Method and apparatus for transporting encrypted media streams over a wide area network

US 7,308,101 B2
Filed: 01/22/2004
Issued: 12/11/2007
Est. Priority Date: 01/22/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving a call request over a packet switched network at a first gateway that is located between the packet switched network and a circuit switched network;

comparing a phone number included in the call request with entries in a local dial plan located at the first gateway;

sending one or more signals from the first gateway to a source endpoint when the phone number included in the request matches one of the entries in the local dial plan, the signals directing the source endpoint to encrypt media packets for the requested call using a protocol for encrypting real-time media;

receiving the encrypted media packets from the source endpoint responsive to sending the signals;

when a transfer path for the requested call includes a leg traversing the circuit switched network, determining whether a remote second gateway that is located on the transfer path and between the circuit switched network and the same or another packet switched network is configured for end-to-end secure transport;

establishing an Internet Protocol (IP) link that traverses the circuit switched network when the second gateway is configured for end-to-end secure transport, the IP link extending from the first gateway to the second gateway;

reformatting the encrypted media packets for transport over the IP link when the second gateway is configured for end-to-end secure transport, said reformatting occurring without decrypting an encrypted payload attached to the encrypted media packets; and

transferring the reformatted encrypted media packets over the established IP link.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network processing device identifies call requests that require secure media connections and that also require transport over both a packet switched network and a circuit switched network. The network processing device establishes an IP link over the circuit switched network and directs endpoints for the media connection to use Internet Protocol (IP) media encryption. The same IP encrypted media is then transported end-to-end over both the packet switched network and the IP link in the circuit switched network.

66 Citations

View as Search Results

21 Claims

1. A method comprising:
- receiving a call request over a packet switched network at a first gateway that is located between the packet switched network and a circuit switched network;
  
  comparing a phone number included in the call request with entries in a local dial plan located at the first gateway;
  
  sending one or more signals from the first gateway to a source endpoint when the phone number included in the request matches one of the entries in the local dial plan, the signals directing the source endpoint to encrypt media packets for the requested call using a protocol for encrypting real-time media;
  
  receiving the encrypted media packets from the source endpoint responsive to sending the signals;
  
  when a transfer path for the requested call includes a leg traversing the circuit switched network, determining whether a remote second gateway that is located on the transfer path and between the circuit switched network and the same or another packet switched network is configured for end-to-end secure transport;
  
  establishing an Internet Protocol (IP) link that traverses the circuit switched network when the second gateway is configured for end-to-end secure transport, the IP link extending from the first gateway to the second gateway;
  
  reformatting the encrypted media packets for transport over the IP link when the second gateway is configured for end-to-end secure transport, said reformatting occurring without decrypting an encrypted payload attached to the encrypted media packets; and
  
  transferring the reformatted encrypted media packets over the established IP link.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1 further including:
    - decrypting the payload locally at the first gateway when the remote second gateway is not configured for end-to-end secure transport;
      
      formatting media included in the encrypted media packets into a Public Switched Telephone Network (PSTN) format when the remote second gateway is not configured for end-to-end secure transport; and
      
      transferring the formatted media over the circuit switched network for re-encryption at the remote second gateway.
  - 3. The method according to claim 1 including establishing a data channel over the circuit switched network and using a Point to Point Protocol over the data channel to establish the IP link.
  - 4. A method according to claim 3 including establishing the data channel over an Integrated Services Digital Network (ISDN) channel of the circuit switched network.
  - 5. A method according to claim 1 including:
    - authenticating the second gateway;
      
      sending a first encrypted key associated with the source endpoint over the circuit switched network to the authenticated second gateway;
      
      receiving a second encrypted key over the circuit switched network from the authenticated second gateway;
      
      decrypting the second key and forwarding the decrypted second key over the packet switched network to the source endpoint;
      
      encrypting the payload at the source endpoint using the first key according to the signals; and
      
      decrypting the payload at the source endpoint using the second key.
  - 6. A method according to claim 1 including encrypting the payload only once, said encryption occurring at the source endpoint, and decrypting the payload only once, said decryption occurring at a destination endpoint.
  - 7. A method according to claim 1 including:
    - encrypting the payload using a Secure Real-time Transport Protocol (SRTP);
      
      establishing a Point to Point Protocol (PPP) connection over an Integrated Services Digital Network (ISDN) channel in the circuit switched network; and
      
      sending the SRTP encrypted payload over the PPP connection.

8. A network processing device, comprising:
- a processor configured to establish an Internet Protocol (IP) link for transferring received encrypted IP packets over a circuit switched network, the IP link extending across the circuit switched network and between the network processing device and a remote gateway that is located between a packet switched network and the same or another circuit switched network;
  
  the processor configured to identify one or more IP headers included in the received IP packets, to remove the IP headers while preserving encryption on one or more Secure Real-time Transport Protocol (SRTP) headers and a corresponding payload, to locally generate on or more new IP headers, to attach the generated IP headers to the encrypted SRTP headers and the encrypted corresponding payload, to forward the IP packets having the locally generated IP headers, the encrypted STRP headers and the encrypted corresponding payload over the IP link;
  
  wherein the IP packets are forwarded over the IP link without decrypting the payload.
- View Dependent Claims (9, 10, 11, 12, 13, 17)
- - 9. A network processing device according to claim 8 wherein the processor compresses the forwarded IP packets using a first data compression codec having greater data compression capability than a second data compression codec used by the processor for other traffic that is decrypted before forwarding over a data link in the circuit switched network.
  - 10. A network processing device according to claim 8 including a memory containing a dial plan for identifying phone numbers that can be transferred between the packet switched network and the circuit switched network without decrypting the received IP packets.
  - 11. A network processing device according to claim 8 including memory for storing a shared key shared with the remote gateway, the processor receiving a first key from a first endpoint, encrypting the first key using the shared key and sending the encrypted first key to the remote gateway.
  - 12. A network processing device according to claim 11 wherein the processor receives a second encrypted key from the remote gateway, the processor decrypting the second encrypted key using the shared key and then forwarding the second decrypted key to the first endpoint.
  - 13. A network processing device according to claim 8 wherein the processor conducts a Point to Point Protocol over an Integrated Services Digital Network (ISDN) channel for establishing the IP link over the circuit switched network.
  - 17. The network processing device according to claim 8 where the processor is further configured to:
    - receive a pre-configuring out-of-band communication that provides a secret that is shared with the remote gateway;
      
      receive a first key sent from a calling endpoint and usable for decrypting the IP packets;
      
      encrypt the first key using the secret;
      
      send the encrypted first key to the remote gateway;
      
      receive a second key that corresponds to a value stored on a called endpoint and that is encrypted by the remote gateway using the secret;
      
      decrypt the received encrypted second key using the secret; and
      
      send the decrypted second key to the calling endpoint.

14. A method comprising:
- receiving encrypted packets from a packet switched network;
  
  establishing an Internet Protocol (IP) link for transferring received encrypted packets over a circuit switched network;
  
  identifying one or more addressing headers included in the received encrypted packets;
  
  removing the addressing headers while preserving encryption on one or more Secure Real-time Transport Protocol (SRTP) headers and a corresponding payload;
  
  attaching new addressing headers to the encrypted SRTP headers and the encrypted corresponding payload;
  
  forwarding the packets having the new addressing headers, the encrypted SRTP headers and the encrypted corresponding payload over the IP link; and
  
  wherein the packets are forwarded over the IP link without decrypting the payload.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14 further comprising:
    - comparing a phone number included in a call request with a dial plan, the call request being associated with the packets and received before the packets; and
      
      sending a signal that is configured to cause an originating endpoint to perform encryption using SRTP when the phone number corresponds with the dial plan.
  - 16. The method of claim 14 wherein the packets include voice data such that the voice data is securely transported across both the circuit switched network and the packet switched network without intermediary decryption.

18. A system, comprising:
- means for receiving encrypted packets from a packet switched network;
  
  means for establishing an Internet Protocol (IP) link for transferring received encrypted packets over a circuit switched network;
  
  means for identifying one or more addressing headers included in the received encrypted packets;
  
  means for removing the addressing headers while preserving encryption on one or more secure real time protocol headers and a corresponding payload;
  
  means for attaching new addressing headers to the encrypted secure real time protocol headers and the encrypted corresponding payload; and
  
  means for forwarding the packets having the new addressing headers, the encrypted secure real time protocol headers and the encrypted corresponding payload over the IP link;
  
  wherein the packets are forwarded over the IP link without decrypting the payload.
- View Dependent Claims (19, 20, 21)
- - 19. The system of claim 18 wherein the packets represent video to be played out at the destination endpoint.
  - 20. The system of claim 18 wherein the new addressing headers are attached at a first gateway located between a circuit switched network and a packet switched network and the packets are forwarded to a second gateway located between the same or another circuit switched network and the same or another packet switched network.
  - 21. The system of claim 20 wherein the first gateway is configured to determine whether the second gateway supports an End-to-End Secure Real-time Transport Protocol (EE-SRTP) protocol by accessing a dial plan stored locally on the first gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wing, Daniel G.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
GEE, JASON KAI YIN

Application Number

US10/763,471
Publication Number

US 20050163316A1
Time in Patent Office

1,419 Days
Field of Search

380/257, 370/355, 370/352
US Class Current

380/257
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 65/1101   Session protocols

H04L 65/70   Media network packetisation

H04L 9/0838   Key agreement, i.e. key est...

Method and apparatus for transporting encrypted media streams over a wide area network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

66 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for transporting encrypted media streams over a wide area network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others