Lawful interception of end-to-end encrypted data traffic

US 7,382,881 B2
Filed: 12/06/2002
Issued: 06/03/2008
Est. Priority Date: 12/07/2001
Status: Active Grant

First Claim

Patent Images

1. A method of facilitating the lawful interception of a data session between two or more terminals, wherein said session uses encryption to secure traffic, the method comprising:

storing a key allocated to at least one of said two or more terminals, at the at least one terminal and at a node within a network through which said session is conducted or at a node coupled to that network;

prior to the communication of a session setup request from a calling terminal to a called terminal, exchanging a seed value between the at least one terminal and said node;

using the key and the seed value at the at least one terminal to generate a pre-master key, the pre-master key subsequently becoming known to each other terminal involved in the data session and using a key exchange procedure to transmit a first cross-parameter from the said at least one terminal to another terminal and to transmit a second cross-parameter from the other terminal to the said at least one terminal; and

directly or indirectly using said pre-master key to encrypt and decrypt traffic associated with said session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of facilitating the lawful interception of an IP session between two or more terminals 12,13, wherein session uses encryption to secure traffic. The method includes storing a key allocated to at least one of terminals 12,13 or to at least one of the subscribers using one of the terminals 12,13, at the terminal 12,13 and at a node 5,8 within a network 1,6 through which session is conducted, or a node coupled to that network. Prior to the creation of session, a seed value is exchanged between the terminal 12,13 at which the key is stored and node 5,8. The key and the seed value are used at both the terminal 12,13 and the node 5,8 to generate a pre-master key. The pre-master key becomes known to each of the terminals 12,13 involved in the IP session and to the network node 5,8. The pre-master key is used, directly or indirectly, to encrypt and decrypt traffic associated with IP session.

Citations

38 Claims

1. A method of facilitating the lawful interception of a data session between two or more terminals, wherein said session uses encryption to secure traffic, the method comprising:
- storing a key allocated to at least one of said two or more terminals, at the at least one terminal and at a node within a network through which said session is conducted or at a node coupled to that network;
  
  prior to the communication of a session setup request from a calling terminal to a called terminal, exchanging a seed value between the at least one terminal and said node;
  
  using the key and the seed value at the at least one terminal to generate a pre-master key, the pre-master key subsequently becoming known to each other terminal involved in the data session and using a key exchange procedure to transmit a first cross-parameter from the said at least one terminal to another terminal and to transmit a second cross-parameter from the other terminal to the said at least one terminal; and
  
  directly or indirectly using said pre-master key to encrypt and decrypt traffic associated with said session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein said node generates the pre-master key for use in lawful interception of the data session.
  - 3. The method of claim 1, wherein said key exchange procedure is a Diffie-Hellman exchange.
  - 4. The method of claim 3 further comprising detecting at said node, or at another node through which session traffic passes, the exponentiation of a second key sent to the at least one terminal from a peer terminal during the Diffie-Hellman exchange, and generating the pre-master key using detected exponentiated second key and the second key of the said at least one terminal.
  - 5. The method of claim 1, further comprising applying a key derivation function to said key and the seed value to derive an exponentiation of the second key then being generated for use in the Diffie-Hellman exchange.
  - 6. The method of claim 1, wherein the steps of exchanging the seed value between the terminal and the network node, and of generating the pre-master key are carried out each time a new data session is to be established.
  - 7. The method of claim 1, wherein the steps of exchanging the seed value between the terminal and the network node, and of generating the pre-master key are carried out for every data session regardless of whether or not lawful interception is required.
  - 8. The method of claim 1 wherein the pre-master key is used by the terminals involved in the data session to generate one or more traffic encryption keys, the traffic encryption keys being used to encrypt the traffic associated with the data session.
  - 9. The method of claim 1, wherein said node is a node of the home network with which the user of said at least one terminal has a subscription.
  - 10. The method of claim 1, wherein said at least one terminal is attached to a foreign network, and the seed value is sent to the terminal via the foreign network.
  - 11. The method of claim 1, further comprising generating the second key at said node of the home network, sending the key to the foreign network together with the seed value, and sending the seed value but not said second key to the terminal.
  - 12. The method of claim 1, wherein said data session is an IP data session.

13. A method of facilitating the lawful interception of a data session between two or more terminals, wherein said session uses encryption to secure traffic and at least one of the terminals is a mobile wireless device, the method comprising:
- storing a first key allocated to said at least one terminal, at the at least one terminal and at a node within the at least one terminal'"'"'s home network;
  
  using the first key to authenticate the at least one terminal when the at least one terminal registers with the home network or a visited network;
  
  using the first key and a seed value sent from the home network to the at least one terminal to encrypt traffic end-to-end during said data session;
  
  generating a second key at the mobile terminal using the seed value and the first key; and
  
  performing a Diffie-Hellman exchange using said second key.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein said step of using the key to authenticate the terminal uses the authentication and key agreement (AKA), protocol, this protocol also making use of the key to secure data sent over a radio link.
  - 15. The method of claim 13, wherein said step of using the key to authenticate the terminal comprises using the key to generate a challenge value at said node and a response value at the terminal, comparing the challenge and response values, and authenticating the terminal only if the values match.
  - 16. The method of claim 13 comprising sending the key and the seed value to a lawful interception authority, wherein user traffic to be intercepted is forwarded to the lawful interception authority from the access network, and the authority can use the received key and seed value to decrypt the forwarded traffic.
  - 17. The method of claim 16, further comprising sniffing one or more parameters associated with a key exchange protocol between said terminals in the access network, and forwarding these to the lawful interception authority with said key and seed value.

18. A method of securing data transmitted between a plurality of terminals, each of which is attached to a communications network, at least one of the terminals having allocated to it a home network, the method comprising:
- sending a seed value from the home network to the at least one terminal, via the corresponding communications network, as part of a call signalling level authentication procedure; and
  
  using said seed value at the at least one terminal to generate one or more traffic encryption keys for use in the end-to-end encryption of traffic associated with a call between terminals; and
  
  forwarding said seed value to a lawful interception authority to allow that authority to compute the traffic decryption keys, whereby when a call is setup encrypted traffic can be forwarded to the authority for decryption.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The method of claim 18, wherein said at least one terminal is a mobile wireless terminal attached to a mobile communications network.
  - 20. The method of claim 18, comprising storing a secret key at said at least one terminal and in the home network, and sending that key or a key derived therefrom from the home network to said communication network for use in said authentication procedure, the sent key also being used by the wireless terminal to generate said traffic encryption keys.
  - 21. The method of claim 18, wherein the step of generating one or more traffic encryption keys comprises performing a key exchange procedure between the terminals.
  - 22. The method of claim 18, wherein Session Initiation Protocol is used to setup and control calls between terminals.
  - 23. The method of claim 18, further comprising sending said seed value from a S-CSCF node of said home network to the at least one terminal, via a P-CSCF node of said communication network.
  - 24. The method of claim 18, wherein said call signaling level authentication procedure is an IMS AKA procedure.

25. A method of communicating data between a first terminal and a second terminal on an end-to-end security basis, the first terminal being served by a first network, and the second terminal being served by a second network, the method comprising:
- a first authentication and key agreement sub-procedure involving transmitting a first set of values from the first terminal'"'"'s designated home operator to the first network and on the basis thereof deriving at least one first encryption parameter to be used by the first terminal;
  
  a second authentication and key agreement sub-procedure involving transmitting a second set of values from the second terminal'"'"'s designated home operator to the second network and on the basis thereof deriving at least one second encryption parameter to be used by the second terminal;
  
  a key exchange sub-procedure involving transmitting a first cross-parameter from the first terminal to the second terminal and transmitting a second cross-parameter from the second terminal to the first terminal, anda communication phase where the first terminal and the second terminal exchange information via a connection being end-to-end encrypted in the first terminal on the basis of the at least one first encryption parameter and the second cross-parameter, and in the second terminal on the basis of the at least one second encryption parameter and the first cross-parameter.
- View Dependent Claims (26)
- - 26. The method of communicating data according to claim 25, comprising intercepting the information exchange between the first terminal and the second terminal in at least one ofthe first network, based on the first encryption parameter and the second cross-parameter, andthe second network, based on the second encryption parameter and the first cross-parameter.

27. A first terminal for communicating data with at least one other terminal on an end-to-end security basis, the first terminal being served by a first network, the at least one other terminal being served by a second network, the first terminal comprising:
- a first encryption unit, adapted to request a first set of values from the first terminal'"'"'s designated home operator and receive at least one first encryption parameter;
  
  a memory for storing a key allocated to at least one of said terminals, at the first terminal and at a node within a network through which said session is conducted or at a node coupled to the network;
  
  means for exchanging a seed value between the first terminal at which the key is stored and said node prior to the communication of a session setup request from the first terminal to the at least one other terminal;
  
  means for generating a pre-master key using the key and the seed value at the terminal, wherein the pre-master key subsequently also becomes known to each other terminal involved in the data session;
  
  means for using the pre-master key to directly or indirectly decrypt data at the node within the network or at another node to which the pre-master key is sent;
  
  a key exchange unit, adapted to transmit a first cross-parameter to the at least one other terminal and receive a second cross-parameter from the at least one other terminal; and
  
  a data transceiver for exchanging information with the at least one other terminal via a connection being end-to-end encrypted on the basis of the at least one first encryption parameter and the second cross-parameter.

28. A method of facilitating the lawful interception of a data session between two or more terminals, wherein said session uses encryption to secure traffic, the method comprising:
- storing a key allocated to at least one of said terminals, at the terminal and at a node within a network through which said session is conducted or at a node coupled to that network;
  
  prior to the communication of a session setup request from a calling terminal to a called terminal exchanging a seed value between the terminal at which the key is stored and said node;
  
  using the key and the seed value at the terminal to generate a pre-master key, wherein the pre-master key subsequently also becomes known to each other terminal involved in the data session;
  
  generating the pre-master key at said node and using the pre-master key to directly or indirectly decrypt data at that node or at another node to which the pre-master key is sent;
  
  directly or indirectly using said pre-master key to encrypt and decrypt traffic associated with said session; and
  
  using a key exchange procedure to transmit a first cross-parameter from the said at least one terminal to another terminal and to transmit a second cross-parameter from the other terminal to the said at least one terminal.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The method of claim 28, wherein said node generates the pre-master key for use in lawful interception of the data session.
  - 30. The method of claim 28, wherein said key exchange procedure is a Diffie-Hellman exchange.
  - 31. The method of claim 30, further comprising applying a key derivation function to said key and the seed value to derive a second key, an exponentiation of the second key then being generated for use in the Diffie-Hellman exchange.
  - 32. The method of claim 28, wherein the steps of exchanging the seed value between the terminal and the network node, and of generating the pre-master key are carried out each time a new data session is to be established.
  - 33. The method of claim 28, wherein the steps of exchanging the seed value between the terminal and the network node and of generating the pre-master key are carried out for every data session regardless of whether or not lawful interception is required.

34. The method of 28, wherein the pre-master key is used by the terminals involved in the data session to generate one or more traffic encryption keys, the one or more traffic encryption keys being used to encrypt the traffic associated with the data session.

35. The method of 28, wherein said node is a node of the home network with which the user of said at least one terminal has a subscription.

36. The method of 28, wherein said at least one terminal is attached to a foreign network, and the seed value is sent to the terminal via the foreign network.
- View Dependent Claims (37)
- - 37. The method of claim 36 further comprising, generating the second key at said node of the home network, sending the key to the foreign network together with the seed value, and sending the seed value but not said second key to the terminal.

38. The method of 28, wherein said data session is an IP data session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Krister, Boman, Uusitalo, Ilkka, Naslund, Mats, Blom, Rolf, Ahonen, Pasi
Primary Examiner(s)
Song; Hosuk

Application Number

US10/497,568
Publication Number

US 20050063544A1
Time in Patent Office

2,006 Days
Field of Search

713/168, 713/171, 380/44, 380/262, 380/281, 380/277, 380/284
US Class Current

380/262
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/306   intercepting packet switche...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0869   involving random numbers or...

Lawful interception of end-to-end encrypted data traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Lawful interception of end-to-end encrypted data traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links