Surveillance implementation in managed VOP networks

US 20050174937A1
Filed: 02/10/2005
Published: 08/11/2005
Est. Priority Date: 02/11/2004
Status: Active Grant

First Claim

Patent Images

1. A method of electronic surveillance in a network comprising the steps of:

analyzing said network, relative to one or a plurality of targeted devices, to identify suitable access points for electronic signal interception based on the system configuration and operation parameters of said network;

operatively connecting suitable interception devices to said network at said suitable access points;

performing productive electronic surveillance by intercepting electronic packet messages via said interception devices, wherein said packet messages comprise one of configuration files, security association messages, call management signals and associated call contents, and wherein said intercepting comprises;

receiving without altering said packet messages, and transmitting replications of said packet messages to suitable processing devices for surveillance processing;

performing surveillance processing of intercepted packet messages to determine additional said suitable access points and the method of decrypting said packet messages.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A procedure for accomplishing surveillance within a managed VoP network when end-user encryption/decryption and NAT are in place. The procedure comprises first analyzing the network from call signaling and message standpoints, leading to the identification of suitable surveillance access points (SAPs) for packet interception. A Delivery Function (DF) facilitated by the network service provider provides the means to intercept (without alteration) and replicate packets transmitted across the SAPs. The packets are then transmitted via the DF for collection within a Collection Function (CF), which is managed by a Law Enforcement Agency (LEA), for analysis by the LEA. This analysis provides, among other benefits, the opportunity to decrypt the intercepted packets and to identify additional suitable SAPs. In demonstrating the procedure, several embodiments of network surveillance models are described. Each one identifies the location of SAPs for that model. In each model, different information is collected and different processes are followed.

140 Citations

20 Claims

1. A method of electronic surveillance in a network comprising the steps of:
- analyzing said network, relative to one or a plurality of targeted devices, to identify suitable access points for electronic signal interception based on the system configuration and operation parameters of said network;
  
  operatively connecting suitable interception devices to said network at said suitable access points;
  
  performing productive electronic surveillance by intercepting electronic packet messages via said interception devices, wherein said packet messages comprise one of configuration files, security association messages, call management signals and associated call contents, and wherein said intercepting comprises;
  
  receiving without altering said packet messages, and transmitting replications of said packet messages to suitable processing devices for surveillance processing;
  
  performing surveillance processing of intercepted packet messages to determine additional said suitable access points and the method of decrypting said packet messages.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein said network comprises a provider-managed, packet-switched, electronic signal transmission facility being utilized in a transport mode by said targeted devices for voice-over-packet (VoP) transmission under conditions of end-to-end encryption by said targeted devices and one of network address translation (NAT) and Dynamic Host Configuration Protocol (DCHP) for mapping private local area network (LAN) addresses to public internet addresses.
  - 3. The method of claim 1 wherein said network comprises a provider-managed, packet-switched, electronic signal transmission facility being utilized in a tunnel mode by said targeted devices for voice-over-packet (VoP) transmission under conditions of end-to-end encryption by said targeted devices and one of network address translation (NAT) and Dynamic Host Configuration Protocol (DCHP) for mapping private local area network (LAN) addresses to public internet addresses.
  - 4. The method of claim 1 wherein said network comprises a provider-managed, packet-switched, electronic signal transmission facility being utilized in a clear mode by said targeted devices for voice-over-packet (VoP) transmission under conditions of no end-to-end encryption by said targeted devices.
  - 5. The method of claim 1 wherein said targeted devices comprise one of end-user internet protocol (IP) telephones, plain old telephone system (POTS) telephones operating through gateways and personal computers transmitting voice-over-packet (VoP) signals across said network via one of a transport mode, tunnel mode and clear mode and which are the object of said electronic surveillance.
  - 6. The method of claim 1 wherein said suitable access points comprise physical locations on said network where said intercepting devices may be operatively connected for the purpose of said productive electronic surveillance.
  - 7. The method of claim 1 wherein said interception devices comprise electronic signal handling devices which are able to:
    - read electronic signals passing by said suitable access points, without alteration of said signals; and
      
      to transmit replications of said signals to said suitable processing device.
  - 8. The method of claim 1 wherein said productive electronic surveillance comprises intercepting said call management signals as security association parameters are being negotiated between a said targeted device and another device during an associated call set-up such that negotiated ports of origination and destination for the transmission of said associated call contents together with the protocol in which said ports are specified may be ascertained from said call management signals.
  - 9. The method of claim 1 wherein said productive electronic surveillance comprises intercepting said packet messages within and with the cooperation of address translation (AT) devices which perform network address translation (NAT), wherever they exist on said network relative to said targeted devices, such that said AT devices are able to provide to said interception devices security keys supplied by said targeted devices to said AT devices for use by said AT devices to decrypt said packet messages, and to provide to said interception devices said targeted devices'"'"' private LAN addresses as translated from their NAT-assigned public internet address.
  - 10. The method of claim 1 wherein said productive electronic surveillance comprises intercepting said packet messages between said target devices and first branch points in said network, wherein said first branch points allow said packet messages to take different paths through said network, wherever “
    - Dynamic Host Configuration Protocol (DHCP)”
      
      is being utilized in lieu of network address translation (NAT) to assign public internet addresses to private local area network (LAN) addresses of said targeted devices.
  - 11. The method of claim 10 wherein said branch points comprise a cable modem termination system (CMTS) when said network is cable-provider based.
  - 12. The method of claim 1 wherein said configuration files comprise one of encryption key certificates and encryption keys and encryption protocols negotiated between said targeted devices and a configuration server created during the start-up stage of said targeted devices.
  - 13. The method of claim 1 wherein said security association messages comprise authentication and encryption keys, protocols and parameters that will be used to encrypt signaling messages as negotiated between call servers and said targeted devices.
  - 14. The method of claim 1 wherein said call management signals comprise electronic messages sent between a said targeted device and one of a network call server and proxy server for the purposes of voice-over-packet (VOP) call set-up, and wherein ports of origination and destination for all pending said associated call contents are identified together with the protocol in which said ports are specified.
  - 15. The method of claim 1 wherein said call management signals comprise electronic media authentication and encryption keys, protocols and methods sent between two said targeted devices through a call server.
  - 16. The method of claim 1 wherein said associated call contents comprise the encrypted voice content of a voice-over-packet (VoP) call for which said call management signals have been generated.
  - 17. The method of claim 1 wherein said security association messages comprise packets sent between two said targeted devices wherein said packets contain private information related to a security association between said two said targeted devices enabling call contents to be exchanged using a specific protocol wherein said private information related to a security association will determine the authentication and encryption keys, protocols and parameters to be used in communication between said two said targeted devices.
  - 18. The method of claim 1 wherein said suitable processing devices are equipped to support a wide variety of transmission protocols, security protocols, encryption methods and their associated parameters.
  - 19. The method of claim 1 wherein said suitable processing devices are equipped with fast processors to perform encryption when said targeted devices are using hardware for encryption.
  - 20. The method of claim 1 wherein said surveillance processing comprises analyzing said packet messages, intercepted during said productive electronic surveillance, wherein said analyzing comprises deciphering for content and meaning for surveillance purposes, said call management signals and said associated call contents for the purposes of obtaining one or a plurality of:
    - the identity of users of said targeted devices;
      
      the location of said targeted devices;
      
      the intended destination of messages sent from said targeted devices;
      
      the origination location of incoming messages to said targeted devices; and
      
      other details of messages sent and received by said targeted devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telogy Networks, Inc. (Texas Instruments, Inc.)
Original Assignee
Telogy Networks, Inc. (Texas Instruments, Inc.)
Inventors
Scoggins, Shwu-Yan Chang, Greenstreet, Debbie E.

Granted Patent

US 7,587,757 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/230
CPC Class Codes

H04L 61/25   of the same type

H04L 63/0428   wherein the data content is...

H04L 63/30   for supporting lawful inter...

H04M 3/2281   Call monitoring, e.g. for l...

H04M 7/006   Networks other than PSTN/IS...

Surveillance implementation in managed VOP networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

140 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Surveillance implementation in managed VOP networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

140 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others