POLICY ROUTING-BASED LAWFUL INTERCEPTION IN COMMUNICATION SYSTEM WITH END-TO-END ENCRYPTION

US 20120287922A1
Filed: 08/18/2011
Published: 11/15/2012
Est. Priority Date: 05/11/2011
Status: Active Grant

First Claim

Patent Images

1. A method for intercepting encrypted communications exchanged between a first computing device and a second computing device in a communication network, wherein the interception is performed by a third computing device in the communication network, the method comprising:

the third computing device obtaining one or more packets having a packet address associated with one of the first computing device and the second computing device, wherein the one or more packets are obtained by the third computing device, in response to at least one interception routing policy being implemented in at least one element in the communication network, such that the one or more obtained packets may be decrypted so as to obtain data contained therein;

the third computing device preserving the packet address of the one or more obtained packets; and

the third computing device forwarding the one or more packets toward a packet-destination one of the first computing device and the second computing device such that the packet-destination one of the first computing device and the second computing device is unable to detect from the one or more packets that the one or more packets were intercepted by the third computing device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for lawfully intercepting information in communication environments with end-to-end encryption. For example, a method for intercepting encrypted communications exchanged between a first computing device and a second computing device in a communication network, wherein the interception is performed by a third computing device in the communication network, comprises the following steps. The third computing device obtains one or more packets having a packet address associated with one of the first computing device and the second computing device. The one or more packets are obtained by the third computing device, in response to at least one interception routing policy being implemented in at least one element in the communication network, such that the one or more obtained packets may be decrypted so as to obtain data contained therein. The third computing device preserves the packet address of the one or more obtained packets. The third computing device forwards the one or more packets toward a packet-destination one of the first computing device and the second computing device such that the packet-destination one of the first computing device and the second computing device is unable to detect from the one or more packets that the one or more packets were intercepted by the third computing device.

Citations

24 Claims

1. A method for intercepting encrypted communications exchanged between a first computing device and a second computing device in a communication network, wherein the interception is performed by a third computing device in the communication network, the method comprising:
- the third computing device obtaining one or more packets having a packet address associated with one of the first computing device and the second computing device, wherein the one or more packets are obtained by the third computing device, in response to at least one interception routing policy being implemented in at least one element in the communication network, such that the one or more obtained packets may be decrypted so as to obtain data contained therein;
  
  the third computing device preserving the packet address of the one or more obtained packets; and
  
  the third computing device forwarding the one or more packets toward a packet-destination one of the first computing device and the second computing device such that the packet-destination one of the first computing device and the second computing device is unable to detect from the one or more packets that the one or more packets were intercepted by the third computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the element of the communication network in which the interception routing policy is implemented comprises a device connected in a local area network in which the third computing device is connected.
  - 3. The method of claim 2, wherein the element comprises a switching element.
  - 4. The method of claim 3, wherein the interception routing policy is implemented in the switching element by modifying a forwarding table in the switching element to cause the one or more packets having the packet address associated with one of the first computing device and the second computing device to be forwarded to the third computing device.
  - 5. The method of claim 4, further comprising the third computing device decrypting the one or more packets.
  - 6. The method of claim 4, further comprising the third computing device copying the one or more packets before forwarding the one or more packets toward the packet-destination one of the first computing device and the second computing device.
  - 7. The method of claim 6, further comprising the third computing device forwarding the one or more copied packets to another entity for decryption.
  - 8. The method of claim 1, wherein the element of the communication network in which the interception routing policy is implemented comprises a device that is remote from the third computing device.
  - 9. The method of claim 8, wherein the element comprises a routing element through which one of the first computing device and the second computing device accesses the communication network.
  - 10. The method of claim 9, further comprising the third computing device, with knowledge of a security association for a packet-source one of the first computing device and the second computing device, decrypting the one or more routed packets to obtain the data contained therein.
  - 11. The method of claim 10, further comprising the third computing device, with knowledge of a security association for the packet-destination one of the first computing device and the second computing device, re-encrypting the one or more routed packets before forwarding the one or more packets.
  - 12. The method of claim 9, further comprising the third computing device establishing a virtual private network (VPN) tunnel with the routing element.
  - 13. The method of claim 12, wherein the interception routing policy is implemented in the routing element by instructing the routing element to encapsulate the one or more packets having the packet address associated with one of the first computing device and the second computing device, and to route the one or more encapsulated packets through the established VPN tunnel to the third computing device.
  - 14. The method of claim 13, further comprising the third computing device establishing a second virtual private network (VPN) tunnel with a second routing element, the second routing element being a routing element through which the other of the first computing device and the second computing device accesses the communication network.
  - 15. The method of claim 14, wherein the one or more packets are re-encrypted by the third computing device after the data contained therein is obtained, encapsulated, and routed through the second established VPN tunnel to the other of the first computing device and the second computing device.
  - 16. The method of claim 1, wherein the third computing device comprises a lawful interception server (US).
  - 17. The method of claim 16, wherein the LIS comprises a signaling element and at least one bearer element.
  - 18. The method of claim 16, wherein the element of the communication network in which the interception routing policy is implemented is the LIS.

19. An apparatus for intercepting encrypted communications exchanged between a first computing device and a second computing device in a communication network, the apparatus comprising:
- a memory; and
  
  a processor coupled to the memory and operative to;
  
  obtain one or more packets having a packet address associated with one of the first computing device and the second computing device, wherein the one or more packets are obtained, in response to at least one interception routing policy being implemented in at least one element in the communication network, such that the one or more obtained packets may be decrypted so as to obtain data contained therein;
  
  preserve the packet address of the one or more obtained packets; and
  
  forward the one or more packets toward a packet-destination one of the first computing device and the second computing device such that the packet-destination one of the first computing device and the second computing device is unable to detect from the one or more packets that the one or more packets were intercepted.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The apparatus of claim 19, wherein the element of the communication network in which the interception routing policy is implemented comprises a device connected in a local area network in which the processor is connected.
  - 21. The apparatus of claim 20, wherein the element comprises a switching element and wherein the interception routing policy is implemented in the switching element by modifying a forwarding table in the switching element to cause the one or more packets having the packet address associated with one of the first computing device and the second computing device to be forwarded to the processor.
  - 22. The apparatus of claim 19, wherein the element of the communication network in which the interception routing policy is implemented comprises a device that is remote from the processor.
  - 23. The apparatus of claim 22, wherein the element comprises a routing element through which one of the first computing device and the second computing device accesses the communication network and the processor establishes a virtual private network (VPN) tunnel with the routing element.
  - 24. The apparatus of claim 19, wherein the memory and the processor are part of a lawful interception server (LIS).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Piece Future Pte., Ltd.
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Heck, John Frederick, Sundaram, Ganapathy S., Varney, Douglas William

Granted Patent

US 9,544,334 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/351
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0464   using hop-by-hop encryption...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/306   intercepting packet switche...

H04L 65/1016   IP multimedia subsystem [IMS]

POLICY ROUTING-BASED LAWFUL INTERCEPTION IN COMMUNICATION SYSTEM WITH END-TO-END ENCRYPTION

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

POLICY ROUTING-BASED LAWFUL INTERCEPTION IN COMMUNICATION SYSTEM WITH END-TO-END ENCRYPTION

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links