Method and Apparatus for Identifying and Monitoring VOIP Media Plane Security Keys for Service Provider Lawful Intercept Use
First Claim
1. A method of obtaining session information in a network comprising a plurality of end points coupled by at least one network element includes the step of:
- establishing a secure communication channel with a first end-point by the at least one network element;
- forwarding session initiation requests and responses between the first end-point and the second end-point to establish a session for an exchange of media between the first end-point and the second end-point, the session having at least one characteristic;
- retrieving a characteristic of the session from the first end-point using the secure channel; and
- storing the characteristic of the session.
15 Assignments
Abstract
A mechanism is described that enables encrypted end-point communications in a VoIP network to be accessed by a service provider. The mechanism includes a session information retrieval component which gathers session information, such as encryption keys, for each session that traverses a network element. The encryption keys may be used to decrypt data to make it available for lawful interception. A media stream monitoring component monitors media streams and verifies that the identified keys for each session are valid, to ensure continuity in compliance with LI regulations. Advantageously, a security alert component may be used to control further session operation for those sessions identified as potential security risks. With such an arrangement, the service provider can satisfy the legal requirement to provide interception, verify the accuracy of the lawful interception support, and take appropriate steps to handle security risks.
22 Claims
1. A method of obtaining session information in a network comprising a plurality of end points coupled by at least one network element includes the step of:
- establishing a secure communication channel with a first end-point by the at least one network element;
- forwarding session initiation requests and responses between the first end-point and the second end-point to establish a session for an exchange of media between the first end-point and the second end-point, the session having at least one characteristic;
- retrieving a characteristic of the session from the first end-point using the secure channel; and
- storing the characteristic of the session.

View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
16. A network element comprising:
- session sampling logic for periodically sampling media exchanged in a peer-to-peer session between two end-points; and
- analysis logic, coupled to the session sampling logic, for:
  - monitoring media exchanged between the two end-points;
  - determining whether the encryption methods used on the media are known; and
  - marking sessions having unknown encryption methods as potential security risks.

View Dependent Claims (17, 18, 19)
20. A method of maintaining an ability to access end user communications in a network includes the steps of:
- detecting a session between two end-points, the session including a control plane and a media plane;
- storing a key used to encrypt the media plane of the session;
- sampling media data exchanged during the session; and
- decrypting the sampled data using the stored key to determine whether the media plane of the session is accessible.

View Dependent Claims (21, 22)
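The verification loop of claims 16 and 20 (store the session key, sample the media plane, confirm the stored key still decrypts it, and flag sessions whose cipher is unknown) as an added simulation; this is illustrative code, not from the patent, and it uses a constructed HMAC-based toy cipher in place of a real media-plane cipher such as SRTP.

```python
import hmac
import hashlib

# Toy authenticated stream cipher (constructed stand-in for the media-plane cipher).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Endpoint side: encrypt one media packet and append a 16-byte tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(key: bytes, packet: bytes):
    """Return the plaintext, or None when the tag does not verify under this key."""
    if len(packet) < 28:
        return None
    nonce, ct, tag = packet[:12], packet[12:-16], packet[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

KNOWN_METHODS = {"toy-hmac-stream"}   # encryption methods the monitor can decrypt

class MediaPlaneMonitor:
    """Stores per-session keys and classifies sampled media packets."""
    def __init__(self):
        self.sessions = {}        # session id -> {"method": str, "key": bytes}
        self.risks = set()        # sessions marked as potential security risks

    def register(self, session_id: str, method: str, key: bytes) -> None:
        self.sessions[session_id] = {"method": method, "key": key}

    def check_sample(self, session_id: str, packet: bytes) -> str:
        """'accessible' if the stored key decrypts the sample, else a risk label."""
        s = self.sessions.get(session_id)
        if s is None or s["method"] not in KNOWN_METHODS:
            self.risks.add(session_id)
            return "unknown-method"
        if unseal(s["key"], packet) is None:   # e.g. endpoint re-keyed silently
            self.risks.add(session_id)
            return "key-invalid"
        return "accessible"
```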