Communication security
First Claim
1. A method of establishing a secure end-to-end communication channel for sending secure messages between a first device associated with a first communication network and a second device associated with a second communication network, and wherein at least one of the devices includes security data for generating such secure messages, the method comprising:
- establishing a control plane connection between the first device and an IP-based Multimedia Subsystem (IMS) core of the first network, the control plane connection being protected by a security architecture;
- securely establishing key information between the first device and a key management center (KMC) of the associated first network using the control plane connection and corresponding security architecture;
- transmitting the key information from the KMC to the IMS core of the first network;
- transmitting the key information from the IMS core to an IMS core of the second network; and
- using the key information to establish a secure end-to-end communication channel between the first device and the second device for sending secure messages therebetween, the key information being usable to enable the first network core to interpret intercepted secure messages sent between the first and second devices.
1 Assignment
0 Petitions
Abstract
The current IMS security architecture only protects data transmitted in the IMS control plane. Embodiments are described which provide end-to-end encryption of data transmitted in the IMS media plane but which also allow lawful interception and interpretation of such end-to-end communications under the control of the relevant IMS core (3A, 3B).
20 Citations
19 Claims
5. A communication network core for facilitating the establishment of a secure end-to-end communication session for sending secure messages on an IP-based Multimedia Subsystem (IMS) media plane between a first device and a second device, the first device being registered with the network core, and the second device being registered with another communication network core, the communication network core comprising:
- means for establishing a first control plane connection with the first device, the first control plane connection being protected by a security architecture;
- an IMS core configured to establish a second control plane connection with an IMS core of the other communication network;
- a key management center (KMC) configured to:
  - securely establish a key EKA between the communication network core and the first device using the first control plane connection and corresponding security architecture;
  - establish a key EKAB between the communication network core and the other communication network core;
  - decrypt an encrypted key EKA(K1), received by the communication network core from the first device using the first control plane connection, using the key EKA to determine a key K1; and
  - encrypt the key K1 using the key EKAB to form an encrypted key EKAB(K1) that is transmitted to the IMS core, the IMS core being configured to transmit the encrypted key EKAB(K1) to the IMS core of the other communication network core using the second control plane connection;
- means for establishing a media plane connection between the first device and the second device that allows the key K1 to be used to encrypt and decrypt secure messages sent between the first and second devices; and
- means for using the key K1, determined by the KMC, to interpret the secure messages sent between the first and second devices.
6. A method of securely communicating an end-to-end encryption and decryption key between a first device and a second device for data transmitted on an IP-based Multimedia Subsystem (IMS) media plane, the first device being registered with a first communication network and the second device being registered with a second communication network, the method comprising:
- establishing a key EKA between the first device and a first key management center (KMC) of the first communication network;
- establishing a key EKB between the second device and a second KMC of the second communication network;
- establishing a key EKAB between the first KMC and the second KMC;
- at the first device, generating an end-to-end key K1 and encrypting the key K1 using the key EKA to form an encrypted key EKA(K1);
- transmitting the encrypted key EKA(K1) from the first device to the first KMC;
- at the first KMC, decrypting the encrypted key EKA(K1) using the key EKA to determine the key K1, and encrypting the key K1 using the key EKAB to form an encrypted key EKAB(K1);
- transmitting the encrypted key EKAB(K1) from the first communication network to the second communication network, comprising:
  - transmitting EKAB(K1) from the first KMC to a first IMS core of the first communication network;
  - transmitting EKAB(K1) from the first IMS core to a second IMS core of the second communication network; and
  - transmitting EKAB(K1) from the second IMS core to the second KMC;
- at the second KMC, decrypting the encrypted key EKAB(K1) using the key EKAB to determine the key K1, and encrypting the key K1 using the key EKB to form an encrypted key EKB(K1);
- transmitting the encrypted key EKB(K1) from the second KMC to the second device; and
- at the second device, decrypting the encrypted key EKB(K1) using the key EKB to determine the key K1.

Dependent claims: 7 to 19.
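The key relay of claim 6 (and the interception capability of claim 5) is easier to reason about when run end to end. The following is an added example, not code from the patent or its assignee: it models the four parties and the two IMS cores as plain function calls, relays K1 exactly along the hop sequence the claim lists, and then checks which parties can interpret media-plane traffic afterwards. The patent names no cipher, so `wrap`/`unwrap` are a constructed HMAC-SHA256 encrypt-then-MAC stand-in for E_K(.), and the key values, message text and function names are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the claim's E_K(.) primitive. The patent specifies no
# cipher; this toy encrypt-then-MAC scheme uses only the standard library.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """E_key(plaintext): fresh nonce, XOR with a keystream, HMAC tag over nonce||ct."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap; raises ValueError if the tag fails (wrong key or tampering)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def relay_k1(k1: bytes, eka: bytes, ekab: bytes, ekb: bytes) -> dict:
    """Carry K1 from device A to device B via KMC_A, IMS_A, IMS_B and KMC_B (claim 6).

    Returns what each party holds afterwards so the escrow property can be inspected.
    """
    # Device A: K1 -> EKA(K1), sent to KMC_A over the protected control plane.
    eka_k1 = wrap(eka, k1)

    # KMC_A: recover K1 with EKA, re-wrap it under the inter-network key EKAB.
    k1_at_kmc_a = unwrap(eka, eka_k1)
    ekab_k1 = wrap(ekab, k1_at_kmc_a)

    # IMS_A -> IMS_B: the cores only forward EKAB(K1); they hold neither EKAB nor K1.
    seen_by_ims = ekab_k1

    # KMC_B: recover K1 with EKAB, re-wrap it under EKB for device B.
    k1_at_kmc_b = unwrap(ekab, ekab_k1)
    ekb_k1 = wrap(ekb, k1_at_kmc_b)

    # Device B: recover K1 with EKB.
    k1_at_b = unwrap(ekb, ekb_k1)

    return {"device_b": k1_at_b, "kmc_a": k1_at_kmc_a,
            "kmc_b": k1_at_kmc_b, "ims_saw": seen_by_ims}


def run_session() -> dict:
    """Relay K1, send one media-plane message under it, and report who can read what."""
    eka, ekb, ekab = os.urandom(32), os.urandom(32), os.urandom(32)  # constructed keys
    k1 = os.urandom(32)                                             # generated at device A
    held = relay_k1(k1, eka, ekab, ekb)

    media = b"media-plane payload (constructed)"
    ciphertext = wrap(k1, media)  # device A sends on the media plane under K1

    # Interception point of claim 5: KMC_A determined K1 and can interpret the traffic.
    kmc_a_reads = unwrap(held["kmc_a"], ciphertext)

    # An IMS core that forwarded EKAB(K1) holds no key that opens it; a guessed key fails.
    try:
        unwrap(os.urandom(32), held["ims_saw"])
        ims_opened = True
    except ValueError:
        ims_opened = False

    return {
        "b_has_k1": held["device_b"] == k1,
        "b_reads_media": unwrap(held["device_b"], ciphertext) == media,
        "kmc_a_reads_media": kmc_a_reads == media,
        "kmc_b_has_k1": held["kmc_b"] == k1,
        "ims_core_opened_wrapped_key": ims_opened,
    }


if __name__ == "__main__":
    for name, value in run_session().items():
        print(f"{name}: {value}")
```

The run makes the design trade-off of the abstract concrete: the media plane is encrypted end to end against the IMS cores and anyone on the path, but K1 exists in the clear inside both KMCs, so each KMC is a deliberate escrow point. For a defender this means the KMC, its key store for EKA/EKB/EKAB, and the control-plane security architecture that protects EKA(K1) in transit are the assets whose compromise exposes every session keyed through them, and their access and audit logging deserve the same scrutiny as the interception function itself.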
Specification