
US-12621357-B2 - Methods and apparatus to preserve original attestation/signature information for diverted calls


Abstract

Communications methods and apparatus for preserving STIR/SHAKEN original attestation/signature information for diverted Session Initiation Protocol (SIP) messages and/or calls. An exemplary method embodiment includes the steps of: receiving, at a first Session Border Controller (SBC), a diverted SIP INVITE message corresponding to a first call, the diverted SIP INVITE message not including an Identity header; obtaining an original Identity header, or information from the original Identity header, corresponding to the first call using one or more of the following: information included in the diverted SIP INVITE message, information included in a Session Description Protocol message included in the diverted SIP INVITE message, an SBC trunk group, or the source Internet Protocol (IP) address and/or transport protocol port of the IP packet carrying the diverted SIP INVITE message; and generating an Identity header based on the original Identity header or the information from the original Identity header.

Inventors

  • Tolga Asveren
  • Pradeep Bala

Assignees

  • RIBBON COMMUNICATIONS OPERATING COMPANY, INC.

Dates

Publication Date
2026-05-05
Application Date
2023-06-26
Priority Date
2019-12-27

Claims (20)

  1. A communications method comprising: encrypting, at a first Session Border Controller (SBC), an original Identity header or attestation information from the original Identity header corresponding to a first call; placing, by the first SBC, the encrypted original Identity header or the encrypted attestation information from the original Identity header corresponding to the first call in a proprietary parameter of a Session Initiation Protocol (SIP) INVITE message; communicating, from the first SBC, the SIP INVITE message to an endpoint device; subsequent to said communicating, from the first SBC, the SIP INVITE message to the endpoint device, receiving, at a second SBC, a diverted SIP INVITE message corresponding to the first call, said diverted SIP INVITE message not including an Identity header; obtaining the original Identity header or the attestation information from the original Identity header corresponding to the first call from information included in the diverted SIP INVITE message; and generating an Identity header based on the original Identity header or the attestation information from the original Identity header corresponding to the first call obtained from the information included in the diverted SIP INVITE message; and wherein said original Identity header is a SIP Identity header which includes: originating identity of the first call, destination information for the first call, and said attestation information; and wherein at least some of the information included in the SIP Identity header has been digitally signed or encrypted.
  2. The communications method of claim 1, wherein said information included in the diverted SIP INVITE message includes the encrypted original Identity header or the encrypted attestation information from the original Identity header corresponding to the first call.
  3. The communications method of claim 1, wherein said generated Identity header is generated based on information contained in the original Identity header, said information contained in the original Identity header being said attestation information, said attestation information being an attestation level indicating a specific level of confidence in the correctness of the originating identity of the first call; and wherein said generated Identity header includes the same originating identity for the first call and the same attestation level which is included in the original Identity header.
  4. The communications method of claim 1, wherein the original Identity header or the attestation information from the original Identity header corresponding to the first call is encrypted by the first SBC using a shared key known to the second SBC.
  5. The communications method of claim 1, wherein said Identity header not included in the diverted SIP INVITE message, said original Identity header, and said generated Identity header are SIP Identity headers including a Secure Handling of Asserted information using toKENS (SHAKEN) Personal ASSertion Token (PASSporT).
  6. A communications system comprising: a first Session Border Controller (SBC) including: memory; one or more Input/Output Interfaces; and a first processor, said first processor controlling the first SBC to perform the following operations: encrypting an original Identity header or attestation information from the original Identity header corresponding to a first call; placing the encrypted original Identity header or the encrypted attestation information from the original Identity header corresponding to the first call in a proprietary parameter of a Session Initiation Protocol (SIP) INVITE message; and communicating the SIP INVITE message to an endpoint device; and a second SBC including: memory; one or more Input/Output Interfaces; and a second processor, said second processor controlling the second SBC to perform the following operations: receiving, at the second SBC, a diverted SIP INVITE message corresponding to the first call subsequent to the first SBC communicating the SIP INVITE message to the endpoint device, said diverted SIP INVITE message not including an Identity header; obtaining the original Identity header or the attestation information from the original Identity header corresponding to the first call from information included in the diverted SIP INVITE message; and generating an Identity header based on the original Identity header or the attestation information from the original Identity header corresponding to the first call obtained from the information included in the diverted SIP INVITE message; and wherein said original Identity header is a SIP Identity header which includes: originating identity of the first call, destination information for the first call, and said attestation information; and wherein at least some of the information included in the SIP Identity header has been digitally signed or encrypted.
  7. The communications system of claim 6, wherein said information included in the diverted SIP INVITE message includes the encrypted original Identity header or the encrypted attestation information from the original Identity header corresponding to the first call.
  8. The communications system of claim 6, wherein said generated Identity header is generated based on information contained in the original Identity header, said information contained in the original Identity header being said attestation information, said attestation information being an attestation level indicating a specific level of confidence in the correctness of the originating identity of the first call; and wherein said generated Identity header includes the same originating identity for the first call and the same attestation level which is included in the original Identity header.
  9. The communications system of claim 6, wherein the original Identity header or the attestation information from the original Identity header corresponding to the first call is encrypted by the first SBC using a shared key known to the second SBC.
  10. A non-transitory machine readable medium including first processor executable instructions and second processor executable instructions, said first processor executable instructions when executed by a processor of a first Session Border Controller (SBC) controls the first SBC to: encrypt an original Identity header or attestation information from the original Identity header corresponding to a first call; place the encrypted original Identity header or the encrypted attestation information from the original Identity header corresponding to the first call in a proprietary parameter of a Session Initiation Protocol (SIP) INVITE message; and communicate the SIP INVITE message to an endpoint device; and wherein said second processor executable instructions when executed by a processor of a second SBC controls the second SBC to: receive, at the second SBC, a diverted Session Initiation Protocol (SIP) SIP INVITE message corresponding to the first call subsequent to the first SBC communicating the SIP INVITE message to the endpoint device, said diverted SIP INVITE message not including an Identity header; obtain the original Identity header or the attestation information from the original Identity header corresponding to the first call from information included in the diverted SIP INVITE message; and generate an Identity header based on the original Identity header or the attestation information from the original identity header corresponding to the first call obtained from the information included in the diverted SIP INVITE message; and wherein said original Identity header is a SIP Identity header which includes: originating identity of the first call, destination information for the first call, and said attestation information; and wherein at least some of the information included in the SIP Identity header has been digitally signed or encrypted.
  11. The method of claim 1, wherein said first SBC and said second SBC are the same SBC.
  12. The method of claim 1, wherein the endpoint device is an Internet Protocol-Private Branch Exchange (IP-PBX).
  13. The method of claim 1, wherein the first SBC, the second SBC, and the endpoint device are part of a first service provider network; wherein the diverted SIP INVITE message received at the second SBC is received from the endpoint device, said diverted SIP INVITE message having been generated by the endpoint device based on the SIP INVITE message communicated to the endpoint device from the first SBC; and wherein said diverted SIP INVITE message includes: (i) the proprietary parameter in which the encrypted original Identity header or the encrypted attestation information from the original Identity header corresponding to the first call was placed by the first SBC, and (ii) a To header including a destination address located in a second service provider network.
  14. The method of claim 13, further comprising: generating, by the second SBC, a second diverted SIP INVITE message based on the received diverted SIP INVITE message, said second diverted SIP INVITE message including the generated Identity header; and communicating, by the second SBC, the second diverted SIP INVITE message to the destination address located in the second service provider network.
  15. The method of claim 14, further comprising: generating, by the first SBC, the SIP INVITE message communicated to the endpoint device based on a SIP INVITE message received by the first SBC from a third service provider network, said SIP INVITE message received from the third service provider network including the original Identity header.
  16. The communications system of claim 6, wherein said first SBC and said second SBC are the same SBC.
  17. The communications system of claim 6, wherein the endpoint device is an Internet Protocol-Private Branch Exchange (IP-PBX).
  18. The communications system of claim 6, wherein the first SBC, the second SBC, and the endpoint device are part of a first service provider network; wherein the diverted SIP INVITE message received at the second SBC is received from the endpoint device, said diverted SIP INVITE message having been generated by the endpoint device based on the SIP INVITE message communicated to the endpoint device from the first SBC; and wherein said diverted SIP INVITE message includes: (i) the proprietary parameter in which the encrypted original Identity header or the encrypted attestation information from the original Identity header corresponding to the first call was placed by the first SBC, and (ii) a To header including a destination address located in a second service provider network.
  19. The communications system of claim 18, wherein the second processor further controls the second SBC to perform the following additional operations: generating, by the second SBC, a second diverted SIP INVITE message based on the received diverted SIP INVITE message, said second diverted SIP INVITE message including the generated Identity header; and communicating, by the second SBC, the second diverted SIP INVITE message to the destination address located in the second service provider network.
  20. The communications system of claim 6, wherein said Identity header not included in the diverted SIP INVITE message, said original Identity header, and said generated Identity header are SIP Identity headers including a Secure Handling of Asserted information using toKENS (SHAKEN) Personal ASSertion Token (PASSporT).

Description

RELATED APPLICATION

The present application is a continuation of U.S. patent application Ser. No. 17/134,325, which was filed on Dec. 26, 2020 and published as United States Patent Application Publication Number US 2021-0203700 A1 on Jul. 1, 2021, and which claims the benefit of Indian Provisional Patent Application Serial Number 201941054108, filed on Dec. 27, 2019. Each of the foregoing patent applications and publications is hereby expressly incorporated by reference in its entirety.

FIELD OF INVENTION

The present invention relates to systems, apparatus and methods for preserving original attestation/signature information for diverted Session Initiation Protocol (SIP) messages and/or calls.

BACKGROUND OF THE INVENTION

Providing secure, high-fidelity calling party information is important for various services, e.g., voice calls. This information may be, and sometimes is, used by end user devices and/or end users to accept or reject calls, and by core network elements/devices to classify a session or call as a robocall or for further analysis to determine robocall determination criteria. STIR (Secure Telephone Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) are telecommunications industry standards designed to enable service providers to cryptographically sign calls in the SIP header. STIR/SHAKEN provides a way for the calling party information to be securely transferred through several hops (network equipment devices, e.g., routers). This is achieved by using a SIP Identity header with a shaken claim set. The claim set includes calling/called party information and is accompanied by a signature generated by the service operator which has authenticated the calling party.

An Identity (shaken) header is valid for a calling party/called party pair, and any change in the respective SIP header fields, e.g., the From, To or Request-URI header fields, would cause the signature verification to fail. Call diversion is a common scenario in communication networks where the called party forwards the call to another party. This changes the Request-URI of the SIP INVITE while the To and From header fields stay intact. There is a need to provide fidelity for this operation as well, and that is provided with Identity (div). A div claim includes information about this diversion process by including the original calling/called party information as well as the new target. Verification is performed on an Identity (shaken) and one or more Identity (div) headers to make sure that the claims add up to a complete chain from the original calling/called party to the final target. There could be multiple Identity (div) headers if the call is diverted several times. During the diversion process, the role of Identity (shaken) as the starting anchor is critical. The Identity header is usually not provided to endpoint devices, e.g., phones, enterprise IP-PBXs, tablets, computers, mobile devices, etc., and it is more likely than not that the Identity header won't be reflected back for the diverted call. This causes operators, e.g., service operators, of the diverting entity, e.g., network equipment devices, to fabricate or generate an Identity (shaken) with a low attestation value even if the original Identity (shaken) was at the highest attestation level. The attestation level provides the degree of fidelity or trustworthiness. This corresponds to the [1], [4], [5] path shown in diagram 100 of FIG. 1 for the diverted SIP INVITE message. This is not an ideal situation, as the original attestation level is lost.

In FIG. 1, SP-a refers to Service Provider A, SP-b refers to Service Provider B and SP-c 104 refers to Service Provider C. SP-c 104 includes retargeting In-Network Application Server 108, Retargeting End User Device 1 110, Retargeting End-User Device 2 112, and STI-AS (STI authentication server) 114. In FIG. 1, TN refers to telephone number, with TN-a being the telephone number corresponding to the endpoint device from which the SIP INVITE message originated, TN-b the telephone number of the endpoint device to which the SIP INVITE message was sent, and TN-c the telephone number of the endpoint device to which the SIP INVITE message was diverted. In the [1], [4], [5] path of FIG. 1, at path point [1] the SIP INVITE TN-b message is received by a Session Border Controller (SBC) 1 located in the Service Provider B network from a network device in the Service Provider A network. The Request-URI content for the SIP INVITE request received at path point [1] is “TN-b”. The To header content is “TN-b”, the From header content is “TN-a” and the Identity header content is “shaken PASSporT{attest=full, orig/dest=a/b}”. The Identity header content being generated and inserted into the message by a network equipment device
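The diversion flow of FIG. 1 together with the recovery step the claims describe, as an added example written for this page; it is not code from the patent or from Ribbon Communications. It follows claim 3 (the second SBC re-signs a shaken PASSporT carrying the original caller and the original attestation level) and then appends a div PASSporT for TN-b to TN-c, so that a downstream verifier can walk the shaken-plus-div chain the background describes. Everything the patent does not specify is an assumption: HMAC-SHA256 stands in for the ES256 signatures RFC 8225 requires, with one key standing in for every provider's STI-AS; the shared-key wrapper is an HMAC-keystream encrypt-then-MAC standing in for an AEAD such as AES-GCM; "P-Orig-Identity" is a made-up name for the proprietary parameter; the IP-PBX is modelled as copying that parameter into its diverted INVITE (claim 13) while never reflecting the Identity header; telephone numbers, keys and timestamps are constructed. The attestation letters A and C are SHAKEN's full and gateway levels, where FIG. 1 writes attest=full. Three misbehaving-PBX cases (parameter dropped, one ciphertext character altered, a parameter replayed from a different call) all degrade to attest C, which is the check the second SBC has to make before trusting anything an endpoint hands back.

```python
import base64, hashlib, hmac, json, os

STI_KEY = b"sti-as-demo-key"           # constructed; one HMAC key stands in for every SP's STI-AS
SBC_SHARED_KEY = b"sbc1-sbc2-shared"   # constructed; key shared by the two SBCs (claim 4)
ORIG_ID_HDR = "P-Orig-Identity"        # hypothetical name for the proprietary parameter
TN_A, TN_B, TN_C, TN_D = "12155550100", "12155550200", "12155550300", "12155550400"  # constructed
IAT = 1_700_000_000                    # constructed issue time for every PASSporT

def b64u(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_passport(ppt, claims, key=STI_KEY):
    """Compact PASSporT (RFC 8225); HMAC-SHA256 stands in for the ES256 signature."""
    hdr = {"alg": "HS256", "ppt": ppt, "typ": "passport", "x5u": "https://cr.example/sp.crt"}
    body = ".".join(b64u(json.dumps(x, separators=(",", ":")).encode()) for x in (hdr, claims))
    return body + "." + b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())

def identity_value(passport, ppt):
    """Identity header field value: PASSporT plus info/alg/ppt parameters (RFC 8224)."""
    return f"{passport};info=<https://cr.example/sp.crt>;alg=HS256;ppt={ppt}"

def verify_passport(identity, key=STI_KEY):
    """Claims of a verified Identity value, with the header's ppt folded in as '_ppt'."""
    h, p, s = identity.split(";")[0].split(".")
    if not hmac.compare_digest(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest(), b64u_dec(s)):
        raise ValueError("PASSporT signature invalid")
    return {**json.loads(b64u_dec(p)), "_ppt": json.loads(b64u_dec(h))["ppt"]}

def verify_chain(identities, request_uri_tn, key=STI_KEY):
    """Walk shaken -> div -> ... -> Request-URI (RFC 8946) and return the anchor's attest."""
    claims = [verify_passport(v, key) for v in identities]
    anchors = [c for c in claims if c["_ppt"] == "shaken"]
    if len(anchors) != 1:
        raise ValueError("exactly one shaken PASSporT must anchor the chain")
    orig, target = anchors[0]["orig"]["tn"], anchors[0]["dest"]["tn"][0]
    divs = [c for c in claims if c["_ppt"] == "div"]
    while divs:   # each div must leave the current target and keep the original caller
        step = [d for d in divs if d["div"]["tn"] == target and d["orig"]["tn"] == orig]
        if len(step) != 1:
            raise ValueError(f"diversion chain broken at {target}")
        target, divs = step[0]["dest"]["tn"][0], [d for d in divs if d is not step[0]]
    if target != request_uri_tn:
        raise ValueError(f"chain ends at {target} but Request-URI is {request_uri_tn}")
    return anchors[0]["attest"]

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(-(-n // 32)))

def wrap(plain, key=SBC_SHARED_KEY):
    """Encrypt-then-MAC (nonce | ciphertext | tag); an HMAC keystream stands in for AES-GCM."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return b64u(nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest())

def unwrap(token, key=SBC_SHARED_KEY):
    raw = b64u_dec(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("proprietary parameter forged, altered or wrapped under another key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def sbc1_toward_pbx(invite):
    """SBC 1 (SP-B ingress): verify the chain, withhold Identity from the endpoint, carry it wrapped."""
    verify_chain(invite["Identity"], invite["request_uri"])
    out = {k: v for k, v in invite.items() if k != "Identity"}
    out[ORIG_ID_HDR] = wrap(invite["Identity"][0].encode())
    return out

def sbc2_from_pbx(diverted):
    """SBC 2 (SP-B egress): re-sign with the original attest if the parameter is intact and
    belongs to this caller/callee pair (claim 3); otherwise only gateway attestation 'C'."""
    frm, to, target = diverted["From"], diverted["To"], diverted["request_uri"]
    try:
        orig_claims = verify_passport(unwrap(diverted[ORIG_ID_HDR]).decode())
        if orig_claims["orig"]["tn"] != frm or orig_claims["dest"]["tn"] != [to]:
            raise ValueError("recovered attestation is for a different caller/callee pair")
        attest = orig_claims["attest"]
    except (KeyError, ValueError):
        attest = "C"
    shaken = make_passport("shaken", {"attest": attest, "orig": {"tn": frm}, "dest": {"tn": [to]}, "iat": IAT, "origid": "sp-b-demo"})
    div = make_passport("div", {"orig": {"tn": frm}, "dest": {"tn": [target]}, "div": {"tn": to}, "iat": IAT})
    return {**{k: v for k, v in diverted.items() if k != ORIG_ID_HDR},
            "Identity": [identity_value(shaken, "shaken"), identity_value(div, "div")]}

def originating_invite(orig_tn):
    """Constructed INVITE as SBC 1 receives it from SP-A: full ('A') attestation for orig_tn -> TN-b."""
    shaken = make_passport("shaken", {"attest": "A", "orig": {"tn": orig_tn}, "dest": {"tn": [TN_B]}, "iat": IAT, "origid": "sp-a-demo"})
    return {"request_uri": TN_B, "From": orig_tn, "To": TN_B, "Identity": [identity_value(shaken, "shaken")]}

def demo(pbx="copies"):
    """SP-A -> SBC 1 -> IP-PBX (TN-b forwards to TN-c) -> SBC 2 -> SP-C's verifier; returns attest."""
    d = {**sbc1_toward_pbx(originating_invite(TN_A)), "request_uri": TN_C}   # constructed PBX diversion
    if pbx == "drops":      # parameter not reflected: nothing to anchor on
        d.pop(ORIG_ID_HDR)
    elif pbx == "tampers":  # one ciphertext character changed: the tag no longer verifies
        d[ORIG_ID_HDR] = d[ORIG_ID_HDR][:40] + ("B" if d[ORIG_ID_HDR][40] == "A" else "A") + d[ORIG_ID_HDR][41:]
    elif pbx == "replays":  # parameter lifted from a TN-d -> TN-b call: caller mismatch
        d[ORIG_ID_HDR] = sbc1_toward_pbx(originating_invite(TN_D))[ORIG_ID_HDR]
    egress = sbc2_from_pbx(d)
    return verify_chain(egress["Identity"], egress["request_uri"])
```

Calling demo() returns "A": SP-C's verifier sees the full attestation SP-A asserted, even though the PBX never saw an Identity header. demo("drops"), demo("tampers") and demo("replays") each return "C". The orig/dest cross-check against the diverted INVITE's own From and To is what stops an enterprise from splicing a parameter captured on a different call onto its outbound traffic; a valid signature on the recovered PASSporT alone does not bind it to this call.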