentication information.
  • information necessary for performing an authentication procedure is included in a session invitation message which is sent during a subscriber equipment terminated call to the subscriber equipment.
  • the above mechanism can easily be implemented, since only new parameters have to be included in fields of existing control protocol messages. That is, the invention provides a simple mechanism and can easily be implemented.
  • a response message as a response to the session invitation message may be sent from the subscriber equipment to the network, the response message including a result of the authentication procedure.
  • the calculated result of the authentication procedure is included in a response message to the session invitation. That is, also for transmitting the result of the authentication, no additional message is required, which also reduces the signaling load on the network.
  • the authentication procedure result may be verified in a network control element.
  • the response message of the subscriber equipment may be forwarded to the originating entity without the result of the authentication procedure .
  • the establishment of the call between the originating entity (i.e., caller) and the subscriber entity (i.e., callee) can easily be completed by forwarding the response message without the parameter indicating the authentication procedure result calculated by the subscriber equipment.
  • a failure message may be forwarded to the originating entity.
  • the originating entity i.e., the caller
  • the SIP (Session Initiation Protocol) protocol may be adopted as a control protocol.
  • the session invitation message may be a SIP INVITE request including an authentication header field.
  • the response message may be a SIP response message including an authorization header field.
  • the verification may be performed in a network control element serving the originating entity.
  • the verification may be performed in another network control element than that network control element serving the originating entity.
  • a scheduled result for the authentication may be forwarded to the other network control element by including the scheduled result into the session invitation message.
  • the other network control element may extract the scheduled result from the session invitation message in the other network control element and forward the session invitation message without the scheduled result to the subscriber equipment.
  • the part authentication information which is necessary to verify the authentication can be conveyed in the session invitation message (e.g., SIP INVITE request) . That is, the signaling load on the network is further reduced.
  • the network control element may be adapted to determine whether it has to perform the verification of the authentication or not. Thus, in response to this determination, the network control element may perform the above steps or not.
  • a response message may be sent as a response to the session invitation message from the subscriber equipment to the network, the response message including a result of the authentication procedure and network authentication information which is used by the subscriber equipment to perform an authentication of the network. That is, the user, i.e., the callee has the possibility to perform an authentication of the network.
  • the network may determine a network authentication result in response to the network authentication information by the network, and send the network authentication result to the subscriber equipment, such that the subscriber equipment may verify the network authentication result.
  • the authentication procedure performing step and the verification step may be repeated a predetermined number of times, wherein different authentication information may be used. That is, a mutiple round trips authentication scheme may be used.
  • the authentication data to be sent to the subscriber equipment may comprise a invitation to the user to type a password.
  • the authentication result may comprise the typed password.
  • an authentication scheme may be applied in which not only the authentication of a SIM card or the like is checked, but also of the user itself, since the user itself has to type the password.
  • Fig. 1 shows a diagram illustrating a signaling flow between a SIP server, a SIP proxy and mobile node MS according to a preferred embodiment of the invention, wherein the authentication is verified in the SIP server,
  • Fig. 2 shows a diagram illustrating a signaling flow between a SIP server, a SIP proxy and mobile node MS according to the preferred embodiment of the invention, wherein the authentication is verified in the SIP proxy,
  • Fig. 3 shows a diagram illustrating a signaling flow between a SIP server, a SIP proxy and mobile node MS according to the preferred embodiment of the invention, wherein authentication is verified in an authentication center,
  • Fig. 4 shows a diagram illustrating a signaling flow according to a modification of the preferred embodiment of the invention.
  • Fig. 5 shows a diagram illustrating a signaling flow according to a further modification of the preferred embodiment of the invention.
  • a mechanism is introduced which allows an authentication of terminated SIP calls by requesting the terminated node to authenticate itself as a part of the call termination procedure.
  • Such an invitation and responding may be advantageously performed by using the SIP (Session Initiation Protocol) , however, it is noted that the present invention is not limited thereon.
  • SIP Session Initiation Protocol
  • the invitation according to SIP is performed by sending two requests: A SIP INVITE request, by which the caller invites the callee to participate in a particular call or multimedia session or the like.
  • the callee answers with a SIP response.
  • the callee sends a 200 OK response to the caller.
  • the caller then sends a second SIP request, i.e., ACK request, in order to acknowledge the response of the callee.
  • ACK request i.e., ACK request
  • the caller is no longer interested in the call or session, he may send a BYE request to the callee in order to terminate the session.
  • the requests in particular the INVITE request, contain several information within fields. For example, a description of the session to which the callee is invited is included in the fields.
  • an additional field i.e., an additional parameter has to be included into the SIP INVITE request. Namely, the information needed for performing the authentication is included in the SIP
  • the RAND number which is provided by an authentication entity has to be included in the SIP INIVITE request.
  • an authentication entity e.g., AuC or a SIP server which actually performs the authentication
  • authentication extension is referred to as authentication extension in the following.
  • the W W-Authenticate Response-Header field which is already defined in SIP is used for such a field.
  • the WWW-Authenticate response-header field has to be included in 401 (Unauthorized) response messages.
  • the field value consists of at least one challenge that indicates the authentication scheme (s) and parameters applicable to the Request-URI.
  • an already defined field may include the necessary information, namely the RAND, i.e., challenge, and information regarding the authentication scheme.
  • the mobile node After receiving such a SIP INVITE request, the mobile node responses with a SIP response like, e.g., 200 OK or the like. Furthermore, the mobile node calculates the RESP_CALC value and includes this value into the SIP response .
  • a SIP response like, e.g., 200 OK or the like.
  • the Authorization Request Header field may be included into the SIP response.
  • the Authorization Request header field is included in case a user agent wishes to authenticate itself with a server, usually (but not necessarily) after receiving a 401 (Unauthorized) response.
  • the Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.
  • SIP INVITE as mentioned above, the WWW-Authenticate Response-Header field (already defined in SIP) needs to be added.
  • SIP 200 OK the Authorization Request Header field (already defined in SIP) needs to be added.
  • the 200 OK response is sent in case the SIP INVITE request has succeeded.
  • the information returned with the response depends on the method used in the request, for example INVITE: The callee has agreed to participate; the message body indicates the callee ' s capabilities.
  • the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the method specified in the Request-Line is not allowed for the address identified by the Request-URI . The response must include an Allow header field containing a list of valid methods for the indicated address.
  • 408 Request Timeout the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the called entity could not produce a response, e.g., a user location, within the time indicated in an Expires request-header field.
  • the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the callee 's end system (i.e., the mobile node) was contacted successfully but the callee is currently unavailable (e.g., not logged in or logged in in such a manner as to preclude communication with the callee) .
  • 606 Not Acceptable the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the called entity was contacted successfully but some aspects of the session description such as the requested media, bandwidth, or addressing style were not acceptable.
  • a 606 (Not Acceptable) response means that the user wishes to communicate, but cannot adequately support the session described.
  • RAND is a random parameter generated by an entity, here named AuC (Authentication Center) , that is outside the scope of this invention.
  • AuC also generates the RESP parameter, i.e., the scheduled result.
  • the above described Authorization Request Header field will contain the parameter CALC_RESP (of the same length of RESP) .
  • a call is to be initiated between a caller (calling mobile node MS, as an example for an originating entity) and a callee (called MS, as an example for a subscriber entity) via a SIP server and a SIP proxy (as examples for a network control element) .
  • a caller calling mobile node MS, as an example for an originating entity
  • MS callee
  • SIP server serving the caller
  • proxy forwards signaling.
  • the SIP server receiving an incoming mobile terminated call for a mobile node from a calling party (step SI), determines that the call needs to be authenticated (e.g. based on profiles or policies) (step S2) and retrieves (according to a mechanism outside the scope of the invention) necessary data for the authentication from an authentication center (step S3) .
  • These authentication data include first data AuthDatal which is to be forwarded to the called mobile node and second data AuthResp which is to be used by the SIP server.
  • the SIP server forwards the SIP INVITE request (containing the authentication extensions with the authentication parameters) towards the mobile node (steps S4 and S5) .
  • the SIP server determines according to network policies that it is the authentication verification point. Hence, it forwards the SIP INVITE request with the authentication extensions containing only AuthDatal and puts its URL in the VIA field.
  • any SIP server or proxy receiving an authentication extension with only AuthDatal will simply forward the message.
  • this is the case for the SIP proxy receiving the SIP INVITE request from the SIP server. That is, the SIP proxy forwards the SIP INVITE request to the mobile node unchanged.
  • the mobile node receiving the SIP INVITE request containing the RAND parameter, executes the authentication algorithm taking AuthDatal as input and producing an output value AuthData2.
  • the mobile node When the mobile node answers to the SIP INVITE request with any of the messages identified in the above points 2-16, it returns the AuthData2 parameter.
  • the user accepts the SIP INVITE request and that there are no further problems (due to which one of the above responses 3 to 16 would be sent) .
  • a 200 OK response is sent in step S6.
  • the response is forwarded transparently by the SIP proxies until it reaches the SIP server designated for the verification for the authentication.
  • this SIP proxy forwards the 200 OK response including the parameter AuthData2 of the mobile node to the SIP server in step S7.
  • the SIP server verifies the parameter AuthData2 with the parameter AuthResp which was retrieved from the authentication center in step S3.
  • the SIP server After a successful verification of the authentication, the SIP server forwards the 200 OK response of the mobile node to the caller in step S9.
  • the SIP server may send a corresponding failure message to the caller.
  • Such a message may be a 405 Not Allowed message including a parameter indicating to the caller that the authentication of the callee was unsuccessful .
  • the caller may send an SIP ACK request after receiving the 200 OK response. That is, the session is established according to normal SIP.
  • the parameter AuthDatal sent to the called mobile node in steps S4 and S5 is the parameter RAND.
  • the mobile node calculates the parameter CALC_ ⁇ _RESP, which is the parameter AuthData2 sent to the SIP server in steps S6 and S7.
  • the parameter AuthResp retrieved from the authentication center in step S3 is the parameter RESP.
  • the verification is performed by comparing the value of RESP with the value of CALCJRESP. If both values are equal, the authentication is successful, otherwise it fails.
  • the functions of the SIP proxies/servers included in the path between the caller and callee may be different. This is illustrated in the example of Fig. 2 showing a signaling flow between a caller and a callee via a SIP server and a SIP proxy, wherein in this example it is assumed that the SIP server is not the authentication verification point, but the SIP proxy.
  • the SIP server may determine according to network policies that it is not the authentication verification point. In this case, it forwards the SIP INVITE request with the authentication extensions containing AuthDatal and AuthResp.
  • Any SIP server or proxy receiving authentication extension with both RAND and RESP decides whether to forward the INVITE message with only RAND or whether to forward the INVITE message with both RAND and RESP.
  • the first alternative (forwarding the INVITE message with only RAND) happens if the mobile node is directly reachable by the SIP server or proxy without passing through any other SIP server or proxy (this can be determined by screening the list of users who have registered to this SIP server/proxy) . Otherwise, the first alternative may happen based on network policies.
  • the second alternative (forwarding the INVITE message with both RAND and RESP) happens based on network policies .
  • the SIP server determines based on the network policies that it is not the authentication verification point, but the SIP proxy. Hence, it forwards the INVITE request including AuthDatal and AuthResp to the SIP proxy 1 in step S4a.
  • the SIP proxy determines that it is the authentication verification point. Hence, it extracts the AuthResp from the INVITE message and stores it. Thereafter, it forwards the INVITE request including only AuthDatal in step S5. In addition, the SIP proxy includes its address in the VIA field in order to indicate that it is the authentication verification point.
  • step S7a the SIP proxy verifies AuthData2 with
  • the SIP 200 OK response is forwarded to the caller in steps SS8a and S9 via the SIP server.
  • Fig. 3 shows a signaling flow for a case in which neither a SIP proxy nor a SIP server performs the authentication, but wherein the authentication is performed by an authentication center.
  • both the SIP server and the SIP proxy determine based on the network policies that they are not the authentication verification point, but the authentication center. Hence, in step S3b only the AuthDatal to be sent to the called mobile node is retrieved.
  • step S8b the SIP server performs an Authentication Data Request including AuthData2 from the called mobile note to the authentication center, which in turn verifies AuthData in step S8c.
  • step S8d the authentication center sends an Authentication Data Response to the SIP server.
  • the SIP server forwards the SIP 200 OK response in step S9 to the calling party. Otherwise, the SIP server may send a failure message to the calling party, as described above.
  • Fig. 4 shows a modification of the preferred embodiment, according to which the callee may also perform a network authentication.
  • the user may also want to authenticate the network to prevent network impersonation.
  • a man in the middle may otherwise try to send requests to the valid user and re-use the authentication result to perform undesirable operations.
  • Fig. 4 basically the same situation as shown in Fig. 2 is considered. That is, it is assumed that the SIP proxy performs the verification. However, also the other situations as described above with connection to Fig. 1 and 3 are possible. Same reference signs in Fig. 4 and Fig. 2 indicate same or basically same steps, and only those steps different from those of Fig. 2 are described in the following.
  • AuthDatal i.e., the subscriber equipment
  • AuthData3 additional authentication data AuthData3. These authentication data are used for the network authentication.
  • step S10 the authentication result, AuthData2, and the additional authentication data AuthData3 are sent to the SIP proxy.
  • a suitable SIP message may be used, for example a 401 Unauthorized message. That is, a 200 OK message (as in case of Figs. 1 to 3) is not sent yet since the callee wants to perform a network authentication first.
  • step Sll the SIP proxy verifies AuthData2, and after a positive verification, the SIP proxy produces authentication data AuthData4 in response to the AuthData3, which are sent to the callee in step S12.
  • the authentication data AuthData4 may be included in a suitable SIP message.
  • step S13 the callee verifies AutData4, and only in case the verification is successful, the callee sends the SIP 200 OK response in step S14. This SIP 200 OK response is forwarded to the caller in steps S15 and S16.
  • the callee when receiving the RAND (as described above as an example for AuthDatal), the callee computes the RES (as described above as an example for AuthData2) to get authenticated by the network. But in the same time, he may also generate a RANDU (as an example for AuthData3) to authenticate the network. The callee will therefore send both the RES and the RANDU to the network. The network will authenticate the user based on the RAND and RES as described above in the description of the first embodiment.
  • the network computes network authentication data (as an example for AuthData4) based on RANDU and sends it back to the caller.
  • the SIP proxy has the necessary information for determining the network authentication data AuthData4. However, in some cases the SIP proxy may not have this information and/or capabilities. In this cases, the SIP proxy may need to contact the SIP server or Authentication Center (AuC) to compute the network authentication data. That is, in Fig. 4, the SIP server may access, during step Sll, the SIP server and/or the authentication center.
  • AuC Authentication Center
  • Fig. 5 illustrates a further modification of the preferred embodiment according to which a multiple round trips authentication scheme is applied.
  • same reference signs as in Fig. 1 denote the same steps, so that only different parts are described in the following.
  • authentication scheme is used which requires many round trips between the user and the network.
  • steps S3 to S8 of Fig. 1 may be repeated for a predetermined number of times, wherein always different AuthDatal may be supplied to the callee.
  • steps S23 to S38 which are enclosed in a dotted box. It is noted that in steps S24 to S27 SIP INVITE and SIP 200 OK messages may be used as in steps S4 to S7 for conveying the corresponding authentication data, however, also other suitable SIP messages or other kind of messages may be used.
  • a new set of authentication data AuthDatal and AuthResp is retrieved from the Authentication Center in step S23. That is, in each loop, a values for AuthDatal and AuthResp are set.
  • the SIP 200 OK response is forwarded to the caller in step S9.
  • the Authentication Center is involved to process the authentication data (i.e., after a successful result of each part- authentication, a new authentication data set is supplied) .
  • the SIP server may be supplied already in step S3 with all necessary information (i.e., all different values for AuthDatal and AuthResp in each loop) .
  • Fig. 5 may also be applied to that of Figs. 1 and 3. Moreover, it may also be combined with that of Fig. 4. That is, after the final confirmation of the authentication, also a network authentication may be performed.
  • the authentication procedure described above is not limited on the challenge-response algorithm, but other different existing authentication schemes can be applied in which authentication data are sent to a called node and authentication response data are produced by the called node.
  • Some of the existing authentication schemes may require many round trips (and not only one as described above), e.g. the user may also generate a challenge and try to authenticate the network in the same time, he provides the user authentication data.
  • UMTS AKA Authentication and key agreement as defined in 3GPP TS 33.102
  • another parameter AUTN is provided for the user.
  • the user is able to perform an authentication of the network.
  • the SIP INVITE message as described above, some text requesting the user to type his password can be included. That is, the authentication data AuthDatal as shown in the figures comprises this text. After the user has typed his password, this password may be included in the authentication data AuthData2 as described above.
  • the password may not be conveyed as plain text, but may also be ciphered such that no one in between can read the password.
  • the SIP server, SIP proxy and authentication center described above are only examples.
  • VoIP Voice over IP, i.e., Internet Protocol
  • Internet Protocol Internet Protocol
  • the invention can also be applied to GSM and UMTS network systems.
  • it may be applied m
  • SIP protocol is only taken as an example for a control protocol. Any control protocol which issues invitation messages and corresponding responses including fields into which the information necessary for performing an authentication may be included can be used.
  • the invention is not limited on mobile nodes as callers and/or callee. Instead, any type of communication device, either fixed or mobile, may be applied.

Abstract

The invention proposes a method of performing authentication of a subscriber during a subscriber equipment terminated call, comprising the steps of sending a session invitation message (S4, S5) to the subscriber equipment, the session invitation message including authentication information (AuthData1), and performing an authentication procedure in the subscriber equipment by using the authentication information. The invention also proposes a corresponding network system, network control element and subscriber entity.

Description

A MECHANISM TO ALLOW AUTHENTICATION OF SIP CALLS TERMINATED TO A MOBILE NODE
5 Field of the invention
The present invention relates to a method and a network system for performing authentication of terminated calls, in particular of terminated SIP (Session Initiation 0 Protocol) calls.
BACKGROUND OF THE INVENTION
5 In general, subscriber to corresponding services are authenticated.
There are many different authentication methods. In the following, a- Challenge Response based authentication 0 method is described in short as an example.
The network node which actually performs the authentication requests a parameter set consisting of a random number RAND (usually, 128 bit) and a scheduled 5 result (RESP) from an Authentication Center (AuC) and sends the RAND to the mobile node. In turn, the mobile node (MS, mobile station) has to calculate a result RESP_CALC from the number RAND. The calculation is performed in the mobile node by using a secret algorithm.
30 The user identity, the challenge and a key shared between the user and the authenticator are taken as inputs to an authentication algorithm, thus resulting in the expected output. The shared key must be kept private and only the user and the authenticator should know it; but the
35 authentication algorithm can be publicly known. The result RESP_CALC is transmitted to the network node performing a verification of the authentication. It checks whether the scheduled result RESP is equal to the calculated result RESP_CALC. If both results are equal, the authentication is successful, otherwise it fails.
In mobile applications, and in particular in cellular networks, the serving network (i.e. the network providing services to the mobile nodes) can typically authenticate the mobile node in three situations: when the mobile node registers with the network, when the mobile node establishes communications, and when incoming communications are terminated to the mobile node.
The invention applies to networks, such as, e.g., Voice over IP (VoIP) networks, where the SIP protocol is adopted as control protocol to setup multimedia communications, for example. In particular, the invention applies to the case of mobile VoIP networks where calls need to be delivered to mobile nodes.
The SIP protocol provides a mechanism to allow authentication of a SIP terminal when the terminal registers to a SIP server and when the terminal establishes a SIP call. Currently, SIP does not foresee any mechanism to support authentication of SIP calls delivered to the mobile node. That is, SIP, as currently defined, does not allow authentication of terminated calls.
Thus, in order to apply SIP to VoIP mobile network, authentication of mobile terminated calls need to be supported. SUMMARY OF THE INVENTION
Therefore, the object underlying the invention resides in providing a mechanism which allows an authentication of a subscriber in a mobile terminated call.
This object is solved by a method of performing authentication of a subscriber during a subscriber equipment terminated call, comprising the steps of sending a session invitation message to the subscriber equipment, the session invitation message including authentication information, and performing an authentication procedure in the subscriber equipment by using the authentication information.
Alternatively, the above object is solved by a network control element, wherein, during a subscriber equipment terminated call, the network control element is adapted to send a session invitation message to the subscriber equipment, the session invitation message including authentication information.
Furthermore, the above object is solved by a subscriber equipment which is adapted to be connected to a network, and, during a subscriber equipment terminated call, to receive a session invitation message from the network, the session invitation message including authentication information, and to perform an authentication procedure by using the authentication information.
Thus, according to the invention, information necessary for performing an authentication procedure is included in a session invitation message which is sent during a subscriber equipment terminated call to the subscriber equipment.
Therefore, no additional messages have to be created or transmitted, thus reducing the signaling load on the network.
Moreover, the above mechanism can easily be implemented, since only new parameters have to be included in fields of existing control protocol messages. That is, the invention provides a simple mechanism and can easily be implemented.
A response message as a response to the session invitation message may be sent from the subscriber equipment to the network, the response message including a result of the authentication procedure.
Thus, the calculated result of the authentication procedure is included in a response message to the session invitation. That is, also for transmitting the result of the authentication, no additional message is required, which also reduces the signaling load on the network.
The authentication procedure result may be verified in a network control element. In case of a positive authentication result, the response message of the subscriber equipment may be forwarded to the originating entity without the result of the authentication procedure .
Thus, the establishment of the call between the originating entity (i.e., caller) and the subscriber entity (i.e., callee) can easily be completed by forwarding the response message without the parameter indicating the authentication procedure result calculated by the subscriber equipment.
In case of a negative verification, a failure message may be forwarded to the originating entity. Hence, in case the subscriber equipment is not authenticated, the originating entity (i.e., the caller) is notified about this.
In the network, the SIP (Session Initiation Protocol) protocol may be adopted as a control protocol. For example, the session invitation message may be a SIP INVITE request including an authentication header field. The response message may be a SIP response message including an authorization header field.
The verification may be performed in a network control element serving the originating entity.
Alternatively, the verification may be performed in another network control element than that network control element serving the originating entity. In this case, a scheduled result for the authentication may be forwarded to the other network control element by including the scheduled result into the session invitation message. Moreover, the other network control element may extract the scheduled result from the session invitation message in the other network control element and forward the session invitation message without the scheduled result to the subscriber equipment.
In this way, also the part authentication information which is necessary to verify the authentication can be conveyed in the session invitation message (e.g., SIP INVITE request) . That is, the signaling load on the network is further reduced.
The network control element may be adapted to determine whether it has to perform the verification of the authentication or not. Thus, in response to this determination, the network control element may perform the above steps or not.
Optionally, a response message may be sent as a response to the session invitation message from the subscriber equipment to the network, the response message including a result of the authentication procedure and network authentication information which is used by the subscriber equipment to perform an authentication of the network. That is, the user, i.e., the callee has the possibility to perform an authentication of the network.
During such a network authentication, the network may determine a network authentication result in response to the network authentication information by the network, and send the network authentication result to the subscriber equipment, such that the subscriber equipment may verify the network authentication result.
Furthermore, the authentication procedure performing step and the verification step may be repeated a predetermined number of times, wherein different authentication information may be used. That is, a mutiple round trips authentication scheme may be used.
The authentication data to be sent to the subscriber equipment may comprise a invitation to the user to type a password. Hence, the authentication result may comprise the typed password. Hence, also an authentication scheme may be applied in which not only the authentication of a SIM card or the like is checked, but also of the user itself, since the user itself has to type the password.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be more readily understood with reference to the accompanying drawings in which:
Fig. 1 shows a diagram illustrating a signaling flow between a SIP server, a SIP proxy and mobile node MS according to a preferred embodiment of the invention, wherein the authentication is verified in the SIP server,
Fig. 2 shows a diagram illustrating a signaling flow between a SIP server, a SIP proxy and mobile node MS according to the preferred embodiment of the invention, wherein the authentication is verified in the SIP proxy,
Fig. 3 shows a diagram illustrating a signaling flow between a SIP server, a SIP proxy and mobile node MS according to the preferred embodiment of the invention, wherein authentication is verified in an authentication center,
Fig. 4 shows a diagram illustrating a signaling flow according to a modification of the preferred embodiment of the invention, and
Fig. 5 shows a diagram illustrating a signaling flow according to a further modification of the preferred embodiment of the invention. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
In the following, a preferred embodiment of the invention is described in more detail with reference to the accompanying drawings .
According to the present embodiment, a mechanism is introduced which allows an authentication of terminated SIP calls by requesting the terminated node to authenticate itself as a part of the call termination procedure.
That is, during the call termination procedure, i.e., receiving a call invitation from another party and responding to this invitation, also an authentication is performed.
Such an invitation and responding may be advantageously performed by using the SIP (Session Initiation Protocol) , however, it is noted that the present invention is not limited thereon.
In particular, the invitation according to SIP is performed by sending two requests: A SIP INVITE request, by which the caller invites the callee to participate in a particular call or multimedia session or the like. The callee answers with a SIP response. In case he agrees to participate in the call, the callee sends a 200 OK response to the caller. The caller then sends a second SIP request, i.e., ACK request, in order to acknowledge the response of the callee. Otherwise, in case the caller is no longer interested in the call or session, he may send a BYE request to the callee in order to terminate the session. The requests, in particular the INVITE request, contain several information within fields. For example, a description of the session to which the callee is invited is included in the fields.
According to the present embodiment, an additional field, i.e., an additional parameter has to be included into the SIP INVITE request. Namely, the information needed for performing the authentication is included in the SIP
INVITE request. In particular, the RAND number which is provided by an authentication entity (e.g., AuC or a SIP server which actually performs the authentication) has to be included in the SIP INIVITE request. These additional authentication is referred to as authentication extension in the following.
According to the present embodiment, the W W-Authenticate Response-Header field which is already defined in SIP is used for such a field.
In SIP as currently defined, the WWW-Authenticate response-header field has to be included in 401 (Unauthorized) response messages. The field value consists of at least one challenge that indicates the authentication scheme (s) and parameters applicable to the Request-URI.
Thus, no new field has to be defined, but an already defined field (which, however, was used for another kind of request) may include the necessary information, namely the RAND, i.e., challenge, and information regarding the authentication scheme.
After receiving such a SIP INVITE request, the mobile node responses with a SIP response like, e.g., 200 OK or the like. Furthermore, the mobile node calculates the RESP_CALC value and includes this value into the SIP response .
Hence, also a new field has to be included into the SIP responses. Preferably, also here an already defined field may be adopted for such a field. According to the present embodiment, the Authorization Request Header field may be included into the SIP response.
According to SIP as currently defined, the Authorization Request header field is included in case a user agent wishes to authenticate itself with a server, usually (but not necessarily) after receiving a 401 (Unauthorized) response. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.
In the following, some of the possible SIP messages into which the Authorization Request Header field has to be added according to the present embodiment are described in short:
1) SIP INVITE: as mentioned above, the WWW-Authenticate Response-Header field (already defined in SIP) needs to be added.
2) SIP 200 OK: the Authorization Request Header field (already defined in SIP) needs to be added. The 200 OK response is sent in case the SIP INVITE request has succeeded. The information returned with the response depends on the method used in the request, for example INVITE: The callee has agreed to participate; the message body indicates the callee ' s capabilities.
3) 403 Forbidden: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the server understood the request, but is refusing to fulfill it. Authorization will not help, and the request should not be repeated.
4) 405 Not allowed: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the method specified in the Request-Line is not allowed for the address identified by the Request-URI . The response must include an Allow header field containing a list of valid methods for the indicated address.
5) 408 Request Timeout: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the called entity could not produce a response, e.g., a user location, within the time indicated in an Expires request-header field.
6) 409 Conflict: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the request could not be completed due to a conflict with the current state of the resource. This response is returned if the action parameter in a REGISTER request conflicts with existing registrations.
7) 410 Gone: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the requested resource is no longer available at the called entity (i.e., in the present embodiment, the mobile node MS) and no forwarding address is known.
8) 415 Unsupported Media Type: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the called entity is refusing to service the request because the message body of the request is in a format not supported by the requested resource for the requested method.
9) 420 Bad Extension: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the server did not understand the protocol extension specified in a Require header field.
10) 480 Temporarily Unavailable: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the callee 's end system (i.e., the mobile node) was contacted successfully but the callee is currently unavailable (e.g., not logged in or logged in in such a manner as to preclude communication with the callee) .
11) 482 Loop Detected: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the server received a request with a Via path containing itself.
12) 484 Address Incomplete: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the called entity received a request with a To address or Request-URI that was incomplete. - IS IS) 485 Ambiguous: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the callee address provided in the request was ambiguous.
14) 486 Busy Here: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the called entity (i.e., the callee 's end system) was contacted successfully but the callee is currently not willing or able to take additional calls.
15) 603 Decline: the Authorization Reques.t Header field (already defined in SIP) needs to be added. This response is sent in case the called entity was successfully contacted but the user explicitly does not wish to or cannot participate.
16) 606 Not Acceptable: the Authorization Request Header field (already defined in SIP) needs to be added. This response is sent in case the called entity was contacted successfully but some aspects of the session description such as the requested media, bandwidth, or addressing style were not acceptable. A 606 (Not Acceptable) response means that the user wishes to communicate, but cannot adequately support the session described.
In the following an example is given as to how a challenge response authentication procedure is adopted to authenticate the mobile node:
The above-described WWW-authenticate Response Header field contains:
i. indication of challenge response algorithm ii. a RAND parameter iii. a RESP parameter
where RAND is a random parameter generated by an entity, here named AuC (Authentication Center) , that is outside the scope of this invention. AuC also generates the RESP parameter, i.e., the scheduled result.
When the mobile node (i.e., called entity) sends any of the responses 2-16 identified above, the above described Authorization Request Header field will contain the parameter CALC_RESP (of the same length of RESP) .
In the following, the authentication procedure according to the present embodiment is described by referring to Fig. 1.
In this example, a call is to be initiated between a caller (calling mobile node MS, as an example for an originating entity) and a callee (called MS, as an example for a subscriber entity) via a SIP server and a SIP proxy (as examples for a network control element) . It is noted that both SIP server and SIP proxy may be technically structured in the same way, however, their functions are different. The server serves the caller, while the proxy forwards signaling.
1) The SIP server, receiving an incoming mobile terminated call for a mobile node from a calling party (step SI), determines that the call needs to be authenticated (e.g. based on profiles or policies) (step S2) and retrieves (according to a mechanism outside the scope of the invention) necessary data for the authentication from an authentication center (step S3) . These authentication data include first data AuthDatal which is to be forwarded to the called mobile node and second data AuthResp which is to be used by the SIP server.
2) The SIP server forwards the SIP INVITE request (containing the authentication extensions with the authentication parameters) towards the mobile node (steps S4 and S5) . According to the present embodiment, the SIP server determines according to network policies that it is the authentication verification point. Hence, it forwards the SIP INVITE request with the authentication extensions containing only AuthDatal and puts its URL in the VIA field.
Any SIP server or proxy receiving an authentication extension with only AuthDatal will simply forward the message. In the signaling diagram according to Fig. 1, this is the case for the SIP proxy receiving the SIP INVITE request from the SIP server. That is, the SIP proxy forwards the SIP INVITE request to the mobile node unchanged.
3) The mobile node (MS), receiving the SIP INVITE request containing the RAND parameter, executes the authentication algorithm taking AuthDatal as input and producing an output value AuthData2.
4) When the mobile node answers to the SIP INVITE request with any of the messages identified in the above points 2-16, it returns the AuthData2 parameter. In the signaling diagram shown in Fig. 1, it is assumed that the user accepts the SIP INVITE request and that there are no further problems (due to which one of the above responses 3 to 16 would be sent) . Thus, a 200 OK response is sent in step S6. 5) The response is forwarded transparently by the SIP proxies until it reaches the SIP server designated for the verification for the authentication. In the example of Fig. 1, only one SIP proxy is concerned, and this SIP proxy forwards the 200 OK response including the parameter AuthData2 of the mobile node to the SIP server in step S7.
6) The SIP server verifies the parameter AuthData2 with the parameter AuthResp which was retrieved from the authentication center in step S3.
After a successful verification of the authentication, the SIP server forwards the 200 OK response of the mobile node to the caller in step S9. In case of an unsuccessful authentication, the SIP server may send a corresponding failure message to the caller. Such a message may be a 405 Not Allowed message including a parameter indicating to the caller that the authentication of the callee was unsuccessful .
In case of a successful authentication, the caller may send an SIP ACK request after receiving the 200 OK response. That is, the session is established according to normal SIP.
The above steps were described with respect to general authentication. In the following, the steps are shortly described in case a challenge response is employed.
In this case, the parameter AuthDatal sent to the called mobile node in steps S4 and S5 is the parameter RAND. The mobile node calculates the parameter CALC_^_RESP, which is the parameter AuthData2 sent to the SIP server in steps S6 and S7. The parameter AuthResp retrieved from the authentication center in step S3 is the parameter RESP. Thus, in step S8 the verification is performed by comparing the value of RESP with the value of CALCJRESP. If both values are equal, the authentication is successful, otherwise it fails.
As already mentioned above, the functions of the SIP proxies/servers included in the path between the caller and callee may be different. This is illustrated in the example of Fig. 2 showing a signaling flow between a caller and a callee via a SIP server and a SIP proxy, wherein in this example it is assumed that the SIP server is not the authentication verification point, but the SIP proxy. The SIP server may determine according to network policies that it is not the authentication verification point. In this case, it forwards the SIP INVITE request with the authentication extensions containing AuthDatal and AuthResp.
Any SIP server or proxy receiving authentication extension with both RAND and RESP decides whether to forward the INVITE message with only RAND or whether to forward the INVITE message with both RAND and RESP.
The first alternative (forwarding the INVITE message with only RAND) happens if the mobile node is directly reachable by the SIP server or proxy without passing through any other SIP server or proxy (this can be determined by screening the list of users who have registered to this SIP server/proxy) . Otherwise, the first alternative may happen based on network policies. The second alternative (forwarding the INVITE message with both RAND and RESP) happens based on network policies .
In the signaling flow of Fig. 2, same or similar steps as in Fig. 1 are denoted by same reference signs, such that a repeated description thereof is omitted.
As mentioned above, in this example the SIP server determines based on the network policies that it is not the authentication verification point, but the SIP proxy. Hence, it forwards the INVITE request including AuthDatal and AuthResp to the SIP proxy 1 in step S4a.
Based on the network policies and on receiving the INVITE request includingAuthDatal and AuthResp, the SIP proxy determines that it is the authentication verification point. Hence, it extracts the AuthResp from the INVITE message and stores it. Thereafter, it forwards the INVITE request including only AuthDatal in step S5. In addition, the SIP proxy includes its address in the VIA field in order to indicate that it is the authentication verification point.
In step S7a, the SIP proxy verifies AuthData2 with
AuthResp, in the same way as it is performed by the SIP server in step S8 of Fig. 1.
In case of a positive result, the SIP 200 OK response is forwarded to the caller in steps SS8a and S9 via the SIP server.
Fig. 3 shows a signaling flow for a case in which neither a SIP proxy nor a SIP server performs the authentication, but wherein the authentication is performed by an authentication center.
In the signaling flow of Fig. 3, same or similar steps as in Fig. 1 are denoted by same reference signs, such that a repeated description thereof is omitted.
As mentioned above, in this example both the SIP server and the SIP proxy determine based on the network policies that they are not the authentication verification point, but the authentication center. Hence, in step S3b only the AuthDatal to be sent to the called mobile node is retrieved.
In step S8b, the SIP server performs an Authentication Data Request including AuthData2 from the called mobile note to the authentication center, which in turn verifies AuthData in step S8c. In step S8d, the authentication center sends an Authentication Data Response to the SIP server. In case of positive authentication, the SIP server forwards the SIP 200 OK response in step S9 to the calling party. Otherwise, the SIP server may send a failure message to the calling party, as described above.
Fig. 4 shows a modification of the preferred embodiment, according to which the callee may also perform a network authentication.
When performing user authentication, the user may also want to authenticate the network to prevent network impersonation. A man in the middle may otherwise try to send requests to the valid user and re-use the authentication result to perform undesirable operations.
In Fig. 4, basically the same situation as shown in Fig. 2 is considered. That is, it is assumed that the SIP proxy performs the verification. However, also the other situations as described above with connection to Fig. 1 and 3 are possible. Same reference signs in Fig. 4 and Fig. 2 indicate same or basically same steps, and only those steps different from those of Fig. 2 are described in the following.
Thus, after the SIP INVITE request including AuthDatal, the callee produces AuthData2 in response to the
AuthDatal. In addition, the callee (i.e., the subscriber equipment) creates additional authentication data AuthData3. These authentication data are used for the network authentication.
In step S10, the authentication result, AuthData2, and the additional authentication data AuthData3 are sent to the SIP proxy. Here, a suitable SIP message may be used, for example a 401 Unauthorized message. That is, a 200 OK message (as in case of Figs. 1 to 3) is not sent yet since the callee wants to perform a network authentication first.
In step Sll the SIP proxy verifies AuthData2, and after a positive verification, the SIP proxy produces authentication data AuthData4 in response to the AuthData3, which are sent to the callee in step S12. The authentication data AuthData4 may be included in a suitable SIP message. In step S13 the callee verifies AutData4, and only in case the verification is successful, the callee sends the SIP 200 OK response in step S14. This SIP 200 OK response is forwarded to the caller in steps S15 and S16.
As an example, when receiving the RAND (as described above as an example for AuthDatal), the callee computes the RES (as described above as an example for AuthData2) to get authenticated by the network. But in the same time, he may also generate a RANDU (as an example for AuthData3) to authenticate the network. The callee will therefore send both the RES and the RANDU to the network. The network will authenticate the user based on the RAND and RES as described above in the description of the first embodiment.
In addition, if user authentication is successful, the network computes network authentication data (as an example for AuthData4) based on RANDU and sends it back to the caller.
This is an example of possible network authentication required by the user when the network wants to authenticate him.
It is noted that in the above-described example of Fig. 4 it is assumed that the SIP proxy has the necessary information for determining the network authentication data AuthData4. However, in some cases the SIP proxy may not have this information and/or capabilities. In this cases, the SIP proxy may need to contact the SIP server or Authentication Center (AuC) to compute the network authentication data. That is, in Fig. 4, the SIP server may access, during step Sll, the SIP server and/or the authentication center.
Fig. 5 illustrates a further modification of the preferred embodiment according to which a multiple round trips authentication scheme is applied. In Fig. 5, same reference signs as in Fig. 1 denote the same steps, so that only different parts are described in the following. According to this modification authentication scheme is used which requires many round trips between the user and the network. Basically, steps S3 to S8 of Fig. 1 may be repeated for a predetermined number of times, wherein always different AuthDatal may be supplied to the callee.
This is shown in Fig. 5 by the steps S23 to S38 which are enclosed in a dotted box. It is noted that in steps S24 to S27 SIP INVITE and SIP 200 OK messages may be used as in steps S4 to S7 for conveying the corresponding authentication data, however, also other suitable SIP messages or other kind of messages may be used.
In every repetition of the loop consisting of the steps S23 to S28, a new set of authentication data AuthDatal and AuthResp is retrieved from the Authentication Center in step S23. That is, in each loop, a values for AuthDatal and AuthResp are set.
After finally the authentication of the subscriber has been confirmed, the SIP 200 OK response is forwarded to the caller in step S9.
According to the above example, also the Authentication Center is involved to process the authentication data (i.e., after a successful result of each part- authentication, a new authentication data set is supplied) . However, alternatively also the SIP server may be supplied already in step S3 with all necessary information (i.e., all different values for AuthDatal and AuthResp in each loop) .
As a further alternative, the process according to Fig. 5 may also be applied to that of Figs. 1 and 3. Moreover, it may also be combined with that of Fig. 4. That is, after the final confirmation of the authentication, also a network authentication may be performed.
The above description and accompanying drawings only illustrate the present invention by way of example. Thus, the embodiment may vary within the scope of the attached claims. For example, the above embodiment and the modifications thereof may be arbitrarily combined.
In particular, the authentication procedure described above is not limited on the challenge-response algorithm, but other different existing authentication schemes can be applied in which authentication data are sent to a called node and authentication response data are produced by the called node. Some of the existing authentication schemes may require many round trips (and not only one as described above), e.g. the user may also generate a challenge and try to authenticate the network in the same time, he provides the user authentication data.
An example for another authentication scheme, UMTS AKA (Authentication and key agreement as defined in 3GPP TS 33.102 can be executed. Here, in addition to the RAND as described above, another parameter AUTN is provided for the user. By this parameter, the user is able to perform an authentication of the network.
Moreover, also a password based authentication scheme could be used. In this case, the SIP INVITE message as described above, some text requesting the user to type his password can be included. That is, the authentication data AuthDatal as shown in the figures comprises this text. After the user has typed his password, this password may be included in the authentication data AuthData2 as described above. The password may not be conveyed as plain text, but may also be ciphered such that no one in between can read the password. Moreover, there are several locations (network entities) where the authentication data can be added/removed to support the authentication. The SIP server, SIP proxy and authentication center described above are only examples.
Furthermore, it is noted that m the embodiment described above the VoIP (Voice over IP, i.e., Internet Protocol) was only mentioned as an example. The invention is by no way limited thereon and can be applied to any kind of network system in which an authentication is performed.
For example, the invention can also be applied to GSM and UMTS network systems. For example, it may be applied m
IETF (Internet Engineering Task Force) and/or 3GPP (Third
Generation Partnership Project).
Moreover, also the SIP protocol is only taken as an example for a control protocol. Any control protocol which issues invitation messages and corresponding responses including fields into which the information necessary for performing an authentication may be included can be used.
Moreover, it is noted that the invention is not limited on mobile nodes as callers and/or callee. Instead, any type of communication device, either fixed or mobile, may be applied.

Claims

Claims
1. A method of performing authentication of a subscriber during a subscriber equipment terminated call, comprising the steps of sending a session invitation message (S4, S5) to the subscriber equipment, the session invitation message including authentication information (AuthDatal) , and performing an authentication procedure in the subscriber equipment by using the authentication information.
2. The method according to claim 1, further comprising the step of sending a response message (S6) as a response to the session invitation message from the subscriber equipment to the network, the response message including a result (AuthData2) of the authentication procedure.
3. The method according to claim 2, further comprising the step of verifying (S8; S7b; S8c) the authentication procedure result (AuthData2) in a network control element.
4. The method according to claim 3, further comprising the step of forwarding (S9) the response message of the subscriber equipment to an originating entity initiating the session invitation without the result of the authentication procedure in case of a positive verification (S8; S7b; S8c) .
5. The method according to claim 3, further comprising the step of forwarding a failure message to an originating entity initiating the session invitation in case of a negative verification (S8; S7b; S8c) .
6. The method according to claim 1, wherein in the network the SIP (Session Initiation Protocol) protocol is adopted as a control protocol .
7. The method according to claim 6, wherein the session invitation message is a SIP INVITE request including an authentication header field.
8. The method according to claim 6, wherein the response message is a SIP response message including an authorization header field.
9. The method according to claim 3, wherein the verifying step (S8) is performed in a network control element which serves as an originating entity initiating the session invitation.
10. The method according to claim 3, wherein the verifying step (S7a) is performed in a network control element which serves the subscriber equipment.
11. The method according to claim 3, wherein the verifying step (S8c) is performed in an authentication center.
12. The method according to claim 1, further comprising the step of sending a response message (S6a) as a response to the session invitation message from the subscriber equipment to the network, the response message including a result (AuthData2) of the authentication procedure and network authentication information (AuthData3) which is used by the subscriber equipment to perform an authentication of the network.
13. The method according to claim 12, further comprising the steps of determining (Sll) a network authentication result (AuthData4) in response to the network authentication information (AuthData4) by the network, sending (S12) the network authentication result (AuthData4) to the subscriber equipment, and verifying (S13) the network authentication result (AuthData4) in the subscriber equipment.
14. The method according to claim 3, wherein the authentication procedure performing step and the verification step (S8; S7b; S8c) are repeated a predetermined number of times, wherein different authentication information (AuthDatal) are used.
15. A network system comprising a subscriber equipment and at least one network control element, wherein, during a subscriber equipment terminated call, the network control element is adapted to send a session invitation message to the subscriber equipment, the session invitation message including authentication information (AuthDatal), and the subscriber equipment is adapted to perform an authentication procedure by using the authentication information.
16. The network system according to claim 17, wherein the subscriber equipment is adapted to send a response message as a response to the session invitation message to the network, the response message including a result (AuthData2) of the authentication procedure.
5 17. The network system according to claim 16, wherein the network control element is adapted to verify the authentication procedure result (AuthData2).
18. The network system according to claim 17, wherein 0 the network control element is adapted to forward the response message of the subscriber equipment to an originating entity initiating the session invitation without the result of the authentication procedure in case of a positive verification. 5
19. The network system according to claim 17, wherein the network control element is adapted to forward a failure message to an originating entity initiating the session invitation in case of a negative verification. n
20. The network system according to claim 15, wherein in the network the SIP (Session Initiation Protocol) protocol is adopted as a control protocol
5 21. The network system according to claim 20, wherein the session invitation message is a SIP INVITE request including an authentication header field.
22. The network system according to claim 20, wherein 0 the response message is a SIP response message including an authorization header field.
23. The network system according to claim 17, wherein the network control element performing the verification is adapted to serve an originating entity initiating the session invitation.
24. The network system according to claim 17, wherein the network control element performing the verification is adapted to serve the subscriber equipment.
25. The network system according to claim 17, wherein the network control element performing the verification is an authentication center.
26. The network system according to claim 15, wherein the subscriber equipment is further adapted to send a response message as a response to the session invitation message from the subscriber equipment to the network, the response message including a result (AuthData2) of the authentication procedure and network authentication information (AuthData3) which is used by the subscriber equipment to perform an authentication of the network.
27. The network system according to claim 26, wherein the network control element is further adapted to determine a network authentication result (AuthData4) in response to the network authentication information (AuthData4) and to send the network authentication result (AuthData4) to the subscriber equipment, and the subscriber equipment is adapted to verify the network authentication result (AuthData4).
28. The network system according to claim 17, wherein the network control element and the subscriber equipment are adapted to repeat the authentication procedure and the verification for a predetermined number of times, wherein different authentication information (AuthDatal) are used.
29. A network control element, wherein, during a subscriber equipment terminated call, the network control element is adapted to send a session invitation message to the subscriber equipment, the session invitation message including authentication information.
30. The network control element according to claim 29, wherein the network control element is adapted to receive a response message as a response to the session invitation message from a subscriber equipment, the response message including a result of an authentication procedure performed by the subscriber equipment.
31. The network control element according to claim 30, wherein the network control element is adapted to verify the authentication procedure result.
32. The network control element according to claim 31, wherein the network control element is adapted to forward the response message of the subscriber equipment to an originating entity initiating the session invitation without the result of the authentication procedure in case of a positive verification.
33. The network control element according to claim 31, wherein the network control element is adapted to forward a failure message to an originating entity initiating the session invitation in case of a negative verification.
34. The network control element according to claim 29, wherein in the network the SIP (Session Initiation Protocol) protocol is adopted as a control protocol,
35. The network control element according to claim 34, wherein the session invitation message is a SIP INVITE request including an authentication header field.
36. The network control element according to claim 34, wherein the response message is a SIP response message including an authorization header field.
37. The network control element according to claim 31, wherein the network control element performing the verification is adapted to serve an originating entity initiating the session invitation.
38. The network control element according to claim 31, wherein the network control element performing the verification is adapted to serve the subscriber equipment .
39. The network control element according to claim 29, wherein the network control element is adapted determine whether it has to perform a verification of the authentication or not.
40. The network according to claim 39, wherein the network control element is adapted to, in case the network control element does not have to perform the verification, forward a scheduled result (AuthResp) to a second network control element by including the scheduled result into the session invitation message.
42. The network according to claim 40, wherein the network control element is adapted, in case the network control element has to perform the verification, to receive the scheduled result (AuthResp) from another network control element, wherein the scheduled result is included in the session invitation message, to extract the scheduled result (AuthResp) from the session invitation message and to forward the session invitation message without the scheduled result (AuthResp) to the subscriber equipment, and to verify the authentication result (AuthData2) with a scheduled result (AuthResp) .
43. The network control element according to claim 29, wherein the network control element is further adapted to receive a response message from the subscriber equipment, the response message including a result (AuthData2) of the authentication procedure and network authentication information (AuthData3) which is used by the subscriber equipment to perform an authentication of the network.
44. The network system according to claim 43, wherein the network control element is further adapted to determine a network authentication result (AuthData4) in response to the network authentication information (AuthData4) and to send the network authentication result (AuthData4) to the subscriber equipment.
45. The network system according to claim 31, wherein the network control element is adapted to repeat the verification for a predetermined number of times, wherein different authentication information (AuthDatal) are used.
46. A subscriber equipment which is adapted to be connected to a network, and, during a subscriber equipment terminated call, to receive a session invitation message from the network, the session invitation message including authentication information, and to perform an authentication procedure by using the authentication information.
47. The subscriber equipment according to claim 46, wherein the subscriber equipment is adapted to send a response message as a response to the session invitation message to the network, the response message including a result of the authentication procedure.
48. The subscriber equipment according to claim 47, wherein in the network the SIP (Session Initiation Protocol) protocol is adopted as a control protocol.
49. The subscriber equipment according to claim 48, wherein the session invitation message is a SIP INVITE request including an authentication header field.
50. The subscriber equipment according to claim 49, wherein the response message is a SIP response message including an authorization header field.
51. The subscriber equipment according to claim 46, wherein the subscriber equipment is further adapted to send a response message as a response to the session invitation message from the subscriber equipment to the network, the response message including a result (AuthData2) of the authentication procedure and network authentication information (AuthData3) which is used by the subscriber equipment to perform an authentication of the network.
52. The subscriber equipment according to claim 51, wherein the subscriber equipment is further adapted to received a network authentication result (AuthData4) from the network, and the subscriber equipment is adapted to verify the network authentication result (AuthData4).
52. The network system according to claim 46, wherein the subscriber equipment is adapted to repeat the authentication procedure for a predetermined number of times .
PCT/IB2002/002718 2001-07-13 2002-07-11 A mechanism to allow authentication of sip calls terminated to a mobile node WO2003007573A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/905,463 2001-07-13
US09/905,463 US7484240B2 (en) 2001-07-13 2001-07-13 Mechanism to allow authentication of terminated SIP calls

Publications (1)

Publication Number Publication Date
WO2003007573A1 true WO2003007573A1 (en) 2003-01-23

Family

ID=25420867

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2002/002718 WO2003007573A1 (en) 2001-07-13 2002-07-11 A mechanism to allow authentication of sip calls terminated to a mobile node

Country Status (2)

Country Link
US (1) US7484240B2 (en)
WO (1) WO2003007573A1 (en)

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7266593B2 (en) * 2001-02-23 2007-09-04 Nokia Networks Oy IP based service architecture
KR100426306B1 (en) * 2001-12-11 2004-04-08 한국전자통신연구원 Method for providing a load distributed processing among session initiation protocol servers
US7509425B1 (en) 2002-01-15 2009-03-24 Dynamicsoft, Inc. Establishing and modifying network signaling protocols
US7685315B2 (en) * 2002-10-28 2010-03-23 Nokia Corporation System and method for conveying terminal capability and user preferences-dependent content characteristics for content adaptation
US8140824B2 (en) * 2002-11-21 2012-03-20 International Business Machines Corporation Secure code authentication
KR20040069072A (en) * 2003-01-28 2004-08-04 삼성전자주식회사 Mobile phone, telecommunication system and method for automatically downloading multimedia data of the receiving part
US8661079B2 (en) * 2003-02-20 2014-02-25 Qualcomm Incorporated Method and apparatus for establishing an invite-first communication session
JP2005073236A (en) * 2003-08-06 2005-03-17 Matsushita Electric Ind Co Ltd Relay server, relay server service management method, service providing system, and program
DE202004007324U1 (en) * 2003-12-01 2004-08-12 Weckemann, Andreas Brush with bristle protection
US20050132075A1 (en) * 2003-12-15 2005-06-16 International Business Machines Corporation Authentication of mobile communication devices using mobile networks, SIP and Parlay
CN100428765C (en) * 2003-12-20 2008-10-22 海信集团有限公司 Method for mobile terminal dialing Ip telephone to appeal channel
KR100584359B1 (en) * 2004-02-02 2006-05-26 삼성전자주식회사 Method for controlling remote manless-apparatus
US20050193201A1 (en) * 2004-02-26 2005-09-01 Mahfuzur Rahman Accessing and controlling an electronic device using session initiation protocol
CN1716953B (en) * 2004-06-28 2010-09-15 华为技术有限公司 Method for identifying conversation initial protocol
US8571011B2 (en) * 2004-08-13 2013-10-29 Verizon Business Global Llc Method and system for providing voice over IP managed services utilizing a centralized data store
US20060098623A1 (en) * 2004-11-08 2006-05-11 Christian Andrew D Voice data security method and apparatus
JP4867482B2 (en) * 2006-06-06 2012-02-01 富士ゼロックス株式会社 Control program and communication system
KR101104500B1 (en) * 2006-12-21 2012-01-12 엘지전자 주식회사 Method for signalling voice call of mobile terminal
US7591013B2 (en) * 2007-07-31 2009-09-15 Cisco Technology, Inc. System and method for client initiated authentication in a session initiation protocol environment
US20090126001A1 (en) * 2007-11-08 2009-05-14 Microsoft Corporation Techniques to manage security certificates
US7990762B2 (en) * 2008-02-06 2011-08-02 Unity Semiconductor Corporation Integrated circuits to control access to multiple layers of memory
CN102144380B (en) * 2008-09-05 2014-10-29 爱立信电话股份有限公司 End-to-end address transfer
US8793782B1 (en) * 2010-05-27 2014-07-29 Crimson Corporation Enforcing a health policy in a local area network
JP5966917B2 (en) * 2012-12-26 2016-08-10 アイコム株式会社 Relay device
US9992679B1 (en) 2016-08-25 2018-06-05 Sprint Communications Company L.P. Integrated authentication codes for user devices and communication networks
CN108270747B (en) * 2016-12-30 2021-08-13 杭州华为企业通信技术有限公司 Authentication method and device
US11895162B2 (en) 2021-12-21 2024-02-06 Bank Of America Corporation System and method for implementing a cloud-to-enterprise voice application gateway

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0998095A2 (en) * 1998-07-31 2000-05-03 Lucent Technologies Inc. Method for two party authentication and key agreement
WO2000069140A1 (en) * 1999-05-10 2000-11-16 Telefonaktiebolaget Lm Ericsson (Publ) A distributed system to intelligently establish sessions between anonymous users over various networks

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5343529A (en) * 1993-09-28 1994-08-30 Milton Goldfine Transaction authentication using a centrally generated transaction identifier
US6446127B1 (en) * 1998-10-30 2002-09-03 3Com Corporation System and method for providing user mobility services on a telephony network
US6425004B1 (en) * 1999-02-24 2002-07-23 Nortel Networks Limited Detecting and locating a misbehaving device in a network domain
US6662223B1 (en) * 1999-07-01 2003-12-09 Cisco Technology, Inc. Protocol to coordinate network end points to measure network latency
US7136387B2 (en) * 1999-08-09 2006-11-14 Mci, Llc Method of and system for providing quality of service in IP telephony
US6434143B1 (en) * 1999-11-08 2002-08-13 Mci Worldcom, Inc. Internet protocol telephony voice/video message deposit and retrieval
US6477150B1 (en) * 2000-03-03 2002-11-05 Qualcomm, Inc. System and method for providing group communication services in an existing communication system
US6970452B2 (en) * 2000-03-13 2005-11-29 Curitell Communications Inc. Common subscriber managing apparatus and method based on functional modeling of a common subscriber server for use in an ALL-IP network and method therefor
US7120934B2 (en) * 2000-03-30 2006-10-10 Ishikawa Mark M System, method and apparatus for detecting, identifying and responding to fraudulent requests on a network
JP2001337925A (en) * 2000-05-25 2001-12-07 Nec Gumma Ltd User authentication device and business transaction system using it
US7024688B1 (en) * 2000-08-01 2006-04-04 Nokia Corporation Techniques for performing UMTS (universal mobile telecommunications system) authentication using SIP (session initiation protocol) messages
US7139370B1 (en) * 2000-08-31 2006-11-21 Nortel Networks Limited Using hyperlinks to establish call sessions
US6865681B2 (en) * 2000-12-29 2005-03-08 Nokia Mobile Phones Ltd. VoIP terminal security module, SIP stack with security manager, system and security methods

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0998095A2 (en) * 1998-07-31 2000-05-03 Lucent Technologies Inc. Method for two party authentication and key agreement
WO2000069140A1 (en) * 1999-05-10 2000-11-16 Telefonaktiebolaget Lm Ericsson (Publ) A distributed system to intelligently establish sessions between anonymous users over various networks

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HANDLEY M ET AL: "SIP: Session Initiation Protocol", XP002162525 *
HANDLEY M ET AL: "Very large conferences on the Internet: the Internet multimedia conferencing architecture", COMPUTER NETWORKS, ELSEVIER SCIENCE PUBLISHERS B.V., AMSTERDAM, NL, VOL. 31, NR. 3, PAGE(S) 191-204, ISSN: 1389-1286, XP004304598 *

Also Published As

Publication number Publication date
US7484240B2 (en) 2009-01-27
US20030014668A1 (en) 2003-01-16

Similar Documents

Publication Publication Date Title
US7484240B2 (en) Mechanism to allow authentication of terminated SIP calls
US9560083B2 (en) Service denial and termination on a wireless network
EP1665722B1 (en) Exchange protocol for combinational multimedia services
US7865602B2 (en) System, method, and network elements for providing a service such as an advice of charge supplementary service in a communication network
EP1305911B1 (en) Techniques for performing umts-authentication using sip (session initiation protocol) messages
US7317695B2 (en) Conference call initiation
US20040225878A1 (en) System, apparatus, and method for providing generic internet protocol authentication
JP2004523971A (en) Call processing in SIP networks
JP2007516485A (en) Method and system for permitting access to user information in a network
US20040193920A1 (en) Service provisioning in a communication system
WO2005093996A1 (en) System and method for enforcing policies directed to session-mode messaging
EP1414212A1 (en) Method and system for authenticating users in a telecommunication system
EP1524816B1 (en) Authentication of messages in a communication system
US20050086541A1 (en) Service access
US20050159157A1 (en) Authentications in a communication system
US20040203432A1 (en) Communication system
US9258367B2 (en) Technique for managing sessions with entities in a communication network
EP2418913A1 (en) Method and system for joining group session with pre-defined joining
WO2006090238A2 (en) System, method, and network elements for providing a service such as an advice of charge supplementary service in a communication network
KR20060024205A (en) Authentication system and method in session initiation protocol

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP