Method and apparatus for identifying and monitoring VoIP media plane security keys for service provider lawful intercept use

US 8,934,609 B2
Filed: 06/21/2006
Issued: 01/13/2015
Est. Priority Date: 06/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method of obtaining session information in a network comprising a plurality of end-points coupled by at least one network element, the method comprising:

establishing a secure communication channel with a first end-point by the at least one network element;

forwarding session initiation requests and responses between the first end-point and the second end-point to establish a session for an exchange of media between the first end-point and the second end-point, the session having a characteristic;

retrieving the characteristic of the session from the first end-point using the secure channel;

storing the characteristic of the session, wherein the characteristic of the session is a key that is used to encrypt media of the session;

periodically capturing blocks of media exchanged between the first end-point and the second end-point;

attempting to decrypt the blocks of media using the key;

analyzing the blocks of media for which decryption was attempted to determine whether the key provided by the first end-point is valid, wherein analyzing the blocks of media for which decryption was attempted to determine whether the key provided by the first end-point is valid includes analyzing the blocks of media for which decryption was attempted to determine whether the blocks of media for which decryption was attempted remain encrypted by employing a spectral analyzer separate from the first and second end-points to perform a randomness test on signal frequencies within the blocks of media to determine whether the blocks of media include random data; and

logging information associated with the session if it is determined that the media remains encrypted after performing spectral analysis for use by legal interceptors.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism is described that enables encrypted end-point communications in a VoIP network to be accessed by a service provider. The mechanism includes a session information retrieval component which gathers session information such as encryption keys for each session that traverses a network element. The encryption keys may be used to decrypt data to make it available for lawful interception. A media stream monitoring component monitors media streams and verifies that the identified keys for each session are valid, to ensure continuity in compliance with LI regulations. Advantageously a security alert component may be used to controls further session operation for those sessions identified as potential security risks. With such an arrangement, the service provider can satisfy the legal requirement to provide interception, verify that the accuracy of the legal interception support and take appropriate steps to handle security risks.

20 Citations

View as Search Results

16 Claims

1. A method of obtaining session information in a network comprising a plurality of end-points coupled by at least one network element, the method comprising:
- establishing a secure communication channel with a first end-point by the at least one network element;
  
  forwarding session initiation requests and responses between the first end-point and the second end-point to establish a session for an exchange of media between the first end-point and the second end-point, the session having a characteristic;
  
  retrieving the characteristic of the session from the first end-point using the secure channel;
  
  storing the characteristic of the session, wherein the characteristic of the session is a key that is used to encrypt media of the session;
  
  periodically capturing blocks of media exchanged between the first end-point and the second end-point;
  
  attempting to decrypt the blocks of media using the key;
  
  analyzing the blocks of media for which decryption was attempted to determine whether the key provided by the first end-point is valid, wherein analyzing the blocks of media for which decryption was attempted to determine whether the key provided by the first end-point is valid includes analyzing the blocks of media for which decryption was attempted to determine whether the blocks of media for which decryption was attempted remain encrypted by employing a spectral analyzer separate from the first and second end-points to perform a randomness test on signal frequencies within the blocks of media to determine whether the blocks of media include random data; and
  
  logging information associated with the session if it is determined that the media remains encrypted after performing spectral analysis for use by legal interceptors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the characteristic of the session is associated with a manipulation of media data that is exchanged between the first end-point and the second end-point.
  - 3. The method of claim 2, wherein the manipulation of media data includes encryption of the media data, and wherein the characteristic is a key that is used to encrypt the media data.
  - 4. The method of claim 2, wherein the manipulation of media data includes translation of audio signals to digital signals, and wherein the characteristic is a codec associated with the media data.
  - 5. The method of claim 2, wherein the manipulation of media data includes compression of the media data, and wherein the characteristic identifies a type and degree of compression applied to the media data.
  - 6. The method of claim 1, wherein the step of forwarding requests and responses uses the Session Initiation Protocol.
  - 7. The method of claim 1, wherein the step of forwarding requests and responses uses the H.323 protocol.
  - 8. The method of claim 1, wherein the first end-point and second end-point communicate using a Voice over Internet Protocol network.
  - 9. The method according to claim 3, wherein the key is obtained via a negotiation between the first end-point, the second end-point and the network element.
  - 10. The method according to claim 3 wherein the key is obtained via a secure negotiation between the first end-point and the second end-point.
  - 11. The method of claim 1, wherein the step of analyzing includes performing at least one of a Chi Square spectral analysis, a Monobit analysis, a Poker analysis, a Runs analysis and a Long Runs analysis of the decrypted blocks of media.
  - 12. The method of claim 1, further including the steps of:
    - receiving a request from a legal interceptor for access to the session;
      
      forwarding characteristic information associated with the session to the legal interceptor.
  - 13. The method of claim 1, wherein the characteristic of the session includes codec information associated with the media, and wherein the method further includes the step of:
    - periodically capturing blocks of media exchanged between the first end-point and the second end-point; and
      
      processing the blocks of media using the codec and spectral analysis to determine whether the blocks of media are encrypted.

14. A network element comprising:
- at least one computer for;
  
  establishing a secure communication channel with a first end-point by the at least one network element;
  
  forwarding session initiation requests and responses between the first end-point and the second end-point to establish a session for an exchange of media between the first end-point and the second end-point, the session having a characteristic;
  
  retrieving the characteristic of the session from the first end-point using the secure channel;
  
  storing the characteristic of the session, wherein the characteristic of the session is a key that is used to encrypt media of the session;
  
  session sampling logic implemented by the at least one computer for periodically sampling media exchanged in the session between the first and second end-points; and
  
  analysis logic, coupled to the session sampling logic, for;
  
  monitoring media exchanged between the first and second end-points;
  
  determining whether the encryption methods used on the media are known, wherein determining whether encryption methods used on the media are known includes attempting to decrypt the media using the key and analyzing the media for which decryption was attempted to determine whether the media for which decryption was attempted remains encrypted by employing a spectral analyzer separate from the first and second end-points to perform a randomness test on signal frequencies within the media to determine whether the media includes random data; and
  
  marking sessions having unknown encryption methods as potential security risks,wherein the analysis logic further includes logging logic for logging session information of sessions determined to be at risk for use by legal interceptors.
- View Dependent Claims (15, 16)
- - 15. The network element of claim 14 further including notification logic for notifying legal interceptors of sessions identified to be potential security risks.
  - 16. The network element of claim 14, further comprising a key table for storing, for each session between each one of a plurality of end-points coupled to the network element, a value of a key used to encrypt media of the associated session, and wherein the analysis logic includes decryption logic for decrypting the periodically sampled media using the associated key and spectral analysis logic for determining whether the decrypted periodically sampled media remains encrypted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Genband US LLC (Ribbon Communications, Inc.)
Original Assignee
Genband US LLC (Ribbon Communications, Inc.)
Inventors
Lee, Michael
Primary Examiner(s)
Jagannathan, Melanie
Assistant Examiner(s)
Ansari, Najeebuddin

Application Number

US11/425,436
Publication Number

US 20070297418A1
Time in Patent Office

3,128 Days
Field of Search

370/395, 370/471, 370352-356, 380/30, 380/277, 380/275, 380/285, 380/286, 379/35, 379/32.01, 379/112.01, 379/213.01, 709224-227
US Class Current

379/35
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 63/00   Network architectures or ne...

H04L 63/04   for providing a confidentia...

H04L 63/06   for supporting key manageme...

H04L 63/30   for supporting lawful inter...

H04L 63/306   intercepting packet switche...

H04L 65/1083   In-session procedures

Method and apparatus for identifying and monitoring VoIP media plane security keys for service provider lawful intercept use

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for identifying and monitoring VoIP media plane security keys for service provider lawful intercept use

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links