Secure wiretap support for internet protocol security

US 6,438,695 B1
Filed: 10/30/1998
Issued: 08/20/2002
Est. Priority Date: 10/30/1998
Status: Expired due to Term

First Claim

Patent Images

1. A system for allowing controlled access to encrypted networked communication, said system comprising:

an intermediate device, said intermediate device including memory for storing a policy rule therein, said intermediate device adapted to download said policy rule to a desired location; and

a client coupled to said intermediate device, said client adapted to receive said policy rule when said intermediate device downloads said policy rule to said client, said policy rule causes said client to establish a first encrypted communication session with a first destination device for a monitoring purpose and a second encrypted communication session with a second destination device; and

when said client transmits encrypted communication data to said second destination device via said second encrypted communication session, said policy rule causes said client to transmit a copy of said encrypted communication data to said first destination device via said first encrypted communication session.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure wiretap support for Internet Protocol security. Specifically, one embodiment of the present invention includes a system for allowing controlled access to a networked communication. The system comprises an intermediate device that includes memory. The memory of the intermediate device is for storing a policy rule therein. The intermediate device is adapted to download the policy rules governing access to a desired location. The system further comprises a client which is coupled to the intermediate device. The client is adapted to receive the policy rule when the intermediate device downloads it to the client. As such, any communication data intended to travel between a first destination and the client is forwarded to a second destination. Therefore, the present invention provides a method and system for providing law enforcement agencies the ability to wiretap specific encrypted communications. Moreover, the present invention provides this ability while allowing the established hardware infrastructure of computer networks to remain essentially unchanged. Furthermore, the present invention does not affect the performance of the network while enabling end users to utilize any encryption algorithms for their communications. Additionally, the present invention enables encrypted communication data to remain encrypted during transmittal en route to its destination.

84 Citations

View as Search Results

40 Claims

1. A system for allowing controlled access to encrypted networked communication, said system comprising:
- an intermediate device, said intermediate device including memory for storing a policy rule therein, said intermediate device adapted to download said policy rule to a desired location; and
  
  a client coupled to said intermediate device, said client adapted to receive said policy rule when said intermediate device downloads said policy rule to said client, said policy rule causes said client to establish a first encrypted communication session with a first destination device for a monitoring purpose and a second encrypted communication session with a second destination device; and
  
  when said client transmits encrypted communication data to said second destination device via said second encrypted communication session, said policy rule causes said client to transmit a copy of said encrypted communication data to said first destination device via said first encrypted communication session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system as described in claim 1 wherein said intermediate device is a computer system.
  - 3. The system as described in claim 1 wherein said intermediate device is a policy server.
  - 4. The system as described in claim 1 wherein said policy rule causes said client to forward to said first destination device any encrypted communication data said client receives from said second destination device via said second encrypted communication session.
  - 5. The system as described in claim 1 wherein said first destination device is a destination device that provides a law enforcement agency access to said encrypted communication data.
  - 6. The system as described in claim 1 wherein said downloading of said policy rule by said intermediate device to said client is motivated by a law enforcement agency desiring access to said encrypted communication data.
  - 7. The system as described in claim 1 wherein said first encrypted communication session and said second encrypted communication session utilize different encryption keys.
  - 8. The system as described in claim 1 wherein said first encrypted communication session and said second encrypted communication session utilize the same encryption key.
  - 9. The system as described in claim 1 wherein said client comprises a computer.
  - 10. The system as described in claim 1 wherein said first destination device and said second destination device each comprise a computer.
  - 11. The system as described in claim 1 wherein said first encrypted communication session comprises an Internet Protocol security encrypted tunnel.

12. A system for allowing controlled access to encrypted networked communication, said system comprising:
- an intermediate device having memory adapted for storing a policy rule therein, said intermediate device adapted to download said policy rule to a desired location, said intermediate device adapted to configure a client such that any encrypted communication data intended to travel between a first destination device and said client is also forwarded by said client to a second destination device for monitoring.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system as described in claim 12 wherein said intermediate device is a computer system.
  - 14. The system as described in claim 12 wherein said intermediate device is a policy server.
  - 15. The system as described in claim 12 wherein said policy rule causes said client to forward to said second destination device any encrypted communication data intended to travel between said first destination device and said client.
  - 16. The system as described in claim 12 wherein said second destination device is a destination device that provides a law enforcement agency access to said encrypted communication data.
  - 17. The system as described in claim 12 wherein said client comprises a computer.
  - 18. The system as described in claim 12 wherein said encrypted communication data is an encryption key.

19. A method for allowing controlled access to encrypted network communication, said method comprising:
- (a) storing a policy rule in memory of an intermediate device; and
  
  (b) downloading said policy rule to a client device;
  
  (c) said policy rule causing said client device to establish a first encrypted communication session with a first destination device for a monitoring purpose;
  
  (d) said policy rule causing said client device to establish a second encrypted communication session with a second destination device; and
  
  (e) in response to said client device transmitting encrypted communication data to said second destination device via said second encrypted communication session, said policy rule causing said client device to transmit a copy of said encrypted communication data to said first destination device via said first encrypted communication session.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 20. The method as described in claim 19 wherein (a) comprises storing said policy rule in memory of a computer system.
  - 21. The method as described in claim 19 wherein (a) comprises storing said policy rule in memory of a policy server.
  - 22. The method as described in claim 19 wherein said policy rule further causing said client device to forward to said first destination device any encrypted communication data intended to travel between said second destination device and said client device.
  - 23. The method as described in claim 19 wherein said first destination device provides a law enforcement agency access to said encrypted communication data.
  - 24. The method as described in claim 19 wherein step (b) comprises downloading said policy rule because of motivation by a law enforcement agency desiring access to said encrypted communication data.
  - 25. The method as described in claim 19 wherein said first encrypted communication session and said second encrypted communication session utilize different encryption keys.
  - 26. The method as described in claim 19 wherein said first encrypted communication session and said second encrypted communication session utilize the same encryption key.
  - 27. The method as described in claim 19 wherein said client device comprises a computer.
  - 28. The method as described in claim 19 wherein said first destination device and said second destination device each comprise a computer.
  - 29. The method as described in claim 19 wherein said first encrypted communication session comprises an Internet Protocol security encrypted tunnel.

30. In a computer system having a processor coupled to a bus, a computer readable medium coupled to said bus and having stored therein a computer program that when executed by said processor causes said computer system to implement a method for allowing controlled access to encrypted network communication, said method comprising the steps of:
- a) storing a policy rule in memory of an intermediate device; and
  
  b) downloading said policy rule to a client such that any encrypted communication data intended to travel between a first destination device and said client is also forwarded to a second destination device by said client.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 31. The computer readable medium as described in claim 30 wherein said intermediate device comprises a computer system.
  - 32. The computer readable medium as described in claim 30 wherein said intermediate device comprises a policy server.
  - 33. The computer readable medium as described in claim 30 wherein said policy rule causes said client to forward to said second destination any communication data intended to travel between said first destination and said client.
  - 34. The computer readable medium as described in claim 30 wherein said policy rule causes said client to forward to said second destination any encrypted communication data that travels between said first destination device and said client.
  - 35. The computer readable medium as described in claim 30 wherein said second destination device provides a law enforcement agency access to said encrypted communication data.
  - 36. The computer readable medium as described in claim 30 wherein (b) is motivated by a law enforcement agency desiring access to said encrypted communication data.
  - 37. The computer readable medium as described in claim 30 wherein said first destination device comprises a computer.
  - 38. The computer readable medium as described in claim 30 wherein said second destination device comprises a computer.
  - 39. The computer readable medium as described in claim 30 wherein said encrypted communication data comprises an encryption key.
  - 40. The computer readable medium as described in claim 30 wherein said first destination device and said second destination device each comprise a computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
3Com Corporation (HP Inc.)
Inventors
Maufer, Thomas A.
Primary Examiner(s)
Wright, Norman M.

Application Number

US09/183,449
Time in Patent Office

1,390 Days
Field of Search

713/200, 713/201, 713/202, 379/33, 379/35, 379/59, 380/21, 380/24, 380/23
US Class Current

726/11
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/102   Entity profiles

H04L 63/30   for supporting lawful inter...

Secure wiretap support for internet protocol security

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Secure wiretap support for internet protocol security

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links