METHOD AND APPARATUS TO ENABLE LAWFUL INTERCEPT OF ENCRYPTED TRAFFIC
6 Assignments
0 Petitions
Abstract
Methods and systems are described for communicating the session keys used to encrypt a media stream so that a lawful intercept (LI) agency can decrypt the media stream. Assuming the endpoints negotiate the session keys themselves, they send an encrypted key message which is encrypted with an encryption key for which only the LI agency knows the corresponding decryption key. However, to avoid abuse by the LI agency, or even the perception that LI agencies can intercept private calls without due process, the media session key is further encrypted with at least one additional key, with the corresponding decryption key(s) being unknown to the LI agency.
34 Citations
20 Claims
1. A method of securing a media stream between first and second endpoints of a packet data network, while still allowing lawful intercept, comprising:
a) endpoints negotiating a media session key for encrypting said media stream;
b) endpoints encrypting said media stream with said media session key to produce an encrypted media stream; and
c) at least one of said endpoints creating and transmitting an encrypted message which contains the media session key encrypted with a first additional key for which the corresponding decryption key is known by a lawful intercept (LI) agency.
Dependent claims: 2 through 11.

12. A data network multimedia apparatus for transmitting encrypted media while still allowing for lawful intercept (LI) comprising:
a. a call signaling module for establishing a call with another endpoint;
b. a key negotiation module for negotiating a media session key with said another endpoint;
c. an encryption module for encrypting media traffic with said negotiated media session key;
d. a LI module for creating and transmitting an encrypted message which contains the media session key encrypted with a first additional key for which the corresponding decryption key is known by a lawful intercept (LI) agency.
Dependent claims: 13 through 16.

17. A Network Intercept Apparatus for intercepting a composite encrypted media stream transmitted via a data network, said composite encrypted media stream including encrypted media stream packets encrypted with a media session key and tracer packets which include an encrypted media session key which is encrypted with an additional key, said apparatus comprising:
a data network interface which provides a logical and physical interface to the data network;
a target mirroring module which replicates an encrypted media stream targeted for lawful intercept (LI) and separates said tracer packets from said encrypted media stream packets;
a tracer packet processing module which isolates said encrypted media session key from within the tracer packet and performs decryption of the media session key using the additional key and reassembles each tracer packet to include the decrypted media session key; and
a LI Media Stream Packet Processing Module which receives the outputs from both the Tracer Packet Processing Module and the Target Mirroring Module and re-inserts the reassembled tracer packets within the replicated encrypted media stream.
Dependent claims: 18 through 20.
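The following Go program is an added worked example of the scheme the abstract and claims 1, 12 and 17 describe; it is not code from the patent or from any product implementing it. It assumes a concrete wire format (one marker byte per packet, tracer packet first), X25519 key wrapping with AES-256-GCM for both the tracer packet and the media, and exactly one holder of the abstract's "additional key" (called extra here), whose private key the LI agency does not have. The names sendCall, intercept, decryptStream, sealTo, openWith and the pkt markers are this example's own. The endpoint wraps the session key for the additional key holder first and for the LI agency second, so the claim 17 apparatus can peel the LI layer off the tracer and re-insert it, but the media stays unreadable until the inner wrap is opened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const pktMedia, pktTracer byte = 1, 2 // packet markers; this one-byte wire format is assumed for the example

// must panics on error to keep the example short; production code should propagate errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// gcm returns AES-256-GCM keyed with a 32-byte key.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// sealTo wraps msg to a static X25519 key: ephemeral ECDH, SHA-256 as KDF, AES-GCM (single-use key, so a zero nonce is safe).
func sealTo(pub *ecdh.PublicKey, msg []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	key := sha256.Sum256(must(eph.ECDH(pub)))
	return gcm(key[:]).Seal(append([]byte{}, eph.PublicKey().Bytes()...), make([]byte, 12), msg, nil)
}

// openWith reverses sealTo (layout: ephemeral public key (32) || ciphertext || tag); fails unless priv matches.
func openWith(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 48 {
		return nil, fmt.Errorf("wrapped key too short")
	}
	key := sha256.Sum256(must(priv.ECDH(must(ecdh.X25519().NewPublicKey(blob[:32])))))
	return gcm(key[:]).Open(nil, make([]byte, 12), blob[32:], nil)
}

// sendCall is the endpoint side of claim 1 steps (b) and (c) plus the abstract's extra layer: the session key
// is wrapped for the additional key holder, then for the LI agency, and sent as a tracer packet ahead of the media.
func sendCall(sessionKey []byte, liPub, extraPub *ecdh.PublicKey, frames [][]byte) [][]byte {
	tracer := append([]byte{pktTracer}, sealTo(liPub, sealTo(extraPub, sessionKey))...)
	stream, aead := [][]byte{tracer}, gcm(sessionKey)
	for _, f := range frames {
		nonce := make([]byte, 12) // the session key is reused, so every media packet needs a fresh nonce
		must(rand.Read(nonce))
		stream = append(stream, aead.Seal(append([]byte{pktMedia}, nonce...), nonce, f, nil))
	}
	return stream
}

// intercept is the claim 17 apparatus: separate tracer packets from the mirrored stream, peel the LI layer off
// each and re-insert it. The reassembled tracer still carries the inner wrap, so this output alone yields no media.
func intercept(stream [][]byte, liPriv *ecdh.PrivateKey) ([][]byte, error) {
	out := make([][]byte, 0, len(stream))
	for _, p := range stream {
		if len(p) > 0 && p[0] == pktTracer {
			inner, err := openWith(liPriv, p[1:])
			if err != nil {
				return nil, fmt.Errorf("tracer: %w", err)
			}
			p = append([]byte{pktTracer}, inner...)
		}
		out = append(out, p)
	}
	return out, nil
}

// decryptStream needs the additional key holder: open the inner wrap, then decrypt media that follows a usable tracer.
func decryptStream(stream [][]byte, extraPriv *ecdh.PrivateKey) ([][]byte, error) {
	var key []byte
	var frames [][]byte
	for _, p := range stream {
		if len(p) > 0 && p[0] == pktTracer {
			k, err := openWith(extraPriv, p[1:])
			if err != nil {
				return nil, fmt.Errorf("inner wrap: %w", err)
			}
			key = k
		} else if key == nil || len(p) < 13 || p[0] != pktMedia {
			return nil, fmt.Errorf("malformed packet, or media before a usable tracer")
		} else if f, err := gcm(key).Open(nil, p[1:13], p[13:], nil); err != nil {
			return nil, err
		} else {
			frames = append(frames, f)
		}
	}
	return frames, nil
}

func main() {
	li, extra := must(ecdh.X25519().GenerateKey(rand.Reader)), must(ecdh.X25519().GenerateKey(rand.Reader))
	sessionKey := sha256.Sum256([]byte("stand-in for the key negotiated in claim 1 step (a)"))
	mirrored := must(intercept(sendCall(sessionKey[:], li.PublicKey(), extra.PublicKey(), [][]byte{[]byte("rtp frame")}), li))
	_, errLI := decryptStream(mirrored, li) // the LI key alone cannot open the inner wrap
	fmt.Printf("LI alone: %v\nwith additional key: %q\n", errLI, must(decryptStream(mirrored, extra)))
}
```

The order of the two wraps is the whole point: because the LI layer is outermost, the intercept apparatus can do its job (strip the LI layer and re-insert the tracer) without seeing the session key, and the stream it hands over still fails to decrypt until the additional key holder opens the inner wrap. The session key negotiation of claim 1 step (a) is represented by a fixed stand-in value; a real deployment would take it from the media key exchange (for example DTLS-SRTP) and would use a proper KDF such as HKDF rather than a bare SHA-256 of the shared secret.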
Specification