METHOD AND APPARATUS TO ENABLE LAWFUL INTERCEPT OF ENCRYPTED TRAFFIC

US 20090182668A1
Filed: 12/31/2008
Published: 07/16/2009
Est. Priority Date: 01/11/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method of securing a media stream between first and second endpoints of a packet data network, while still allowing lawful intercept, comprising:

a) endpoints negotiating a media session key for encrypting said media stream;

b) endpoints encrypting said media stream with said media session key to produce an encrypted media stream; and

c) at least one of said endpoints creating and transmitting an encrypted message which contains the media session key encrypted with a first additional key for which the corresponding decryption key is known by a lawful intercept (LI) agency.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are described for communicating the session keys used to encrypt media stream to allow a lawful intercept agency to decrypt the media stream. Assuming the endpoints negotiate the session keys themselves, the send an encrypted format key message which is encrypted with an encryption key for which only the LI agency knows the corresponding decryption key. However, to avoid abuse by the LI agency, or even to avoid the perception that LI agencies can intercept private calls without due process, the media session key is further encrypted with at least one additional key, with the corresponding decryption key(s) being unknown to the LI agency.

34 Citations

View as Search Results

20 Claims

1. A method of securing a media stream between first and second endpoints of a packet data network, while still allowing lawful intercept, comprising:
- a) endpoints negotiating a media session key for encrypting said media stream;
  
  b) endpoints encrypting said media stream with said media session key to produce an encrypted media stream; and
  
  c) at least one of said endpoints creating and transmitting an encrypted message which contains the media session key encrypted with a first additional key for which the corresponding decryption key is known by a lawful intercept (LI) agency.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as claimed in claim 1, wherein step (c) comprises further encrypting said media session key using at least one additional key with a corresponding decryption key not known by said LI agency.
  - 3. The method as claimed in claim 2, wherein said at least one additional key comprises a second additional key, said second additional key having a corresponding second decryption key known by a service provider of at least one of said endpoints, and step (c) comprises encrypting said media session key with each of first and second additional keys such that both said LI agency and said service provider must co-operate by each separately decrypting said encrypted format key message in order to obtain said media stream key.
  - 4. The method as claimed in claim 3, wherein said encrypted format key message is transmitted via a signaling channel.
  - 5. The method as claimed in claim 3, wherein step (c) comprises inserting said encrypted format key message within the payload of a tracer packet and transmitting said tracer packet in the same media plane which carries said media stream.
  - 6. The method as claimed in claim 5, wherein said tracer packet contains additional information useful for proving data integrity of the media stream.
  - 7. The method as claimed in claim 6, wherein, said tracer packet is inserted after every n media stream packets are transmitted within the media plane.
  - 8. The method as claimed in claim 3, wherein said encrypted media stream is stored for subsequent decryption by said LI agency.
  - 9. The method as claimed in claim 3 wherein the end user device for said endpoints is configured to ignore tracer packets in the media stream.
  - 10. The method as claimed in claim 3, wherein said at least one additional key comprises a second additional key, and at least one privacy key, said second additional key having a corresponding second decryption key known by a service provider of at least one of said endpoints, and said at least one privacy key having a corresponding privacy decryption key known only by a privacy agency, and step (c) comprises encrypting said media session key with each of first and second additional keys and said at least one privacy key such that each of said privacy agency, LI agency and said service provider must co-operate by each separately decrypting said encrypted format key message in order to obtain media stream key.
  - 11. The method as claimed in claim 10 wherein said privacy agency is a court appointed agent whose key is needed to prevent unlawful intercept by a LI without a court order

12. A data network multimedia apparatus for transmitting encrypted media while still allowing for lawful intercept (LI) comprising:
- a. a call signaling module for establishing a call with another endpoint;
  
  b. a key negotiation module for negotiating a media session key with said another endpoint;
  
  c. an encryption module for encrypting media traffic with said negotiated media session key;
  
  d. a LI module for creating and transmitting an encrypted message which contains the media session key encrypted with a first additional key for which the corresponding decryption key is known by a lawful intercept (LI) agency.
- View Dependent Claims (13, 14, 15, 16)
- - 13. A data network multimedia apparatus as claimed in claim 12 wherein said LI module comprises an additional key generating module and a media session key encryption module for encoding said media session key in an encrypted format key message using said first additional key.
  - 14. A data network multimedia apparatus as claimed in claim 13wherein said additional key generating module further comprises a database storing said first additional key and a privacy key;
    - wherein said media session key encryption module is configured to encrypt said media session key multiple times sequentially using each of said first additional and privacy keys; and
      
      wherein said privacy key has a corresponding privacy decryption key known by a privacy agency, such that each of said privacy agency and said LI agency must co-operate by each separately decrypting said encrypted format key message in order to obtain media stream key.
  - 15. A data network multimedia apparatus as claimed in claim 13wherein said additional key generating module further comprises a database storing said first additional key, a second additional key and said privacy key;
    - wherein said media session key encryption module is configured to encrypt said media session key multiple times sequentially using each of said first and second additional keys and said privacy key; and
      
      wherein said second additional key has a corresponding second decryption key known only by a service provider for said data network multimedia apparatus, and said privacy key has a corresponding privacy decryption key known only by a privacy agency, such that each of said privacy agency, LI agency and said service provider must co-operate by each separately decrypting said encrypted format key message in order to obtain media stream key.
  - 16. A data network multimedia apparatus as claimed in claim 13 wherein said LI module further comprises a packet generator for inserting said encrypted format key message within the payload of a tracer packet and transmitting said tracer packet in the same media plane which carries said media stream.

17. A Network Intercept Apparatus for intercepting a composite encrypted media stream transmitted via a data network, said composite encrypted media stream including encrypted media stream packets encrypted with a media session key and tracer packets which include an encrypted media session key which is encrypted with an additional key, said apparatus comprising:
- a data network interface which provides a logical and physical interface to the data network;
  
  a target mirroring module which replicates an encrypted media stream targeted for lawful intercept (LI) and separates said tracer packets from said encrypted media stream packets;
  
  a tracer packet processing module which isolates said encrypted media session key from within the tracer packet and performs decryption of the media session key using the additional key and reassembles each tracer packet to include the decrypted media session key; and
  
  a LI Media Stream Packet Processing Module which receives the outputs from both the Tracer Packet Processing Module and the Target Mirroring Module and re-inserts the reassembled tracer packets within the replicated encrypted media stream.
- View Dependent Claims (18, 19, 20)
- - 18. A Network Intercept apparatus as claimed in claim 17 wherein said encrypted media session key is encrypted with at least one further key, and said tracer packet module only partially decrypts said media session key with said additional key to produce a partially decrypted media session key which is still partially encrypted with said at least one further key.
  - 19. A Network Intercept apparatus as claimed in claim 18 wherein said at least one further key is a key for which an LI agency possesses a corresponding decryption key, and wherein said LI Media Stream Packet Processing changes the IP address of all packets in the replicated encrypted media stream to route the replicated encrypted media stream to said LI agency.
  - 20. A Network Intercept apparatus as claimed in claim 19, wherein said Network Intercept apparatus forms part of a carrier edge router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Clearinghouse LLC (RPX Corporation)
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
LEE, Michael

Application Number

US12/347,212
Publication Number

US 20090182668A1
Time in Patent Office

Days
Field of Search
US Class Current

705/50
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/306   intercepting packet switche...

H04L 9/0841   involving Diffie-Hellman or...

METHOD AND APPARATUS TO ENABLE LAWFUL INTERCEPT OF ENCRYPTED TRAFFIC

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS TO ENABLE LAWFUL INTERCEPT OF ENCRYPTED TRAFFIC

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links