Communication security

US 8,705,743 B2
Filed: 08/24/2006
Issued: 04/22/2014
Est. Priority Date: 08/25/2005
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a secure end-to-end communication channel for sending secure messages between a first device associated with a first communication network and a second device associated with a second communication network, and wherein at least one of the devices includes security data for generating such secure messages, the method comprising:

establishing a control plane connection between the first device and an IP-based Multimedia Subsystem (IMS) core of the first network, the control plane connection being protected by a security architecture;

securely establishing key information between the first device and a key management center (KMC) of the associated first network using the control plane connection and corresponding security architecture;

transmitting the key information from the KMC to the IMS core of the first network;

transmitting the key information from the IMS core to an IMS core of the second network; and

using the key information to establish a secure end-to-end communication channel between the first device and the second device for sending secure messages therebetween, the key information being usable to enable the first network core to interpret intercepted secure messages sent between the first and second devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The current IMS security architecture only protects data transmitted in the IMS control plane. Embodiments are described which provide end-to-end encryption of data transmitted in the IMS media plane but which also allow lawful interception and interpretation of such end-to-end communications under the control of the relevant IMS core (3A, 3B).

20 Citations

View as Search Results

19 Claims

1. A method of establishing a secure end-to-end communication channel for sending secure messages between a first device associated with a first communication network and a second device associated with a second communication network, and wherein at least one of the devices includes security data for generating such secure messages, the method comprising:
- establishing a control plane connection between the first device and an IP-based Multimedia Subsystem (IMS) core of the first network, the control plane connection being protected by a security architecture;
  
  securely establishing key information between the first device and a key management center (KMC) of the associated first network using the control plane connection and corresponding security architecture;
  
  transmitting the key information from the KMC to the IMS core of the first network;
  
  transmitting the key information from the IMS core to an IMS core of the second network; and
  
  using the key information to establish a secure end-to-end communication channel between the first device and the second device for sending secure messages therebetween, the key information being usable to enable the first network core to interpret intercepted secure messages sent between the first and second devices.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1, wherein the messages are sent in a media plane.
  - 3. The method according to claim 1, wherein at least one of the devices comprises a mobile cellular communications terminal.
  - 4. The method according to claim 1, wherein the key information comprises key means for decrypting communications sent from the first device to the second device over the media plane, the key means being sent over the control plane in encrypted form.

5. A communication network core for facilitating the establishment of a secure end-to-end communication session for sending secure messages on an IP-based Multimedia Subsystem (IMS) media plane between a first device and a second device, the first device being registered with the network core, and the second device being registered with another communication network core, the communication network core comprising:
- means for establishing a first control plane connection with the first device, the first control plane connection being protected by a security architecture;
  
  an IMS core configured to establish a second control plane connection with an IMS core of the other communication network;
  
  a key management center (KMC) configured to;
  
  securely establish a key E_KAbetween the communication network core and the first device using the first control plane connection and corresponding security architecture;
  
  establish a key E_KABbetween the communication network core and the other communication network core;
  
  decrypt an encrypted key E_KA(K1), received by the communication network core from the first device using the first control plane connection, using the key E_KAto determine a key K1; and
  
  encrypt the key K1 using the key E_KABto form an encrypted key E_KAB(K1) that is transmitted to the IMS core, the IMS being configured to transmit theencrypted key E_KAB(K1) to the IMS core of the other communication network core using the second control plane connection;
  
  means for establishing a media plane connection between the first device and the second device that allows the key K1 to be used to encrypt and decrypt secure messages sent between the first and second devices; and
  
  means for using the key K1, determined by the KMC, to interpret the secure messages sent between the first and second devices.

6. A method of securely communicating an end-to-end encryption and decryption key between a first device and a second device for data transmitted on an IP-based Multimedia Subsystem (IMS) media plane, the first device being registered with a first communication network and the second device being registered with a second communication network, the method comprising:
- establishing a key E_KAbetween the first device and a first key management center (KMC) of the first communication network;
  
  establishing a key E_KBbetween the second device and a second KMC of the second communication network;
  
  establishing a key E_KABbetween the first KMC and the second KMC;
  
  at the first device, generating an end-to-end key K1 and encrypting the key K1 using the key E_KAto form an encrypted key E_KA(K1);
  
  transmitting the encrypted key E_KA(K1) from the first device to the first KMC;
  
  at the first KMC, decrypting the encrypted key E_KA(K1) using the key E_KAto determine the key K1, and encrypting the key K1 using the key E_KABto form an encrypted key E_KAB(K1);
  
  transmitting the encrypted key E_KAB(K1) from the first communication network to the second communication network comprising;
  
  transmitting E_KAB(K1) from the first KMC to a first IMS core of the first communication network;
  
  transmitting E_KAB(K1) from the first IMS core to a second IMS core of the second communication network; and
  
  transmitting E_KAB(K1) from the second IMS core to the second KMC;
  
  at the second KMC, decrypting the encrypted key E_KAB(K1) using the key E_KABto determine the key K1, and encrypting the key K1 using the key E_KBto form an encrypted key E_KB(K1);
  
  transmitting the encrypted key E_KB(K1) from the second KMC to the second device; and
  
  at the second device, decrypting the encrypted key E_KB(K1) using the key E_KBto determine the key K1.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 7. The method recited in claim 6, wherein the method is performed using a control plane connection.
  - 8. The method recited in claim 6, wherein the method is integrated with call establishment signaling between the first device and the second device.
  - 9. The method recited in claim 6, wherein establishing the key E_KAbetween the first device and the first KMC comprises using a generic authentication architecture (GAA) procedure in which the first KMC acts as a network application function (NAF).
  - 10. The method according to claim 9 wherein the GAA procedure is used to authenticate the first device with the first communication network using authentication information, and establishing the key E_KAbetween the first device and the first KMC further comprises reusing the authentication information to derive the key E_KA.
  - 11. The method according to claim 10, wherein the authentication information used in the GAA procedure comprises authentication information stored on a Subscriber Identity Module-SIM associated with the first device.
  - 12. The method recited in claim 6, wherein establishing the key E_KBbetween the second device and the second KMC comprises using a generic authentication architecture (GAA) procedure in which the second KMC acts as a network application function (NAF).
  - 13. The method recited in claim 6, wherein transmitting the encrypted key E_KA(K1) from the first device to the first KMC comprises:
    - transmitting the encrypted key E_KA(K1) from the first device to the first IMS core; and
      
      transmitting E_KA(K1) from the first IMS core to the first KMC.
  - 14. The method recited in claim 6, wherein transmitting the encrypted key E_KB(K1) from the second KMC to the second device comprises:
    - transmitting E_KB(K1) from the second KMC to the second IMS core; and
      
      transmitting the encrypted key E_KB(K1) from the second IMS core to the second device.
  - 15. The method recited in claim 6, further comprising:
    - at the second device, generating an end-to-end key K2 and encrypting the key K2 using the key E_KBto form an encrypted key E_KB(K2);
      
      transmitting the encrypted key E_KB(K2) from the second device to the second KMC;
      
      at the second KMC, decrypting the encrypted key E_KB(K2) using the key E_KBto determine the key K2, and encrypting the key K2 using the key E_KABto form an encrypted key E_KAB(K2);
      
      transmitting the encrypted key E_KAB(K2) from the second communication network to the first communication network;
      
      at the first KMC, decrypting the encrypted key E_KAB(K2) using the key E_KABto determine the key K2, and encrypting the key K2 using the key E_KAto form an encrypted key E_KA(K2);
      
      transmitting the encrypted key E_KA(K2) from the first KMC to the first device; and
      
      at the first device, decrypting the encrypted key E_KA(K2) using the key E_KAto determine the key K2.
  - 16. A method of establishing a secure end-to-end communication channel for transmitting and receiving secure messages on an IP-based Multimedia Subsystem (IMS) media plane between a first device and a second device, the first device being registered with a first communication network and the second device being registered with a second communication network, the method comprising:
    - securely communicating end-to-end encryption and decryption keys between the first device and the second device as recited in claim 15;
      
      at the first device, encrypting data using the key K1 and transmitting the encrypted data to the second device on the IMS media plane;
      
      at the second device, receiving the encrypted data from the first device on the IMS media plane and using the key K1 to decrypt the data;
      
      at the second device, encrypting data using the key K2 and transmitting the encrypted data to the first device on the IMS media plane; and
      
      at the first device, receiving the encrypted data from the second device on the IMS media plane and using the key K2 to decrypt the data.
  - 17. A method of establishing a secure end-to-end communication channel for transmitting and receiving secure messages on an IP-based Multimedia Subsystem (IMS) media plane between a first device and a second device, the first device being registered with a first communication network and the second device being registered with a second communication network, the method comprising:
    - securely communicating an end-to-end encryption and decryption key between the first device and the second device as recited in claim 6;
      
      at the first device, encrypting data using the key K1 and transmitting the encrypted data to the second device on the IMS media plane; and
      
      at the second device, receiving the encrypted data from the first device on the IMS media plane and using the key K1 to decrypt the data.
  - 18. The method recited in claim 17, wherein a key recovery field is sent in a message on the IMS media plane from the first device to the second device, the key recovery field being usable by the first KMC to interpret the message.
  - 19. A method of interception and interpretation of secure messages transmitted on an IP-based Multimedia Subsystem (IMS) media plane between a first device and a second device, the first device being registered with a first communication network and the second device being registered with a second communication network, the method comprising:
    - establishing a secure end-to-end communication channel for transmitting and receiving secure messages between the first device and the second device as recited in claim 17; and
      
      at the first or second IMS core, using the key K1 determined at the respective first or second KMC to decrypt secure messages sent between the first and second devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vodafone Group PLC
Original Assignee
Vodafone Group PLC
Inventors
Howard, Peter Thomas
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US12/064,595
Publication Number

US 20090220091A1
Time in Patent Office

2,798 Days
Field of Search

380/277, 380/255, 713/171, 726/3
US Class Current

380/277
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/104   Grouping of entities

H04L 63/306   intercepting packet switche...

H04L 65/1016   IP multimedia subsystem [IMS]

H04L 9/0827   involving distinctive inter...

H04L 9/083   involving central third par...

H04W 80/10   adapted for application ses...

Communication security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Communication security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links