Intercepting a communication session in a telecommunication network

US 8,175,277 B2
Filed: 04/28/2005
Issued: 05/08/2012
Est. Priority Date: 04/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method for intercepting a secure communication session, comprising:

distributing one or more keys from a key distribution point to establish a secure communication session between a first endpoint and a second endpoint, the keys comprising a media session key for accessing a media stream and a control session key for accessing a control stream;

establishing a secure channel between the key distribution point and a first intercepting endpoint using an authentication protocol;

determining, by one or more hardware processors of the key distribution point, that the first intercepting endpoint is authorized to intercept the secure communication session by determining that an interception rule stored in memory authorizes the first intercepting endpoint for the control session key but not the media session key;

determining, by one or more hardware processors, that the first intercepting endpoint is restricted from receiving a caller identity corresponding to the first endpoint; and

in response to determining that the first intercepting endpoint is authorized, transmitting, from the key distribution point to the first intercepting endpoint, only the control session key but not the media session key and not the caller identity to the first intercepting endpoint, the key providing the first intercepting endpoint with access to intercept the secure communication session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Intercepting a secure communication session includes distributing a key from a key distribution point to establish a secure communication session between a first endpoint and a second endpoint. A secure channel is established between the key distribution point and an intercepting point. The intercepting endpoint may be determined to be authorized to intercept the secure communication session. The key is provided to the intercepting endpoint only if the intercepting endpoint is authorized to intercept the secure communication session, where the key provides the intercepting endpoint with access to intercept the secure communication session.

Citations

16 Claims

1. A method for intercepting a secure communication session, comprising:
- distributing one or more keys from a key distribution point to establish a secure communication session between a first endpoint and a second endpoint, the keys comprising a media session key for accessing a media stream and a control session key for accessing a control stream;
  
  establishing a secure channel between the key distribution point and a first intercepting endpoint using an authentication protocol;
  
  determining, by one or more hardware processors of the key distribution point, that the first intercepting endpoint is authorized to intercept the secure communication session by determining that an interception rule stored in memory authorizes the first intercepting endpoint for the control session key but not the media session key;
  
  determining, by one or more hardware processors, that the first intercepting endpoint is restricted from receiving a caller identity corresponding to the first endpoint; and
  
  in response to determining that the first intercepting endpoint is authorized, transmitting, from the key distribution point to the first intercepting endpoint, only the control session key but not the media session key and not the caller identity to the first intercepting endpoint, the key providing the first intercepting endpoint with access to intercept the secure communication session.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - determining that a second interception rule authorizes a second intercepting endpoint for the media session key but not the control session key;
      
      providing the media session key but not the control session key to the second intercepting endpoint.
  - 3. The method of claim 1, wherein:
    - determining that the first intercepting endpoint is authorized to intercept the secure communication session further comprises determining that the interception rule authorizes the first intercepting endpoint to intercept a communication session between the first endpoint and the second endpoint; and
      
      providing the key to the first intercepting endpoint further comprises providing the key that allows the first intercepting endpoint to intercept the secure communication session between the first endpoint and the second endpoint.
  - 4. The method of claim 1, wherein:
    - determining that the first intercepting endpoint is authorized to intercept the secure communication session further comprises determining that the interception rule authorizes the first intercepting endpoint access on specified dates; and
      
      providing the key to the first intercepting endpoint further comprises providing the key only if the first intercepting endpoint is requesting access on the specified dates.
  - 5. The method of claim 1, further comprising recording information describing the interception of the secure communication session.

6. A system for intercepting a secure communication session, comprising:
- one or more hardware processors executing a key manager operable to distribute one or more keys in order to establish a secure communication session between a first endpoint and a second endpoint, the keys comprising a media session key for accessing a media stream and a control session key for accessing a control stream; and
  
  the one or more hardware processors executing an interception manager coupled to the key manager and operable to;
  
  establish a secure channel between the key manager and a first intercepting endpoint using an authentication protocol;
  
  determine that the first intercepting endpoint is authorized to intercept the secure communication session by determining that an interception rule stored in memory authorizes the first intercepting endpoint for the control session key but not the media session key;
  
  determine that the first intercepting endpoint is restricted from receiving a caller identity corresponding to the first endpoint; and
  
  in response to determining that the first intercepting endpoint is authorized, transmit, from the key manager to the first intercepting endpoint, only the control session key but not the media session key and not the caller identity to the first intercepting endpoint, the key providing the first intercepting endpoint with access to intercept the secure communication session.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, the one or more hardware processors executing the interception manager further operable to:
    - determine that a second interception rule authorizes a second intercepting endpoint for the media session key but not the control session key;
      
      provide the media session key but not the control session key to the second intercepting endpoint.
  - 8. The system of claim 6, the one or more hardware processors executing the interception manager further operable to:
    - determine that the first intercepting endpoint is authorized to intercept the secure communication session by determining that the interception rule authorizes the first intercepting endpoint to intercept a communication session between the first endpoint and the second endpoint; and
      
      provide the key to the first intercepting endpoint by providing the key that allows the first intercepting endpoint to intercept the secure communication session between the first endpoint and the second endpoint.
  - 9. The system of claim 6, the one or more hardware processors executing the interception manager further operable to:
    - determine that the first intercepting endpoint is authorized to intercept the secure communication session by determining that the interception rule authorizes the first intercepting endpoint access on specified dates; and
      
      provide the key to the first intercepting endpoint by providing the key only if the first intercepting endpoint is requesting access on the specified dates.
  - 10. The system of claim 6, the one or more hardware processors executing the interception manager further operable to record information describing the interception of the secure communication session.

11. A non-transitory computer storage medium comprising software logic for intercepting a secure communication session, the software logic when executed by one or more processors operable to:
- distribute one or more keys from a key distribution point to establish a secure communication session between a first endpoint and a second endpoint, the keys comprising a media session key for accessing a media stream and a control session key for accessing a control stream;
  
  establish a secure channel between the key distribution point and a first intercepting endpoint using an authentication protocol;
  
  determine, by one or more processors of the key distribution point, that the first intercepting endpoint is authorized to intercept the secure communication session by determining that an interception rule stored in memory authorizes the first intercepting endpoint for the control session key but not the media session key;
  
  determine that the first intercepting endpoint is restricted from receiving a caller identity corresponding to the first endpoint; and
  
  in response to determining that the first intercepting endpoint is authorized, transmit, from the key distribution point to the first intercepting endpoint, only the control session key but not the media session key and not the caller identity to the first intercepting endpoint, the key providing the first intercepting endpoint with access to intercept the secure communication session.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer storage medium of claim 11, the software logic further operable to:
    - determine that a second interception rule authorizes a second intercepting endpoint for the media session key but not the control session key;
      
      providing the media session key but not the control session key to the second intercepting endpoint.
  - 13. The non-transitory computer storage medium of claim 11, the software logic further operable to:
    - determine that the first intercepting endpoint is authorized to intercept the secure communication session by determining that the interception rule authorizes the first intercepting endpoint to intercept a communication session between the first endpoint and the second endpoint; and
      
      provide the key to the first intercepting endpoint by providing the key that allows the first intercepting endpoint to intercept the secure communication session between the first endpoint and the second endpoint.
  - 14. The non-transitory computer storage medium logic of claim 11, the software logic further operable to:
    - determine that the first intercepting endpoint is authorized to intercept the secure communication session by determining that the interception rule authorizes the first intercepting endpoint access on specified dates; and
      
      provide the key to the first intercepting endpoint by providing the key only if the first intercepting endpoint is requesting access on the specified dates.
  - 15. The non-transitory computer storage medium of claim 11, the software logic further operable to record information describing the interception of the secure communication session.

16. A method for intercepting a secure communication session, comprising:
- distributing one or more keys from a key distribution point to establish a secure communication session between a first endpoint and a second endpoint, the keys comprising a media session key for accessing a media stream and a control session key for accessing a control stream, the call session communicating a media stream;
  
  establishing a secure channel between the key distribution point and a first intercepting endpoint using an authentication protocol;
  
  determining, by one or more hardware processors of the key distribution point, that the first intercepting endpoint is authorized to intercept the secure communication session, the first intercepting endpoint determined to be authorized by;
  
  accessing an interception rule stored in memory, the interception rule corresponding to the first intercepting endpoint, the interception rule defining whether the first intercepting endpoint is authorized, the interception rule defining one or more conditions under which the first intercepting endpoint is authorized, the interception rule defining a time period during which the first intercepting endpoint is authorized;
  
  determining that the first intercepting endpoint is authorized if the first intercepting endpoint satisfies the interception rule; and
  
  determining that the interception rule authorizes the first intercepting endpoint for the control session key but not the media session key;
  
  determining that the first intercepting endpoint is restricted from receiving a caller identity corresponding to the first endpoint; and
  
  providing only the control session key but not the media session key and not the caller identity to the first intercepting endpoint,providing the media session key but not the control session key to a second intercepting endpoint if a second interception rule authorizes the second intercepting endpoint for the media session key but not the control session key;
  
  in response to determining that the first intercepting endpoint is authorized, transmitting, from the key distribution point to the first intercepting endpoint, the key that allows the first intercepting endpoint to intercept the secure communication session between the first endpoint and the second endpoint if the interception rule authorizes the first intercepting endpoint to intercept a communication session between the first endpoint and the second endpoint;
  
  providing the key only if the first intercepting endpoint is requesting access on dates authorized by the intercepting rule; and
  
  recording information describing the interception of the secure communication session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bell, Robert T., Kandasamy, Subbiah, Wing, Daniel G.
Primary Examiner(s)
Shan, April

Application Number

US11/116,644
Publication Number

US 20060245595A1
Time in Patent Office

2,567 Days
Field of Search

380/286, 380/278, 380/283, 713/168, 713/201, 713/171, 726/14
US Class Current

380/278
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/102   Entity profiles

H04L 63/30   for supporting lawful inter...

H04L 63/306   intercepting packet switche...

H04L 9/0827   involving distinctive inter...

H04L 9/083   involving central third par...

Intercepting a communication session in a telecommunication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Intercepting a communication session in a telecommunication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links