The foregoing aspects and many of the attendant advantages of this invention will become more readily appreciated as the same become better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:
Generally described, the present invention relates to a method and system for establishing and/or maintaining a secured communication channel in a multi-tier service environment. More specifically, the present invention relates to a method and system for performing a series of authentication processes to grant access to a secured service over the communication channel without loss of the communication channel connection. For example, the identity of a caller may be authenticated using multiple types of information which may be transmitted as part of a VoIP conversation. A VoIP conversation includes one or more data streams of information related to a conversation, such as contextual information and voice/multimedia information, exchanged over a conversation channel. In order to authenticate, contextual information relating to a particular authentication may be exchanged in conjunction with its corresponding “structured hierarchies.” “Structured hierarchies,” as used herein, are predefined organizational structures for arranging contextual information to be exchanged between two or more VoIP devices. For example, structured hierarchies may be eXtensible Markup Language (XML) namespaces. Although the present invention will be described with relation to illustrative structured hierarchies and an IP telephony environment, one skilled in the relevant art will appreciate that the disclosed embodiments are illustrative in nature and should not be construed as limiting.
With reference to
Generally described, the IP telephony environment 100 may include an IP data network 108 such as the Internet, an intranet network, a wide area network (WAN), a local area network (LAN), and the like. The IP telephony environment 100 may further include VoIP service providers 126, 132 providing VoIP services to VoIP clients 124, 125, 134. A VoIP call conversation may be exchanged as a stream of data packets corresponding to voice information, media information, and/or contextual information. As will be discussed in greater detail below, the contextual information includes metadata (information about information) relating to the VoIP conversation, the devices being used in the conversation, the contact point of the connected VoIP clients, and/or individuals that are identified by the contact point (e.g., employees of a company).
The IP telephony environment 100 may also include third-party VoIP service providers 140. The VoIP service providers 126, 132, and 140 may provide various calling features, such as incoming call-filtering, text data, voice and media data integration, and the integrated data transmission as part of a VoIP call conversation. VoIP clients 104, 124, 125, and 134 may create, maintain, and provide information relating to predetermined priorities for incoming calls.
VoIP service providers 132 may be coupled to a private network such as a company LAN 136, providing IP telephone services (e.g., internal calls within the private network, external calls outside of the private network, and the like) and multimedia data services to several VoIP clients 134 communicatively connected to the company LAN 136. In one embodiment, one or more ISPs 106, 122 may be configured to provide Internet access to VoIP clients 104, 124, and 125 so that the VoIP clients 104, 124, and 125 can maintain conversation channels established over the Internet. The VoIP clients 104, 124, and 125 connected to the ISP 106, 122 may use wired and/or wireless communication lines.
Further, each VoIP client 104, 124, 125, and 134 may establish and maintain a secured communication channel via appropriate authentication. For example, VoIP client 124 and VoIP client 125 can be authenticated via a third-party authentication server 126 when a communication channel is established. In addition, during a conversation, multi-tier authentication may be implemented to provide secure services over the communication channel. Each secured service may require a different authentication protocol, different contextual information, and the like. Upon request of a secured service by either VoIP client 124 or VoIP client 125, an individual user, a system, and/or a device of the VoIP clients will be mutually authenticated. In a peer-to-peer environment, VoIP clients 104, 124, 125, and 134 may authenticate a communication channel or a secured service generally utilizing offline third-party authentication server(s) 126. For example, some VoIP clients 104, 124, 125, and 134 may have agreed to use a particular third-party authentication server(s) for their peer-to-peer authentication. In this example, credentials, certificates, tokens, etc. (which have previously been validated by the third-party authentication server) may be exchanged as part of contextual information over a communication channel.
Each VoIP client 104, 124, 125, and 134 can communicate with Plain Old Telephone Service (POTS) 115 communicatively connected to a PSTN 112 or PBX 113. A PSTN interface 114 such as a PSTN gateway may provide access between POTS/PSTN and the IP data network 108. Conventional voice devices, such as a land line, may request a connection with the VoIP client, and the appropriate VoIP device associated with the VoIP client will be used to establish a connection. In one example, an individual associated with the VoIP client may specify which devices are to be used in connecting a call based on a variety of conditions (e.g., connection based on the calling party, the time of day, etc.).
It is understood that the above-mentioned configuration in the environment 100 is merely exemplary. It will be appreciated by one of ordinary skill in the art that any suitable configurations with various VoIP entities can be part of the environment 100. For example, VoIP clients 134 coupled to LAN 136 may be able to communicate with other VoIP clients 104, 124, 125, and 134 with or without VoIP service providers 132 or an ISP 106, 122. Further, an ISP 106, 122 can also provide VoIP services to its clients.
Referring now to
The unique VoIP identifier may be used similarly to a telephone number in the PSTN. However, instead of dialing a typical telephone number to ring a specific PSTN device, such as a home phone, the unique VoIP identifier is used to reach a contact point, such as an individual or company, which is associated with the VoIP client. Based on the arrangement of the client, the appropriate device(s) will be connected to reach the contact point. In one embodiment, each VoIP device included in the VoIP client may also have its own physical address in the network or a unique device number. For example, if an individual makes a phone call to a POTS client using a personal computer (VoIP device), the VoIP client identification number in conjunction with an IP address of the personal computer will eventually be converted into a telephone number recognizable in PSTN.
The multimedia input/output component 302 may be configured to input and/or output multimedia data (including audio, video, and the like), user biometrics, text, application file data, etc. The multimedia input/output component 302 may include any suitable user input/output components such as a microphone, a video camera, a display screen, a keyboard, user biometric recognition devices, and the like. The multimedia input/output component 302 may also receive and transmit multimedia data via the network interface component 304. The network interface component 304 may support interfaces such as Ethernet interfaces, frame relay interfaces, cable interfaces, DSL interfaces, token ring interfaces, radio frequency (air interfaces), and the like. The VoIP device 300 may comprise a hardware component 306 including permanent and/or removable storage such as read-only memory devices (ROM), random access memory (RAM), hard drives, optical drives, and the like. The storage may be configured to store program instructions for controlling the operation of an operating system and/or one or more applications and to store contextual information related to individuals (e.g., voice profiles, user biometrics information, etc.) associated with the VoIP client in which the device is included. In one embodiment, the hardware component 306 may include a VoIP interface card which allows a non-VoIP client device to transmit and receive a VoIP conversation.
The device 300 may further include a software application component 310 for the operation of the device 300 and a VoIP Service application component 308 for supporting various VoIP services. The VoIP service application component 308 may include applications such as data packet assembler/disassembler applications, a structured hierarchy parsing application, audio Coder/Decoder (CODEC), video CODEC and other suitable applications for providing VoIP services. The CODEC may use voice profiles to filter and improve incoming audio.
With reference to
A variety of protocols may be selected for use in exchanging information between VoIP clients, VoIP devices, and/or VoIP service providers. For example, when Session Initiation Protocol (SIP) is selected for a signaling protocol, session control information and messages will be exchanged over a SIP signaling path/channel and media streams will be exchanged over Real-Time Transport Protocol (RTP) path/channel. For the purpose of discussion, a communication channel, as used herein, generally refers to any type of data or signal exchange path/channel. Thus, it will be appreciated that, depending on the protocol, a connection set-up phase and a connection termination phase may require additional steps in the conversation flow 400.
For ease of explanation, consider an example in which the first VoIP client 406 and the second VoIP client 408 each include only one VoIP device. Accordingly, the discussion provided herein will refer to connection of the two VoIP devices. The individual using the device of the first VoIP client 406 may select or enter the unique identifier of the client that is to be called. Provider 1 402 receives the request from the device of the first VoIP client 408 and determines a terminating service provider (e.g., Provider 2 404 of the second VoIP client 408) based on the unique client identifier included in the request. The request is then forwarded to Provider 2 404. This call initiation will be forwarded to the device of the second VoIP client.
In an illustrative embodiment, as or before the devices of the first VoIP client 406 and the second VoIP client 408 begin to exchange data packets, contextual information may be exchanged. As will be discussed in greater detail below, the contextual information may be packetized in accordance with a predefined structure that is associated with the conversation. Any device associated with the first VoIP client 406, the service provider of the first VoIP client 406, or a different device/service provider may determine the structure based on the content of the contextual information. In one embodiment, the exchanged contextual information may include information relating to the calling VoIP client 406, the device, and the VoIP client 408 being called. For example, the contextual information sent from the called VoIP client 406 may include a priority list of incoming calls from various potential calling VoIP clients, including VoIP client 406.
Available media types, rules of the calling client, the client being called, and the like, may also be part of the contextual information that is exchanged during the connection set-up phase. The contextual information may be processed and collected by one of the devices of the first VoIP client 406, one of the devices of the second VoIP client 408, and/or by the VoIP service providers (e.g., Provider 1 402 and Provider 2 404), depending on the nature of the contextual information. In one embodiment, the VoIP service providers 402, 404 may add/delete some information to/from the client's contextual information before forwarding the contextual information.
In response to a request to initiate a conversation channel, the second VoIP client 408 may accept the request for establishing a conversation channel or execute other appropriate actions such as rejecting the request via Provider 2 404. The appropriate actions may be determined based on the obtained contextual information.
As will be discussed in greater detail, in one embodiment, the first VoIP client and the second VoIP client may exchange contextual information relating to authentication capabilities. If the first VoIP client and the second VoIP client have a disparity in their authentication capabilities so great that the disparity cannot be resolved, or is not acceptable for security reasons, the communication set-up session will be terminated. Otherwise, the first VoIP client and the second VoIP client will exchange the contextual information required to authenticate a communication channel. Upon authentication, a conversation channel between the device of the first VoIP client 406 and a device of the second VoIP client 408 can then be established.
When a conversation channel is established, a device of the first VoIP client 406 and a device of the second VoIP client 408 start communicating with each other by exchanging data packets. As will be described in greater detail below, the data packets, including conversation data packets and contextual data packets, are communicated over the established conversation channel between the connected devices.
Conversation data packets carry data related to a conversation, for example, a voice data packet or multimedia data packet. Contextual data packets carry information relating to data other than the conversation data. During a conversation, contextual information relating to multi-tier authentication between the first VoIP client 406 and the second VoIP client 408 may be exchanged. In one embodiment, a series of authentication processes may be performed over a communication channel while the communication channel connection is not interrupted or terminated by such authentication. As such, the first VoIP client 406 and the second VoIP client 408 can request, authenticate, decline, and/or provide a secured service without loss of the communication channel connection. Further, either the first VoIP client 406 or the second VoIP client 408 can request to terminate the conversation channel. Some contextual information may be exchanged between the first VoIP client 406 and the second VoIP client 408 after the termination.
In one embodiment of the present invention, a structured hierarchy may be predefined for communicating contextual information over a VoIP conversation channel. The contextual information may include any information relating to VoIP clients, VoIP devices, conversation channel connections (e.g., call basics), conversation context (e.g., call context), and the like. More specifically, the contextual information may include client preference, client rules, client's location (e.g., user location, device location, etc.), biometrics information, the client's confidential information, VoIP device's functionality, VoIP service provider's information, media type, media parameters, calling number priority, keywords, information relating to application files, or the like. The contextual information may be processed and collected at each VoIP client and/or the VoIP service providers depending on the nature of the contextual data. In one aspect, the VoIP service providers may add, modify and/or delete the VoIP client's contextual data before forwarding the contextual information. For example, client's confidential information will be deleted by the VoIP service provider associated with that client unless the client authorizes such information to be transmitted. In some cases, a minimal amount of contextual information is transmitted outside of an intranet network.
With reference to
In another embodiment, each VoIP client may have a set of predefined structured hierarchies stored in a local storage of any devices or a dedicated local storage which all devices can share. The predefined structured hierarchies may be declared and agreed upon between VoIP clients before contextual information is exchanged. In this manner, the need to provide the structure of the contextual data packets may be eliminated and thus the amount of transmitted data packets corresponding to the contextual data is reduced. Further, by employing the predefined structured hierarchies, data packets can be transmitted in a manner which is independent of hardware and/or software.
Upon retrieving the identified structured hierarchy, VoIP Client 608 is expecting to receive a data stream such that data packets corresponding to the data stream are defined according to the identified structured hierarchies. VoIP Client 606 can begin sending contextual information represented in accordance with the identified structured hierarchies. In one embodiment, VoIP Client 608 starts a data binding process with respect to the contextual information. For example, instances of the identified structured hierarchies may be constructed with the received contextual information.
Referring to
Upon detecting the triggering event, First Client 606 may request a challenge for Second Client 608 from the third-party authentication node 626. Subsequently, First Client 606 may receive information relating to the challenge from the third-party authentication node 626. Based on the received information, First Client 606 generates contextual information including the challenge and transmits the contextual information to Second Client 608 over a secured communication channel. As mentioned above, structured hierarchies corresponding to the contextual information are identified by First Client 606. Information regarding the identified structured hierarchy may be transmitted to Second Client 608. As will be discussed in greater detail below, the information regarding the identified structured hierarchy may include information about which structured hierarchies are used to carry the corresponding contextual information, how to identify the structured hierarchies, and the like. As such, the information regarding the identified structured hierarchies and the corresponding contextual information, including the challenge, are sent to Second Client 608. Upon receipt of the contextual information, Second Client 608 may identify a set of rules defining how to process the contextual information. The contextual information may be processed in accordance with the identified structured hierarchies. Second Client 608 may generate a response using the challenge extracted from the processed contextual information. In a particular embodiment, a hash function (e.g., Message Digest algorithm-5 (MD5), etc.) may be utilized in Second Client 608 to generate the response from the challenge together with private security information (e.g., a password, etc.). Second Client 608 sends contextual information including the generated response to First Client 606.
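The challenge-response exchange described above, written out as an added example (it is not code from the patent): a third-party authentication node issues a challenge on request from First Client, First Client carries the challenge to Second Client as contextual information tagged with a structured-hierarchy identifier, Second Client derives a response from the challenge and its private secret, and First Client hands that response back to the node for verification. The hierarchy URNs, client identifiers, secrets and the CHAP-style digest layout (id, secret, challenge) are assumptions; the text names MD5 as one possible hash, and the `digest` parameter accepts any hashlib name.

```python
import hashlib
import hmac
import itertools
import os


def compute_response(challenge_id, secret, challenge, digest):
    """CHAP-style response: digest(id || shared secret || challenge)."""
    h = hashlib.new(digest)
    h.update(bytes([challenge_id & 0xFF]))
    h.update(secret)
    h.update(challenge)
    return h.digest()


class ThirdPartyAuthNode:
    """Authentication node: issues challenges and verifies responses.

    It holds each client's shared secret, so the authenticator (First Client)
    never needs to see the secret of the peer it is checking."""

    def __init__(self, secrets, digest="sha256"):
        self._secrets = dict(secrets)      # client id -> shared secret (bytes)
        self._pending = {}                 # (client id, challenge id) -> challenge
        self._ids = itertools.count(1)
        self.digest = digest

    def request_challenge(self, client_id):
        """First Client asks for a challenge intended for client_id."""
        if client_id not in self._secrets:
            raise KeyError(f"unknown client {client_id!r}")
        challenge_id = next(self._ids)
        challenge = os.urandom(16)
        self._pending[(client_id, challenge_id)] = challenge
        return challenge_id, challenge

    def verify(self, client_id, challenge_id, response):
        """A challenge is consumed on first use, so a replayed response fails."""
        challenge = self._pending.pop((client_id, challenge_id), None)
        if challenge is None:
            return False
        expected = compute_response(challenge_id, self._secrets[client_id],
                                    challenge, self.digest)
        return hmac.compare_digest(expected, response)


class SecondClient:
    """The authenticatee: proves knowledge of its secret without sending it."""

    def __init__(self, client_id, secret):
        self.client_id = client_id
        self._secret = secret

    def respond(self, ctx):
        # ctx is the contextual information received over the channel; the
        # hierarchy identifier tells the receiver how to interpret the fields.
        if ctx["hierarchy"] != "urn:example:auth:challenge":
            raise ValueError("unexpected structured hierarchy")
        response = compute_response(ctx["challenge_id"], self._secret,
                                    ctx["challenge"], ctx["digest"])
        return {"hierarchy": "urn:example:auth:response",
                "client_id": self.client_id,
                "challenge_id": ctx["challenge_id"],
                "response": response}


class FirstClient:
    """The authenticator: relays challenge and response between peer and node."""

    def __init__(self, node):
        self._node = node

    def authenticate(self, peer, peer_id):
        challenge_id, challenge = self._node.request_challenge(peer_id)
        ctx = {"hierarchy": "urn:example:auth:challenge",
               "challenge_id": challenge_id,
               "challenge": challenge,
               "digest": self._node.digest}
        reply = peer.respond(ctx)
        if reply["client_id"] != peer_id or reply["challenge_id"] != challenge_id:
            return False
        return self._node.verify(peer_id, challenge_id, reply["response"])


def run_exchange(digest="sha256"):
    """Returns (genuine peer accepted, impostor rejected, replay rejected)."""
    secret = b"constructed-shared-secret"
    node = ThirdPartyAuthNode({"second": secret}, digest)
    first = FirstClient(node)
    genuine = SecondClient("second", secret)
    impostor = SecondClient("second", b"wrong secret")

    accepted = first.authenticate(genuine, "second")
    impostor_rejected = not first.authenticate(impostor, "second")

    # Replay: present a valid response again after its challenge was consumed.
    challenge_id, challenge = node.request_challenge("second")
    reply = genuine.respond({"hierarchy": "urn:example:auth:challenge",
                             "challenge_id": challenge_id,
                             "challenge": challenge, "digest": digest})
    node.verify("second", challenge_id, reply["response"])
    replay_rejected = not node.verify("second", challenge_id, reply["response"])
    return accepted, impostor_rejected, replay_rejected
```

The node discards a challenge the moment it is checked, which is what makes a captured response useless a second time; the constant-time comparison keeps the verifier from leaking how many leading bytes of a guessed response were right.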
Referring to
In an alternative embodiment, First Client 606 and Second Client 608 may support a peer-to-peer authentication protocol, thereby eliminating a need to communicate with the third-party authentication node online. In this embodiment, a device of First Client 606 can authenticate a device of Second Client 608. Generally, a digital certificate, credential information, or the like may be exchanged for authentication.
As discussed above, the information regarding the identified structured hierarchies corresponding to the contextual information may be received by Second Client 608. Upon receipt of the information regarding the identified structured hierarchies, Second Client 608 may look up predefined structured hierarchies to select the identified structured hierarchies for the contextual information. In one embodiment, the structured hierarchies may be defined by Extensible Markup Language (XML). However, it is to be appreciated that the structured hierarchies can be defined by any language suitable for implementing and maintaining extensible structured hierarchies. Generally described, XML is well known as a cross-platform, software and hardware independent tool for transmitting information. Further, XML maintains its data as a hierarchically structured tree of nodes, each node comprising a tag that may contain descriptive attributes. XML is also well known for its ability to allow extendable (i.e., vendor customizable) patterns that may be dictated by the underlying data being described without losing interoperability. Typically, an XML namespace URI is provided to uniquely identify a namespace. In some instances, the namespace may be used as a pointer to a centralized location containing default information (e.g., XML Schema) about the document type the XML is describing.
In an illustrative embodiment, VoIP client 606 may identify an XML namespace for contextual information. When multiple contexts are aggregated, appropriate XML namespaces can be declared as an attribute at the corresponding tags. It is to be understood that XML namespaces, attributes, and classes illustrated herein are provided merely as an example of structured hierarchies used in conjunction with various embodiments of the present invention. After VoIP client 608 receives the XML namespace information, the VoIP client 606 transmits a set of data packets containing contextual information defined in accordance with the identified XML namespace or namespaces to VoIP client 608. When a namespace is present at a tag, its child elements share the same namespace pursuant to the XML scope rule defined by the XML 1.0 specification. As such, VoIP client 608 and VoIP client 606 can transmit contextual information without including prefixes in all the child elements, thereby reducing the amount of data packets transmitted for the contextual information.
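An added example (not code from the patent) of the exchange described in the last two paragraphs and in the earlier discussion of predefined structured hierarchies: both clients hold a local table of structured hierarchies keyed by XML namespace URI, the sender declares the namespace once on each context tag so the child elements carry no prefixes, and the receiver identifies the hierarchy from that URI and binds the children to it, rejecting anything the agreed hierarchy does not define. The namespace URIs, element names and the `contextual-information` wrapper element are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Predefined structured hierarchies, keyed by XML namespace URI (constructed
# for this example). Both clients store this table locally, so only the URI,
# not the structure itself, has to travel with the contextual data.
STRUCTURED_HIERARCHIES = {
    "urn:example:voip:callbasics": ("caller", "callee", "media"),
    "urn:example:voip:auth": ("protocol", "capability"),
}


def build_contextual_xml(contexts):
    """Sender side: serialise {namespace_uri: {element: text}}.

    The namespace is declared once on each <context> tag; under the XML 1.0
    scoping rule its children inherit it, so no prefixes are transmitted."""
    parts = ["<contextual-information>"]
    for ns, fields in contexts.items():
        allowed = STRUCTURED_HIERARCHIES.get(ns)
        if allowed is None:
            raise ValueError(f"unknown structured hierarchy: {ns}")
        parts.append(f"<context xmlns={quoteattr(ns)}>")
        for name, value in fields.items():
            if name not in allowed:
                raise ValueError(f"{name!r} is not defined in {ns}")
            parts.append(f"<{name}>{escape(str(value))}</{name}>")
        parts.append("</context>")
    parts.append("</contextual-information>")
    return "".join(parts)


def _split_tag(tag):
    """ElementTree reports namespaced tags as '{uri}local'."""
    if not tag.startswith("{"):
        raise ValueError(f"element {tag!r} carries no namespace")
    ns, _, local = tag[1:].partition("}")
    return ns, local


def bind_contextual_xml(document):
    """Receiver side: look up each context's hierarchy by namespace and bind
    the child elements to it (the text's "data binding" step)."""
    root = ET.fromstring(document)
    if root.tag != "contextual-information":
        raise ValueError("not a contextual-information document")
    bound = {}
    for ctx in root:
        ns, local = _split_tag(ctx.tag)
        if local != "context" or ns not in STRUCTURED_HIERARCHIES:
            raise ValueError(f"unrecognised context element {ctx.tag!r}")
        allowed = STRUCTURED_HIERARCHIES[ns]
        fields = {}
        for child in ctx:
            child_ns, name = _split_tag(child.tag)
            if child_ns != ns or name not in allowed:
                raise ValueError(f"{child.tag!r} not permitted under {ns}")
            fields[name] = child.text or ""
        bound[ns] = fields
    return bound


# Constructed sample: call basics plus authentication context in one document.
SAMPLE_CONTEXTS = {
    "urn:example:voip:callbasics": {"caller": "alice@example.net",
                                     "callee": "bob@example.net",
                                     "media": "audio"},
    "urn:example:voip:auth": {"protocol": "CHAP", "capability": "password"},
}
```

The receiver only accepts element names that the agreed hierarchy defines, so an unexpected element is a protocol error rather than silently ignored data. In a deployment that accepts XML from the network, parse with a hardened parser (for example the `defusedxml` package) so that entity expansion and external entities cannot be used against the receiving device.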
With reference to
With reference to
With reference to
With reference to
With reference to
Beginning at block 902, a sending computing device sends a signal initiating a secure digital voice communication channel to a recipient computing device. At block 904, a communication session is first established to further the call set-up phase between the sending computing device and the recipient computing device. Over the communication session, the sending computing device and the recipient computing device exchange contextual information relating to a communication channel establishment. More specifically, contextual information relating to authentication capabilities may be exchanged as illustrated at block 906. Since each device and client may have different authentication capabilities and associated information, there may be some disparities in authentication capabilities between the recipient computing device and the sending computing device. In one embodiment, at block 908, both devices may try to resolve the disparity by exchanging relevant contextual information. When the disparities are not acceptable or negotiable, the call initiation signal will be rejected by either the recipient computing device or the sending computing device. For example, the recipient computing device may require certain authentication information, such as user fingerprint information and login-password information, from the sending computing device, which is not available in the sending computing device. In this example, the recipient computing device and the sending device may exchange the requirement for authentication, the scope of the available authentication information, and the like. The recipient computing device may negotiate with the sending computing device by requesting other information. In one embodiment, the recipient computing device may ease its requirements if there has been a previous communication channel establishment with the sending client.
At block 910, the recipient client and/or the recipient computing device may be authenticated in accordance with a mutually agreed authentication protocol. Examples of the authentication protocol include Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, Extended Authentication Protocol (EAP), and the like. As described above, in one embodiment, the recipient computing device may request a third-party authentication node (third-party authentication server) to authenticate the sending computing device for a secure digital voice communication channel establishment. For example, when a challenge-response authentication protocol is utilized, the recipient computing device may obtain a challenge for the sending computing device from the third-party authentication server and forward the response received from the sending computing device to the third-party authentication server. The third-party authentication server may verify the response against the challenge and subsequently send the result of the verification. If it is determined that the response corresponds to the challenge, the third-party authentication server will send a confirmation of authentication. Otherwise, the third-party authentication server will send a notification of authentication failure. Likewise, the recipient computing device may be authenticated for a secure digital voice communication channel. The recipient computing device may provide the required authentication information to the sending computing device, which will authenticate the recipient computing device.
At block 912, upon authentication based on the mutually agreed authentication protocol, a secure digital voice communication channel is established between the recipient computing device and the sending computing device. The sending computing device and the recipient computing device may start exchanging a conversation including contextual, voice, and/or media information over the secured digital voice communication channel. The routine 900 terminates at block 914.
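Blocks 906 through 912 of routine 900, and the capability-disparity rule stated earlier for the connection set-up phase, as an added example that is not code from the patent: the sender's capabilities and the recipient's policy are exchanged as contextual information, a mutually supported protocol is chosen, the recipient's credential requirement is eased only for a previously connected client, and the call initiation is rejected when the disparity cannot be resolved. The protocol preference order, the credential type names, the policy fields and the `verify` callback standing in for block 910 are assumptions.

```python
from dataclasses import dataclass

# Order in which a device prefers the mutually supported protocols (assumed).
PROTOCOL_PREFERENCE = ("EAP", "CHAP", "PAP")


@dataclass(frozen=True)
class AuthCapabilities:
    """Contextual information the sending device offers at set-up (block 906)."""
    protocols: frozenset      # authentication protocols the device supports
    credentials: frozenset    # credential types it can supply, e.g. "password"


@dataclass(frozen=True)
class RecipientPolicy:
    """What the recipient demands before accepting the call initiation signal."""
    protocols: frozenset
    required_credentials: frozenset   # demanded from a first-time caller
    relaxed_credentials: frozenset    # accepted from a previously connected client


def _prefer(protocols):
    """Pick the most preferred protocol; unknown ones sort last."""
    rank = {p: i for i, p in enumerate(PROTOCOL_PREFERENCE)}
    return sorted(protocols, key=lambda p: (rank.get(p, len(rank)), p))[0]


def negotiate(sender, policy, previously_established=False):
    """Blocks 906-908: resolve capability disparities.

    Returns a dict with 'accepted', the agreed 'protocol' and 'credentials'
    when the disparity is resolved, plus a transcript of the exchange."""
    transcript = [("sender->recipient", "capabilities",
                   sorted(sender.protocols), sorted(sender.credentials))]
    common = sender.protocols & policy.protocols
    if not common:
        transcript.append(("recipient->sender", "reject", "no common protocol"))
        return {"accepted": False, "transcript": transcript}

    required = policy.required_credentials
    if not required <= sender.credentials:
        transcript.append(("recipient->sender", "require", sorted(required)))
        if previously_established and policy.relaxed_credentials <= sender.credentials:
            required = policy.relaxed_credentials   # ease for a known client
            transcript.append(("recipient->sender", "ease", sorted(required)))
        else:
            transcript.append(("recipient->sender", "reject",
                               "insufficient authentication information"))
            return {"accepted": False, "transcript": transcript}

    protocol = _prefer(common)
    transcript.append(("recipient->sender", "agree", protocol, sorted(required)))
    return {"accepted": True, "protocol": protocol,
            "credentials": frozenset(required), "transcript": transcript}


def establish_channel(sender, policy, verify, previously_established=False):
    """Routine 900 end to end. `verify(protocol, credential_types)` stands in
    for block 910 and returns True when the sender authenticates."""
    outcome = negotiate(sender, policy, previously_established)
    if not outcome["accepted"]:
        return "rejected"                      # block 908 failed
    if not verify(outcome["protocol"], outcome["credentials"]):
        return "authentication-failed"         # block 910 failed
    return "established"                       # block 912


# Constructed sample parties.
SENDER = AuthCapabilities(frozenset({"CHAP", "PAP"}), frozenset({"password"}))
BANK = RecipientPolicy(frozenset({"EAP", "CHAP"}),
                       required_credentials=frozenset({"password", "fingerprint"}),
                       relaxed_credentials=frozenset({"password"}))
```

The transcript records each step as the contextual message that carried it, which is the natural place to hook logging: a run of rejections for "insufficient authentication information" from one sender is a signal a recipient's operators would want to see.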
It is to be understood that the embodiments explained in conjunction with the routine 900 are provided merely for example purposes. It is contemplated that the routine 900 can also be performed by the device of a sending client, a service provider, or a third-party service provider that is capable of receiving contextual information and has authority or delegation to authenticate a digital voice communication channel. It is contemplated that the authentication can be done via an online third-party authentication server, via exchange of credentials obtained from an offline third-party authentication server, or the like.
For the purpose of discussion, assume a scenario where an authenticatee client has two types of bank accounts, one for personal and one for business, with a particular bank. The authenticatee client has established a secure digital voice communication channel with an authenticator client (e.g., a bank teller, an Interactive Voice Response System (IVRS), etc., of the particular bank) for banking services on its personal accounts. During a conversation, the authenticatee client requests to see a previous bank statement belonging to its business account. However, the particular bank maintains different levels of authentication for personal and business accounts. For example, the bank may require different authentication protocols and different credentials for granting access to business accounts. Thus, the request to see the previous bank statement of its business account may trigger a new authentication process. In one embodiment, the authenticator client may reuse previously obtained authentication information or contextual information for this authentication process. In one embodiment, the authenticator client may request additional information (e.g., digital signature, user biometrics information, etc.) required to validate the authenticatee client to access the business account. The authenticatee client may collect the additional information accordingly and provide the collected information as part of the contextual information over the digital voice communication channel. The authenticator client validates the authenticatee client with the additional information and/or the previously obtained contextual information. Upon authentication, the authenticatee client can access its business account over the digital voice communication channel while the authenticatee client and the authenticator client continue conversation on the personal account. 
If the authentication fails, the authenticatee client may be notified about the failure and be asked for proper additional information. Upon receipt of the additional information, the authenticator may perform the authentication process one more time.
Beginning at block 1002, the authenticator client may monitor for any events which may trigger a new authentication process while the devices of the authenticator client and the authenticatee client are exchanging data packets relating to a conversation. At block 1004, the authenticator client may detect at least one event (authenticator trigger event) which may trigger a new authentication process. In one embodiment, the authenticatee client may request a secured service which requires a different level of authentication from the previous authentication over the digital voice communication channel. For example, the authenticatee client may request to access a secured database of the authenticator client to which only a few individual users are allowed access. In this example, the authenticator client may need extra information such as an individual user's biometric information, credentials from a trusted third party, or the like. In one embodiment, the authentication protocol employed for a particular service may require new authentication periodically. After a predetermined period, the existing authentication may expire, which will generate an event that triggers a new authentication process.
At block 1006, for each detected triggering event, its corresponding authentication protocol may be determined. Contextual information relating to authentication may be obtained. The contextual information may include the necessary authentication information which the secured service may require for authentication. For example, the contextual information may include authentication protocol information, authentication capabilities, and the like. In an alternative embodiment, a digital watermark in the voice signals may be used as a vehicle to exchange authentication information between the authenticatee client and the authenticator client when the device of the authenticatee client is not capable of generating or transmitting contextual data packets. At block 1008, the obtained contextual information (authentication packets) may be transmitted to the authenticatee client to further the authentication process. Likewise, the authenticatee client may collect contextual information relating to a response to the authenticator client's contextual information and send the collected contextual information to the authenticator client. It is to be understood that, based on the authentication protocol, different contextual information will be collected or generated. At block 1010, the authenticator performs the authentication process. In one embodiment, the authenticator client may request a third-party authentication server to perform the authentication process for the secured service. For example, the authenticator client may request a third-party authentication server to confirm authentication of the authenticatee's response. The received authenticatee client's contextual information may be processed and forwarded to a third-party authentication server. At block 1012, upon authentication (or receiving a confirmation from the third-party authentication server), the authenticator client may grant the authenticatee access to the secured service. The routine 1000 terminates at block 1014.
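Routine 1000 and the banking scenario that precedes it, as an added example (not code from the patent): the authenticator watches for trigger events (a request for a service that needs a higher level of authentication, or expiry of an earlier authentication), asks the authenticatee only for the credential types it has not already verified, hands the presented credentials to a third-party server for confirmation, and grants or denies the service while the conversation channel stays open throughout. The service names, credential type names, the authentication lifetime and the direct credential comparison in the server (the text leaves the protocol open) are assumptions.

```python
import hmac
import time

# Credential types each secured service demands (constructed for this example).
SERVICE_REQUIREMENTS = {
    "personal-account": frozenset({"password"}),
    "business-account": frozenset({"password", "digital-signature"}),
}
AUTH_LIFETIME = 300.0   # seconds an authentication stays valid (assumed value)


class ThirdPartyAuthServer:
    """Holds reference credentials and confirms or denies each presented one."""

    def __init__(self, reference):
        self._reference = reference   # (client id, credential type) -> expected bytes

    def confirm(self, client_id, credential_type, presented):
        expected = self._reference.get((client_id, credential_type))
        if expected is None or presented is None:
            return False
        return hmac.compare_digest(expected, presented)


class AuthenticateeClient:
    def __init__(self, client_id, credentials):
        self.client_id = client_id
        self._credentials = dict(credentials)   # credential type -> value

    def add_credential(self, credential_type, value):
        """The client collects extra information (e.g. a signature) on request."""
        self._credentials[credential_type] = value

    def collect(self, request):
        """Block 1008: answer the authenticator's request with contextual information."""
        return {c: self._credentials.get(c) for c in request["required"]}


class AuthenticatorClient:
    def __init__(self, server, clock=time.monotonic):
        self._server = server
        self._clock = clock
        self._verified = {}        # credential type -> expiry time
        self.channel_open = True   # never closed by an authentication step
        self.postponed = []        # partial successes kept for post-authentication

    def trigger_events(self, service):
        """Blocks 1002-1004: expired authentications and requests needing more."""
        now = self._clock()
        events = []
        for ctype, expiry in list(self._verified.items()):
            if expiry <= now:
                del self._verified[ctype]
                events.append(("expired", ctype))
        missing = SERVICE_REQUIREMENTS[service] - set(self._verified)
        if missing:
            events.append(("service-request", service, frozenset(missing)))
        return events

    def handle_request(self, authenticatee, service):
        """Blocks 1006-1012 for one service request over the open channel."""
        events = self.trigger_events(service)
        needed = set().union(*(e[2] for e in events if e[0] == "service-request"))
        if not needed:
            return "granted"          # previously obtained authentication reused
        request = {"hierarchy": "urn:example:auth:request",
                   "service": service, "required": sorted(needed)}   # block 1006
        presented = authenticatee.collect(request)                   # block 1008
        failed = [c for c in sorted(needed)                          # block 1010
                  if not self._server.confirm(authenticatee.client_id, c, presented[c])]
        now = self._clock()
        for c in needed - set(failed):
            self._verified[c] = now + AUTH_LIFETIME
        if failed:
            self.postponed.append((authenticatee.client_id, service, failed))
            return "denied"           # channel stays open; caller may be asked again
        return "granted"              # block 1012


def run_session():
    """Personal account, then business account, then re-authentication on expiry."""
    clock = [1000.0]
    server = ThirdPartyAuthServer({("alice", "password"): b"pw-1",
                                   ("alice", "digital-signature"): b"sig-1"})
    authenticator = AuthenticatorClient(server, clock=lambda: clock[0])
    alice = AuthenticateeClient("alice", {"password": b"pw-1"})
    results = [authenticator.handle_request(alice, "personal-account"),
               authenticator.handle_request(alice, "business-account")]
    alice.add_credential("digital-signature", b"sig-1")
    results.append(authenticator.handle_request(alice, "business-account"))
    clock[0] += AUTH_LIFETIME + 1                       # earlier authentication expires
    events = authenticator.trigger_events("personal-account")
    results.append(authenticator.handle_request(alice, "personal-account"))
    return results, authenticator.channel_open, [e[0] for e in events]
```

The second request is denied because only the signature is missing, yet the password verification from the first request is kept and reused once the signature arrives; after the lifetime passes both verifications expire and the next request triggers a fresh authentication, all without the channel ever being torn down.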
It is to be understood that the embodiments explained in conjunction with the routine 1000 are provided merely for example purposes. It is contemplated that the routine 1000 can also be performed by the authenticatee client, a service provider, or a third-party service provider that is capable of receiving contextual information and has authority or delegation to authenticate a digital voice communication channel. It is further contemplated that the authentication can be done via an online third-party authentication server, via exchange of credentials obtained from an offline third-party authentication server, or the like.
In one embodiment, the authenticator client may be capable of performing a post-authentication process once the authenticatee client has been authenticated for at least one level of authentication but failed to be authenticated for another level of authentication. In this embodiment, contextual information relating to the authentication may be stored on the authenticator client for future authentication processes. Upon post-authentication, the authenticatee client may be granted access to the service at a later time. In another embodiment, the authenticator client may be capable of performing a post-authentication process on a batch of requests from several authenticatee clients.
While illustrative embodiments have been illustrated and described, it will be appreciated that various changes can be made therein without departing from the spirit and scope of the invention.