Passive system for recovering cryptography keys

US 8,675,863 B2
Filed: 12/22/2009
Issued: 03/18/2014
Est. Priority Date: 12/22/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A system for use in collecting and decrypting encrypted wireless signals in a wireless communications network (WCN), comprising:

a first passive probe installed on a first interface and configured to monitor messaging possessing encryption keys;

a second passive probe, wherein the second passive probe comprises a wireless network monitor (WNM) configured to monitor transmissions between a WCN base station and a mobile device; and

a correlation processor operatively coupled to the first and second probes and configured to compare information received by each probe and to determine the encryption key as a result of the comparison, wherein the encryption key is useful to decrypt transmissions between the mobile device and the WCN base station;

wherein the correlation processor is configured to compare a challenge parameter and a challenge response parameter, and to find an encryption vector with the same challenge parameter and challenge response parameter, wherein the encryption vector contains the challenge parameter, the challenge response parameter and the encryption key for the mobile device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Modern cellular wireless communications providers strive to keep their network and subscribers secure through various means. The identity of the subscriber may be obfuscated through the use of a temporary identifier for most network transactions including signaling events, voice calls, SMS messages and data sessions. A subscriber'"'"'s unique identity may only be transmitted over the air in an encrypted form. Similarly, the content of voice calls, SMS messages and data sessions may also be encrypted when transmitted over the air and even when transferred over internal network interfaces. However, the use of encryption presents significant challenges for law enforcement communities when court ordered lawful intercept is required to monitor and locate subscribers utilizing the wireless networks for illegal and/or terrorist purposes. A technique to aid in the determination of a subscriber'"'"'s unique wireless identity and the decryption of encrypted signals would be very useful for lawful intercept. In this document we describe an architecture and technique to aid in the decryption of encrypted wireless signals for lawful intercept by determining the current encryption key. It may also be used to decrypt encrypted signals on internal interfaces of the wireless and wireline networks.

16 Citations

View as Search Results

16 Claims

1. A system for use in collecting and decrypting encrypted wireless signals in a wireless communications network (WCN), comprising:
- a first passive probe installed on a first interface and configured to monitor messaging possessing encryption keys;
  
  a second passive probe, wherein the second passive probe comprises a wireless network monitor (WNM) configured to monitor transmissions between a WCN base station and a mobile device; and
  
  a correlation processor operatively coupled to the first and second probes and configured to compare information received by each probe and to determine the encryption key as a result of the comparison, wherein the encryption key is useful to decrypt transmissions between the mobile device and the WCN base station;
  
  wherein the correlation processor is configured to compare a challenge parameter and a challenge response parameter, and to find an encryption vector with the same challenge parameter and challenge response parameter, wherein the encryption vector contains the challenge parameter, the challenge response parameter and the encryption key for the mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A system as recited in claim 1, wherein said first interface is between a mobile switching center (MSC) or visitor location register (VLR) and a home location register (HLR) or authentication center (AuC).
  - 3. A system as recited in claim 1, wherein the system is configured to determine encryption keys of the WCN in accordance with at least one of:
    - Global System for Mobility (GSM), Universal Mobile Telephone System (UMTS), and Long Term Evolution (LTE).
  - 4. A system as recited in claim 1, wherein the first passive probe comprises a passive tap for obtaining a replica of signal voltages on the first interface;
    - a buffer memory for buffering replica signals;
      
      a central processor; and
      
      an outbound communications interface;
      
      wherein the central processor is configured to parse signals and pass them out through the outbound communications interface to the correlation processor.
  - 5. A system as recited in claim 4, wherein the passive tap comprises a digital access and cross-connect system (DACS).
  - 6. A system as recited in claim 1, wherein the second passive probe comprises a radio network monitor (RNM).
  - 7. A system as recited in claim 6, wherein the RNM comprises:
    - a digital uplink receiver and a digital downlink receiver;
      
      buffer memory coupled to each of the digital uplink and downlink receivers, wherein digital outputs of the uplink and downlink receivers interface to the buffer memory for storage of signals to accommodate for latency in determining the encryption key; and
      
      first and second signal processors coupled to the buffer memory, wherein at least one of the signal processors performs digital signal processing functions on the uplink and downlink signals received, said functions including at least in-phase and quadrature detection, down-conversion to baseband, filtering, fine tuning, detection and demodulation of the received signals for recovery of parameters for use in correlation in the correlation processor.
  - 8. A system as recited in claim 7, wherein at least one of the signal processors further performs decryption of encrypted signals with the encryption key from the correlation processor.
  - 9. A system as recited in claim 7, wherein the RNM further comprises a timing receiver configured to provide a time and frequency reference as well as the location of the RNM as latitude and longitude values.
  - 10. A system as recited in claim 1, wherein the correlation processor comprises:
    - a first communications interface;
      
      a first buffer memory coupled to the first communications interface;
      
      a second communications interface;
      
      a second buffer memory coupled to the second communications interface;
      
      a central processor coupled to the first and second buffer memories; and
      
      a third communications interface coupled to the central processor;
      
      wherein the correlation processor is configured to;
      
      receive signals from the first passive probe via the first communications interface;
      
      receive signals from the second passive probe via the second communications interface; and
      
      based on the received signals, determine a current encryption key for the mobile device.
  - 11. A system as recited in claim 10, wherein the correlation processor is configured to take data from each buffer memory, to compare a challenge parameter and a challenge response parameter, and to find an encryption vector with the same challenge parameter and challenge response parameter, wherein the encryption vector contains the challenge parameter, the challenge response parameter and the encryption key for the mobile device.
  - 12. A system as recited in claim 11, wherein the central processor is further configured to provide at least one of a unique identity and a temporary identity of the mobile device.
  - 13. A system as recited in claim 10, wherein the correlation processor is configured to take data from each buffer memory, to compare a challenge response parameter, and to find an encryption vector with the same challenge response parameter, wherein the encryption vector contains the challenge parameter, the challenge response parameter and the encryption key for the mobile device.
  - 14. A system as recited in claim 13, wherein the central processor is further configured to provide information including cellular location and channel information for tuning of network-based wireless location system receivers.
  - 15. A system as recited in claim 1, wherein:
    - the first interface is between a mobile switching center (MSC) or visitor location register (VLR) and a home location register (HLR) or authentication center (AuC);
      
      the system is configured to determine encryption keys of the WCN in accordance with at least one of;
      
      Global System for Mobility (GSM), Universal Mobile Telephone System (UMTS), and Long Term Evolution (LTE);
      
      the first passive probe comprises a passive tap for obtaining a replica of signal voltages on the first interface;
      
      a buffer memory for buffering replica signals;
      
      a central processor; and
      
      an outbound communications interface;
      
      wherein the central processor is configured to parse signals and pass them out through the outbound communications interface to the correlation processor; and
      
      wherein the passive tap comprises a digital access and cross-connect system (DACS) external to the first passive probe;
      
      the second passive probe comprises a radio network monitor (RNM), and wherein the RNM comprises;
      
      a digital uplink receiver and a digital downlink receiver;
      
      buffer memory coupled to each of the digital uplink and downlink receivers, wherein digital outputs of the uplink and downlink receivers interface to the buffer memory for storage of signals to accommodate for latency in determining the encryption key; and
      
      first and second signal processors coupled to the buffer memory, wherein at least one of the signal processors performs digital signal processing functions on the uplink and downlink signals received, said functions including at least in-phase and quadrature detection, down-conversion to baseband, filtering, fine tuning, detection and demodulation of the received signals for recovery of parameters for use in correlation in the correlation processor; and
      
      wherein at least one of the signal processors further performs decryption of encrypted signals with the encryption key from the correlation processor; and
      
      wherein the RNM further comprises a timing receiver configured to provide a time and frequency reference as well as the location of the RNM as latitude and longitude values; and
      
      the correlation processor comprises;
      
      a first communications interface;
      
      a first buffer memory coupled to the first communications interface;
      
      a second communications interface;
      
      a second buffer memory coupled to the second communications interface;
      
      a central processor coupled to the first and second buffer memories; and
      
      a third communications interface coupled to the central processor;
      
      wherein the correlation processor is configured to;
      
      receive signals from the first passive probe via the first communications interface;
      
      receive signals from the second passive probe via the second communications interface; and
      
      based on the received signals, determine a current encryption key for the mobile device; and
      
      wherein the correlation processor is configured to take data from each buffer memory, to compare a challenge parameter and a challenge response parameter, and to find an encryption vector with the same challenge parameter and challenge response parameter, wherein the encryption vector contains the challenge parameter, the challenge response parameter and the encryption key for the mobile device;
      
      wherein the central processor is further configured to provide at least one of a unique identity and temporary identity of the mobile device; and
      
      wherein the central processor is further configured to provide information including cellular location and channel information for tuning of network-based wireless location system receivers.
  - 16. A system as recited in claim 1, wherein:
    - the first interface is between a mobile switching center (MSC) or visitor location register (VLR) and a home location register (HLR) or authentication center (AuC);
      
      the system is configured to determine encryption keys of the WCN in accordance with at least one of;
      
      Global System for Mobility (GSM), Universal Mobile Telephone System (UMTS), and Long Term Evolution (LTE);
      
      the first passive probe comprises a passive tap for obtaining a replica of signal voltages on the first interface;
      
      a buffer memory for buffering replica signals;
      
      a central processor; and
      
      an outbound communications interface;
      
      wherein the central processor is configured to parse signals and pass them out through the outbound communications interface to the correlation processor; and
      
      wherein the passive tap comprises a digital access and cross-connect system (DACS) external to the first passive probe;
      
      the second passive probe comprises a radio network monitor (RNM), and wherein the RNM comprises;
      
      a digital uplink receiver and a digital downlink receiver;
      
      buffer memory coupled to each of the digital uplink and downlink receivers, wherein digital outputs of the uplink and downlink receivers interface to the buffer memory for storage of signals to accommodate for latency in determining the encryption key; and
      
      first and second signal processors coupled to the buffer memory, wherein at least one of the signal processors performs digital signal processing functions on the uplink and downlink signals received, said functions including at least in-phase and quadrature detection, down-conversion to baseband, filtering, fine tuning, detection and demodulation of the received signals for recovery of parameters for use in correlation in the correlation processor; and
      
      wherein at least one of the signal processors further performs decryption of encrypted signals with the encryption key from the correlation processor; and
      
      wherein the RNM further comprises a timing receiver configured to provide a time and frequency reference as well as the location of the RNM as latitude and longitude values; and
      
      the correlation processor comprises;
      
      a first communications interface;
      
      a first buffer memory coupled to the first communications interface;
      
      a second communications interface;
      
      a second buffer memory coupled to the second communications interface;
      
      a central processor coupled to the first and second buffer memories; and
      
      a third communications interface coupled to the central processor;
      
      wherein the correlation processor is configured to;
      
      receive signals from the first passive probe via the first communications interface;
      
      receive signals from the second passive probe via the second communications interface; and
      
      based on the received signals, determine a current encryption key for the mobile device; and
      
      wherein the correlation processor is configured to take data from each buffer memory, to compare a challenge response parameter, and to find an encryption vector with the same challenge response parameter, wherein the encryption vector contains the challenge response parameter and the encryption key for the mobile device;
      
      wherein the central processor is further configured to provide at least one of a unique identity and temporary identity of the mobile device; and
      
      wherein the central processor is further configured to provide information including cellular location and channel information for tuning of network-based wireless location system receivers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Skyhook Holding, Inc. (Liberty Broadband Corp.)
Original Assignee
TruePosition Incorporated
Inventors
Anderson, Robert J.
Primary Examiner(s)
HENNING, MATTHEW T

Application Number

US12/645,123
Publication Number

US 20110150211A1
Time in Patent Office

1,547 Days
Field of Search

380/1
US Class Current

380/1
CPC Class Codes

H04L 63/30   for supporting lawful inter...

H04W 12/033   of the user plane, e.g. use...

H04W 12/037   of the control plane, e.g. ...

H04W 12/041   Key generation or derivation

H04W 12/80   Arrangements enabling lawfu...

Passive system for recovering cryptography keys

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Passive system for recovering cryptography keys

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links