EP1547346A2 - Verfahren und system zur identitätsprüfung eines telefonanrufsenders über das internet und telfongerät für diese system - Google Patents

Verfahren und system zur identitätsprüfung eines telefonanrufsenders über das internet und telfongerät für diese system

Info

Publication number
EP1547346A2
EP1547346A2 EP03798947A EP03798947A EP1547346A2 EP 1547346 A2 EP1547346 A2 EP 1547346A2 EP 03798947 A EP03798947 A EP 03798947A EP 03798947 A EP03798947 A EP 03798947A EP 1547346 A2 EP1547346 A2 EP 1547346A2
Authority
EP
European Patent Office
Prior art keywords
terminal
call
address
request frame
control code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP03798947A
Other languages
English (en)
French (fr)
Inventor
Mickael Allain
Yacine Zoughlami
Michel L'hostis
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Orange SA
Original Assignee
France Telecom SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by France Telecom SA filed Critical France Telecom SA
Publication of EP1547346A2 publication Critical patent/EP1547346A2/de
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data

Definitions

  • the invention relates to the field of Internet telephony.
  • NoIP voice over Internet protocols such as the protocol originating from the International Telecommunications Union (ITU), known as H.323, the SIP protocol (Session Initiation Protocol) from the IETF, ..., as well as all types of residential or corporate telephone network architectures.
  • ITU International Telecommunications Union
  • SIP protocol Session Initiation Protocol
  • Internet telephony services use a certain number of authentication mechanisms for the calling subscriber in order to prevent, in particular, being charged for calls made by unauthorized third parties.
  • These authentication techniques can consist of encryption mechanisms by asymmetric cryptography, which use a certificate exchange by public keys and private keys. This technique is based on one-way mathematical functions, that is, functions that are easy to calculate but extremely difficult to reverse.
  • the subscriber has a private key. He discloses a public key to his interlocutor. Although the subscriber's private key and public key are closely related, the public key disclosure does not provide any information about the private key. Knowing the subscriber's public key notably allows a remote party to encrypt a message intended for the subscriber.
  • Another subscriber authentication mechanism is based on the use of a username and password. Thus, to establish communication, it is necessary to provide a username and password. If these are recognized by an operator's call server, then the establishment of a communication becomes possible.
  • These authentication mechanisms are relatively easy to implement with softphones. However, this is not the case. even for telephone terminals used in internet networks. Indeed, not all of these terminals have the possibility of entering a password or of implementing encryption by asymmetric cryptography.
  • asymmetric cryptography requires, to be truly effective, to obtain a certificate from a certified body, which is hardly compatible with a deployment of a voice service on the Internet on a large scale, i.e. - say for several million subscribers.
  • the object of the invention is therefore to overcome these drawbacks and to provide a method and an installation for checking the identity of a sender of a telephone call on an Internet network, making it possible to control the identity of a sender using a VoIP type telephone terminal, that is to say an Internet telephony terminal, and which is compatible with a development of Internet telephony on a very large scale.
  • this method further comprises a step of comparing parameters extracted from the decrypted control code with corresponding information extracted from the call establishment request frame.
  • This information which is stored in the database, includes, according to yet another characteristic of this method, a terminal identification address.
  • the information is transferred from the terminal to the database during a first call made by the terminal.
  • This first call can consist of a call made immediately after the installation of the subscriber's telephone terminal.
  • the parameters extracted from the call establishment request frame include the terminal's IP address and the terminal's call number.
  • the control code can be produced from an encrypted function of the ⁇ terminal identification address and the IP address of the latter.
  • the parameters extracted from the call establishment request frame include the IP address of a gateway connecting a private network to a telecommunications network and the terminal call number.
  • the control code is then produced from an encrypted function of the terminal identification address and the gateway IP address.
  • the terminal's IP address is transmitted by an Internet service provider to a control module associated with the gateway.
  • an installation for controlling the identity of the sender of a telephone call on an Internet network comprising a call management server adapted to cause the establishment of a communication between terminals respectively calling and called telecommunication, according to parameters contained in a communication establishment request frame sent by the calling terminal.
  • the management server includes means for decrypting an encrypted control code inserted in the communication establishment request frame, the code containing parameters relating to the identity of the calling telecommunications terminal, and means for comparing the 'at least one parameter extracted from the control code decrypted by the decryption means with a corresponding code stored in- a database hosted in the server to authorize the establishment of the communication according to the result of the comparison.
  • the installation further comprises means for comparing parameters extracted from the decrypted control code with corresponding information.
  • a telecommunication terminal for control installation as defined above, characterized in that it comprises a control module suitable for the insertion of an encrypted control code in a communication establishment request frame.
  • This control module includes means for developing an encrypted function of the terminal identification address and the terminal IP address.
  • the control module comprises means for developing an encrypted function of the identification address of the terminal and the IP address of a gateway for connecting a local network to a telecommunications network. public.
  • FIG. 1 schematically illustrates the structure of a telecommunications network providing access to a telephony service Internet, provided with an installation for controlling a transmitter of a telephone call and making it possible to implement a control method in accordance with the invention
  • FIG. 2 is a detail view of a portion of the network of Figure 1, illustrating a call establishment request sequence
  • FIG. 3 is a flowchart illustrating the main phases of the control method according to the invention.
  • FIG. 1 there is shown the general architecture of a telecommunications network 10 allowing access to a telephone service on the Internet.
  • the network comprises, on the subscriber side, a set of equipment usable by subscribers for establishing telephone communications with remote subscribers.
  • FIG. 1 two distinct configurations have been shown, namely a configuration C1 and a configuration C2.
  • the first configuration C1 is arranged around a private local network, or LAN network. It includes a set of telecommunication terminals 12, for example constituted by telephones
  • NoIP connected to the LAN 14.
  • Computer terminals such as 16, constituted for example by microcomputers, can also be connected to the network 14, as is conventional in a private computer network.
  • a gateway 24 interconnects the private network, and in particular the LAN network 14 to a public network 20 of a telecommunications operator providing a NoIP telephony service, by means of a modem 22.
  • the gateway comprises a control module ensuring, as will be described in detail below, a control of the identity of the sender of a telephone call, that is to say a module capable of controlling that no attempt to spoof the LAN local telephone number has been made by third parties.
  • the telephony equipment is constituted by telecommunication terminals, such as 26, in which is integrated the control module. Each terminal 26 communicates with the operator's public network 20 via a modem 28.
  • the network comprises, on the one hand, a server 30 providing access to the Internet network and, on the other hand, a call server 32 which exercises, jointly with the control modules, control the identity of the originator of a call and which establishes telephone communications for a subscriber calling according to the result of the control of the transmitter and according to a configuration of services offered by the operator.
  • the call server 32 as well as the gateway control module (configuration; C1) or of the terminals (configuration C2) . include all the hardware and software means to control the identity of the originator of a call to verify that a subscriber number has not been usurped by a third party, as will be described in detail by the ' after.
  • the call server 32 is associated with a database 34 in which are loaded information relating to the subscribers, such as the identification address of the terminal, also known by the name "MAC address".
  • information relating to the subscribers such as the identification address of the terminal, also known by the name "MAC address”.
  • such information is loaded into memory in each terminal 12, during its manufacture. They are transferred to the database 34, under the control of the "call server 32, during the first call made from each terminal, that is to say immediately after the installation of the terminal of a subscriber
  • the Internet service provider server 30 transmits to the control module of the gateway 24 or to the terminal 26, in the case where the module is integrated into the latter, a public IP address, and this, whenever this address is changed.
  • this terminal For the establishment of a NoIP communication on the Internet network 20 from a terminal such as 12, this terminal prepares and then transmits to the call server 32 a frame for requesting establishment of 'call.
  • This frame includes a set of fields each conveying information necessary for the establishment of the communication, such as the IP address of the calling terminal or the IP address of the gateway, and the number of the caller and the called party. .
  • control module 24 inserts into the call establishment request frame an encrypted message prepared from the address
  • the call server 32 proceeds to a decryption of the control code inserted in the frame, to a recovery of the MAC code of identification and the IP address of the calling gateway or terminal, then, on the one hand, a comparison of the MAC address retrieved from the frame sent by the calling terminal with the corresponding MAC address stored in the database data 34 and, on the other hand, the IP address resulting from the decryption of the control code with the IP address conveyed in clear by the frame. In case of correspondence between these data, the call is authorized.
  • the call request begins with a first phase 36 during which the terminal 12 transmits the call establishment request frame to the control module.
  • This performs a configuration of a specific field in the frame of the control code.
  • the control module 24 inserts into the "h323id" field an encrypted function of the MAC address of the IP telephone and of the IP address of the control module.
  • the frame is then transmitted to the call server 32 (step 3. 8).
  • This comprises a gatekeeper 40, which shares with the control module a dynamic link library or DLL so as to decrypt the control code.
  • control module can be carried out by any type of encryption of the conventional type.
  • encryption techniques that can be used within the framework of the present description are within the reach of a person skilled in the art and will therefore not be described in detail below. . - •
  • the call management server 32 implements service software 44 (step 41), which carries out the actual control, called the call originator so as to authorize the establishment of the call in case of correspondence between the data conveyed by the control code and the data stored in the database 34, on the one hand, and the data conveyed in clear by the communication establishment request frame,
  • the service software then transmits the result of the processing to the gatekeeper (step 42). Instructions suitable for authorizing a call can then be transmitted to the control module (step 43) and to the terminal (step 45) in the absence of an attempted fraud.
  • a check of the checking function is carried out. If this function is deactivated, communication is authorized (step 47).
  • the call server performs a decryption of the control code, that is to say, when the H.323 standard is used, to a decryption of the h323id field so as to extract the identification address of the terminal and the IP address of this terminal or the gateway IP address.
  • the call server and in particular the service software performs a comparison of the IP address extracted from the control code with the IP address conveyed in clear by the establishment request frame call. In the event that these addresses do not match, the call request is rejected (step 50). In case of correspondence between these IP addresses, during the step
  • the call server 32 checks if a MAC address is present in the database.
  • the MAC address obtained after decryption is stored in the database (step 54) and the appeal is allowed.
  • the call server 32 performs a comparison of this MAC address with the MAC address resulting from the decryption. If there is a match between these addresses, the call is authorized (step 47). Otherwise, the appeal is dismissed.
  • the service software verifies that the IP address of the control module is correct.
  • a user subscribed or not, retrieving an IP address from a subscriber to make communications, will not be able to establish a communication. Indeed, after decryption of the control code, the IP address will not correspond to that of the line from which the call is made.
  • the service software verifies that the MAC address of the terminal from which the call is made corresponds to the address

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
EP03798947A 2002-10-01 2003-09-24 Verfahren und system zur identitätsprüfung eines telefonanrufsenders über das internet und telfongerät für diese system Withdrawn EP1547346A2 (de)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0212132 2002-10-01
FR0212132A FR2845226B1 (fr) 2002-10-01 2002-10-01 Procede et installation de controle de l'identite de l'emetteur d'un appel telephonique sur un reseau internet et terminal de telephonie pour une telle installation
PCT/FR2003/002808 WO2004032430A2 (fr) 2002-10-01 2003-09-24 Procede et installation de controle de l’identite de l’emetteur d’un appel telephonique sur un reseau internet et terminal de telephonie pour une telle installation

Publications (1)

Publication Number Publication Date
EP1547346A2 true EP1547346A2 (de) 2005-06-29

Family

ID=31985374

Family Applications (1)

Application Number Title Priority Date Filing Date
EP03798947A Withdrawn EP1547346A2 (de) 2002-10-01 2003-09-24 Verfahren und system zur identitätsprüfung eines telefonanrufsenders über das internet und telfongerät für diese system

Country Status (5)

Country Link
US (1) US20060147038A1 (de)
EP (1) EP1547346A2 (de)
AU (1) AU2003299173A1 (de)
FR (1) FR2845226B1 (de)
WO (1) WO2004032430A2 (de)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7924987B2 (en) * 2005-10-19 2011-04-12 At&T Intellectual Property I., L.P. Methods, apparatus and data structures for managing distributed communication systems
US8238327B2 (en) * 2005-10-19 2012-08-07 At&T Intellectual Property I, L.P. Apparatus and methods for subscriber and enterprise assignments and resource sharing
US7643472B2 (en) 2005-10-19 2010-01-05 At&T Intellectual Property I, Lp Methods and apparatus for authorizing and allocating outdial communication services
US20070086433A1 (en) * 2005-10-19 2007-04-19 Cunetto Philip C Methods and apparatus for allocating shared communication resources to outdial communication services
US20070116234A1 (en) * 2005-10-19 2007-05-24 Marco Schneider Methods and apparatus for preserving access information during call transfers
US7839988B2 (en) 2005-10-19 2010-11-23 At&T Intellectual Property I, L.P. Methods and apparatus for data structure driven authorization and/or routing of outdial communication services
US8769706B2 (en) * 2007-07-26 2014-07-01 International Business Machines Corporation System and method for user to verify a network resource address is trusted

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1127835C (zh) * 1999-04-09 2003-11-12 通用器材公司 有线电话适配器与相连信令控制器之间的密钥管理
JP4068780B2 (ja) * 2000-02-24 2008-03-26 富士通株式会社 VoIP通信システムにおける通信状態通知装置,通信状態表示装置,通信状態通知方法及び通信状態通知プログラムを記録した媒体
DE10108825A1 (de) * 2001-02-23 2002-09-05 Siemens Ag Gesplittete Sicherheitsarchitektur für Voice over Internetprotocol
US20030097584A1 (en) * 2001-11-20 2003-05-22 Nokia Corporation SIP-level confidentiality protection
JP3746713B2 (ja) * 2001-12-28 2006-02-15 株式会社日立製作所 インターネット電話システムおよび情報処理装置

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2004032430A2 *

Also Published As

Publication number Publication date
WO2004032430A2 (fr) 2004-04-15
WO2004032430A3 (fr) 2004-09-23
FR2845226A1 (fr) 2004-04-02
AU2003299173A1 (en) 2004-04-23
AU2003299173A8 (en) 2004-04-23
US20060147038A1 (en) 2006-07-06
FR2845226B1 (fr) 2004-12-10

Similar Documents

Publication Publication Date Title
EP1022922B1 (de) Authentifizierungsverfahren zwischen einem Teilnehmer und einem Dienstleister, der durch einen Netzbetreiber erreichbar ist, mittels Bereitstellung eines gesicherten Kanals
US7860800B2 (en) Policy control and billing support for call transfer in a session initiation protocol (SIP) network
WO2005046278A2 (fr) Méthode de gestion de la sécurité d'applications avec un module de sécurité
EP0463384A1 (de) Zugriffsverfahren für schnurlosen Telefondienst
FR2874295A1 (fr) Procede d'authentification securisee pour la mise en oeuvre de services sur un reseau de transmission de donnees
EP3588903A1 (de) Verfahren, vorrichtung und server zur gesicherten übertragung einer konfiguration an ein endgerät
FR2960734A1 (fr) Procede et dispositifs de communications securisees dans un reseau de telecommunications
US20050227670A1 (en) Methods and systems for providing voice over internet protocol communications via an intranet
FR2851712A1 (fr) Dispositif de gestion de communications par selection de terminaux et de medium de communication
EP1547346A2 (de) Verfahren und system zur identitätsprüfung eines telefonanrufsenders über das internet und telfongerät für diese system
EP2873211B1 (de) Verfahren zum speichern mindestens einer öffentlichen adresse eines ims-netzes, und entsprechende anwendung
EP3219077B1 (de) Verfahren und system zur verwaltung von benutzeridentitäten, die während der kommunikation zwischen zwei webbrowsern implementiert werden sollen
EP3808060B1 (de) Nachrichtenverarbeitung in einem voice-over-ip-netz
EP1400090B1 (de) Vorrichtung und verfahren zur bereitstellung gesicherter kommunikation in einem computernetzwerk
FR2844943A1 (fr) Procede de production d'un premier identifiant isolant un utilisateur se connectant a un reseau telematique
JP2004280595A (ja) コールバックvpnシステム及び接続方法
FR2882487A1 (fr) Procede de routage d'appel dans un terminal bi-mode
EP1992104B1 (de) Authentifizierung einer computervorrichtung auf benutzerebene
FR2842381A1 (fr) Procede et dispositif pour connexion a un systeme electronique par l'intermediaire d'un fournisseur d'acces a un reseau de communication
EP1401167A1 (de) Architektur zur Bereitstellung einer Multimedia-Sitzung über ein Netzwerk
EP2100430A2 (de) Telekommunikationsverfahren und system mit zugang zum selben informationssatz für mindestens zwei verschiedene benutzer
FR2887727A1 (fr) Procede de personnalisation de la carte de visite d'un appele selon l'identite d'un appelant
WO2008037912A2 (fr) Acces d 'un service a l 'aide d 'un serveur d 'authentification

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK

17P Request for examination filed

Effective date: 20050414

DAX Request for extension of the european patent (deleted)
RIN1 Information on inventor provided before grant (corrected)

Inventor name: L'HOSTIS, MICHEL

Inventor name: ZOUGHLAMI, YACINE

Inventor name: ALLAIN, MICKAEL

RIN1 Information on inventor provided before grant (corrected)

Inventor name: L'HOSTIS, MICHEL

Inventor name: ZOUGHLAMI, YACINE

Inventor name: ALLAIN, MICKAEL

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20100401