Method and apparatus for identifying and monitoring VoIP media plane security keys for service provider lawful intercept use
First Claim
1. A method of obtaining session information in a network comprising a plurality of end-points coupled by at least one network element, the method comprising:
- establishing a secure communication channel with a first end-point by the at least one network element;
- forwarding session initiation requests and responses between the first end-point and the second end-point to establish a session for an exchange of media between the first end-point and the second end-point, the session having a characteristic;
- retrieving the characteristic of the session from the first end-point using the secure channel;
- storing the characteristic of the session, wherein the characteristic of the session is a key that is used to encrypt media of the session;
- periodically capturing blocks of media exchanged between the first end-point and the second end-point;
- attempting to decrypt the blocks of media using the key;
- analyzing the blocks of media for which decryption was attempted to determine whether the key provided by the first end-point is valid, wherein analyzing the blocks of media for which decryption was attempted to determine whether the key provided by the first end-point is valid includes analyzing the blocks of media for which decryption was attempted to determine whether the blocks of media for which decryption was attempted remain encrypted by employing a spectral analyzer separate from the first and second end-points to perform a randomness test on signal frequencies within the blocks of media to determine whether the blocks of media include random data; and
- logging information associated with the session, if it is determined that the media remains encrypted after performing spectral analysis, for use by legal interceptors.
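The decrypt-then-randomness-test step of this claim, as an added worked example that is not part of the patent or of any product it describes: a constructed HMAC-based stream cipher stands in for the real media cipher, and a spectral flatness measure on the decrypted PCM plays the role of the "randomness test on signal frequencies". The key values, the 0.2 threshold and the sine-tone media block are all assumptions.

```python
import cmath, hashlib, hmac, math, struct

BLOCK = 256  # PCM samples per captured media block (16-bit mono)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Constructed stand-in for the media cipher: HMAC-SHA256 in counter mode
    # as a keystream XORed over the payload. Not SRTP; it only needs to make
    # "right key" and "wrong key" behave the way a stream cipher does.
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def power_spectrum(samples):
    # Plain DFT (no numpy): |X[k]|^2 / N for the positive-frequency bins.
    n = len(samples)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n)
                    for i, x in enumerate(samples))) ** 2 / n
            for k in range(n // 2)]

def spectral_flatness(samples) -> float:
    # Geometric mean / arithmetic mean of the power spectrum: close to 0 for
    # tonal or speech-like audio, roughly 0.5 for white noise, which is what
    # still-encrypted (or wrongly decrypted) bytes look like when read as PCM.
    spec = [p + 1e-12 for p in power_spectrum(samples)]
    geo = math.exp(sum(math.log(p) for p in spec) / len(spec))
    return geo / (sum(spec) / len(spec))

def block_looks_random(block: bytes, threshold: float = 0.2) -> bool:
    samples = struct.unpack("<%dh" % (len(block) // 2), block)
    return spectral_flatness(samples) >= threshold

def key_is_valid(key: bytes, captured_block: bytes) -> bool:
    # The claim's check: decrypt the captured block with the key the end-point
    # handed over, then test whether the result still looks like random data.
    return not block_looks_random(keystream_xor(key, captured_block))

def make_tone_block(cycles: int = 8, amplitude: int = 10000) -> bytes:
    # Constructed "media": one bin-aligned sine tone as 16-bit PCM.
    pcm = [int(round(amplitude * math.sin(2 * math.pi * cycles * i / BLOCK)))
           for i in range(BLOCK)]
    return struct.pack("<%dh" % BLOCK, *pcm)

def demo():
    real_key = b"constructed-session-key-from-endpoint"  # hypothetical value
    captured = keystream_xor(real_key, make_tone_block())  # block off the wire
    return key_is_valid(real_key, captured), key_is_valid(b"stale-key", captured)

if __name__ == "__main__":
    ok, bad = demo()
    print("end-point key valid:", ok, "| stale key valid:", bad)  # True False
```

A session whose captured blocks still score as random after decryption with the retrieved key is the case the claim logs as a risk; a monitor would also want to re-check after each re-key, since a valid key at call setup says nothing about later key changes.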
Abstract
A mechanism is described that enables encrypted end-point communications in a VoIP network to be accessed by a service provider. The mechanism includes a session information retrieval component which gathers session information, such as encryption keys, for each session that traverses a network element. The encryption keys may be used to decrypt data to make it available for lawful interception. A media stream monitoring component monitors media streams and verifies that the identified keys for each session are valid, to ensure continuity in compliance with LI regulations. Advantageously, a security alert component may be used to control further session operation for those sessions identified as potential security risks. With such an arrangement, the service provider can satisfy the legal requirement to provide interception, verify the accuracy of its lawful interception support, and take appropriate steps to handle security risks.
16 Claims
1. Independent claim; text as given above under First Claim. Dependent claims: 2 to 13.
14. A network element comprising:
- at least one computer for:
  - establishing a secure communication channel with a first end-point by the at least one network element;
  - forwarding session initiation requests and responses between the first end-point and the second end-point to establish a session for an exchange of media between the first end-point and the second end-point, the session having a characteristic;
  - retrieving the characteristic of the session from the first end-point using the secure channel;
  - storing the characteristic of the session, wherein the characteristic of the session is a key that is used to encrypt media of the session;
- session sampling logic implemented by the at least one computer for periodically sampling media exchanged in the session between the first and second end-points; and
- analysis logic, coupled to the session sampling logic, for:
  - monitoring media exchanged between the first and second end-points;
  - determining whether the encryption methods used on the media are known, wherein determining whether encryption methods used on the media are known includes attempting to decrypt the media using the key and analyzing the media for which decryption was attempted to determine whether the media for which decryption was attempted remains encrypted by employing a spectral analyzer separate from the first and second end-points to perform a randomness test on signal frequencies within the media to determine whether the media includes random data; and
  - marking sessions having unknown encryption methods as potential security risks, wherein the analysis logic further includes logging logic for logging session information of sessions determined to be at risk for use by legal interceptors.

Dependent claims: 15, 16.