The present invention relates generally to providing enhanced security for Internet telephony calls and more particularly to providing a secure connection for Voice Over IP (VoIP) calls using the H.323 protocol.
The Internet explosion has spawned new means of data, voice, and video communication and Internet Protocol (IP) telephony is a fast developing field of telecommunications. The Internet, however, is faced with two significant obstacles to fast secure communications. The first obstacle is usable bandwidth. Bandwidth affects the rate at which data can be transferred. The second obstacle pertains to security. The Internet is not a direct point-to-point connection between computers. Rather, it is a network to which computers (or other devices) can connect for the purpose of communicating with one another. As such, there is increased opportunity for eavesdropping on data, voice, or video transmissions over the Internet. One method of enhancing the security of Internet based communications is to encrypt the data being transmitted before sending it out over the network and de-encrypting the data once it is received by the far end device.
The present invention addresses security issues with respect to Voice Over IP (VoIP) telephone calls. Currently, a call signaling channel is secured by using either a Transport Layer Security (TLS), a Secure Sockets Layer (SSL), or an IP Security Protocol (IPSec) on a secure well known port. These approaches, however, suffer from delays in call setup time, complex handshaking procedures, and significant protocol overhead. Moreover, current H.323 VoIP implementations do not prevent signaling information from being viewed by unscrupulous computer hackers on the IP network used for VoIP calls. For instance, when a SETUP message is sent over the IP network using H.323,the calling name and calling number is visible to sniffers or other such tools used on the Internet. What is needed is a method that increases security, simplifies VoIP handshaking procedures, and reduces call setup time without adding significant protocol overhead.
The present invention calls for an originating H.323 gateway to send a Secure Registration Request (SRR) message to a far end H.323 gateway prior to sending the SETUP message. An SRR message includes information requesting a secure connection as well as other parameters such as, for instance, a sender""s digital certificate and an encryption algorithm. The far end H.323 gateway can either accept the SRR via a Secure Connection Confirm (SCF) message or reject the SRR via a Secure Connection Reject (SCR) message. Once an SCF message is returned, all further communication between the H.323 gateways is encrypted using a public key and encryption method specified in the SRR message. The advantages of the present invention include simplicity of use and lower call setup time than TSL, SSL, or IPSec.
In accordance with a first embodiment of the invention is a method of providing secure signaling connections for packet data network telephony calls. A secure registration request message containing an encryption technique and public key is sent from an originating gateway over a packet data network to a terminating gateway. The terminating gateway returns a secure confirmation message containing a digital certificate over the packet data network to the originating gateway. Once registered, further communication between the gateways is encrypted over the packet data network using the public key and encryption technique specified in the secure registration request message.
Other aspects and features of the present invention will become apparent to those ordinarily skilled in the art upon review of the following description of specific embodiments of the invention in conjunction with the accompanying figures.