GB2390270A - Escrowing with an authority only part of the information required to reconstruct a decryption key - Google Patents


Info

Publication number: GB2390270A
Authority: GB (United Kingdom)
Application number: GB0214911A
Other versions: GB0214911D0 (en)
Inventors: Iikka Mikael Uusitalo, Pasi Matti Kalevi Ahonen
Assignee (original and current): Telefonaktiebolaget LM Ericsson AB
Legal status: Pending
Prior art keywords: key, session, node, terminal, traffic


Classifications

    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage (under H04L 9/08 Key distribution or management; H04L 9/00 Cryptographic mechanisms or arrangements for secret or secure communications)
    • H04L 9/0841 Key agreement involving Diffie-Hellman or related key agreement protocols (under H04L 9/0838 Key agreement; H04L 9/0816 Key establishment)
    • H04L 63/0428 Network security protocols providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L 63/04; H04L 63/00)
    • H04L 63/061 Network security protocols supporting key management in a packet data network, for key exchange, e.g. in peer-to-peer networks (under H04L 63/06; H04L 63/00)
    • H04L 63/30 Network security protocols supporting lawful interception, monitoring or retaining of communications or communication related information (under H04L 63/00)
    • H04L 65/765 Media network packet handling intermediate (under H04L 65/75 Media network packet handling; H04L 65/60 Network streaming of media packets; H04L 65/00 Real-time applications in data packet communication)
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII] (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic (under H04W 12/03 Protecting confidentiality, e.g. by encryption; H04W 12/00)
    • H04W 12/80 Arrangements enabling lawful interception [LI] (under H04W 12/00)
    • H04L 2209/80 Wireless (under H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or arrangements for secret or secure communication, H04L 9/00)

Abstract

The present invention facilitates the legal interception of an encrypted IP session between two or more terminals 12, 13. A terminal 12 and its GGSN node 5 share a first input key component, however a second input key component is known only to the terminal 12. The terminal generates a key by applying a pseudo-random function (PRF), such as a keyed hash, to the first and second key input components. The key may be directly or indirectly used by the terminal to encrypt and decrypt messages. The node 5 effectively acts as an escrow authority which has only part of the information required to reconstruct the key. However the key may be reconstructed by the node (or an entity authorised to access the node) in a brute force / plain text exhaustive attack, in which all possible values of the second key input component are tried. The terminal may be required to send to the node a clear text and encrypted version of the same message to help in the reconstruction of the key. In one embodiment the first key input component is generated at both the terminal and the node by applying the PRF to a seed value exchanged between the two terminals and to a previously stored secret value shared by the terminal and the node.

Description

LEGAL INTERCEPTION OF IP TRAFFIC

Field of the Invention

The present invention relates to a method and apparatus for facilitating legal interception of IP traffic.
Background to the Invention
It is now possible to establish various forms of connection over the Internet including data connections as well as voice and video telephony connections. As the speed and extent of the Internet increases, the use of voice and video telephony can be expected to grow. Whilst current technology tends to restrict IP multimedia sessions to computer terminals coupled to the Internet, tomorrow's technology will provide for IP multimedia sessions between small dedicated telephony terminals, and other mobile devices such as PDAs, palmtop computers etc. In order to allow such devices to gain widespread acceptance, a key issue which must be addressed is that of security. The two main security concerns are the avoidance of unauthorized eavesdropping, and the need to authenticate terminals involved in a communication (i.e. to ensure that the terminal which a "subscriber" connects to is the terminal which the subscriber intends to connect to and vice versa). However, these concerns are not unique to IP multimedia, and are common to many different forms of IP communication. Several protocols exist for securing data traffic using encryption and/or authentication.
One such security protocol is known as IPSec (IETF RFC2401). In order to allow IPSec packets to be properly encapsulated and decapsulated it is necessary to associate security services and a key between the traffic being transmitted and the remote node which is the intended recipient of the traffic. The construct used for this purpose is a "Security Association" (SA). A second security protocol is known as SRTP (Secure Real-Time Protocol) - see draft-ietf-avt-srtp-02.txt (available at http://search.ietf.org/internet-drafts/draft-ietf-avt-srtp-02.txt). It is expected that the third generation mobile network architecture known as 3GPP will adopt SRTP as the protocol for securing IP traffic, in particular to secure real time user data, such as speech. It is expected that IPSec will also be used, for example to protect signalling between networks. Of course, other protocols may be used in other mobile network architectures.

In the Internet draft "draft-ietf-msec-mikey-00.txt" (available from http://search.ietf.org/internet-drafts/draft-ietf-msec-mikey-00.txt), a key management scheme known as Multimedia Internet KEYing (MIKEY) is described for use in real time applications. The scheme provides for the creation of a Security Association (SA) and the distribution of a Pre-Master Key (PMK). The PMK is used to derive a Traffic Encrypting Key (TEK) for each crypto session. More specifically, the TEK is used as the key input to the chosen security protocol, e.g. SRTP for 3GPP, or IPSec.
Traditional circuit switched telephone networks make provision for the legal interception of telephone calls. Such interception must be instigated by the appropriate authorities and is an important weapon against fraud and other crimes. Understandably, it is desirable to make provision for the legal interception of IP sessions (whether pure data, VoIP, video, etc). However, this presents a potential problem as the IP security protocols which will be used have been designed to provide terminal-to-terminal security involving strong encryption.
If the MIKEY proposal is implemented, security mechanisms will rely upon the use of a Pre-Master Key (PMK) which is agreed upon by the parties to an IP session. The PMK may be proposed by the initiator of the session and accepted (or rejected) by the responder, or may be generated using values exchanged between the parties to the session. The agreement of the PMK forms part of an IP Multi-Media key management function. Following the agreement of the PMK, the Multi-Media key management function may encrypt the PMK with a secret which it shares with the responder, or with the public key of the responder, or the initiator may calculate a Diffie-Hellman modular exponentiation using the PMK as an exponent. It will be appreciated that in order to intercept traffic associated with that session, a third party must have knowledge of the PMK.

An arrangement which allows the operator to have knowledge of the PMK is described in British patent application no. 0129339.8. Typically, when a subscriber registers with the operator of a 3GPP network, he or she receives a Subscriber Identity Module (SIM) card on which is stored a unique International Mobile Subscriber Identity (IMSI) code.
In addition to the IMSI it is proposed in application no. 0129339.8 that a secret key is also stored on the SIM card. This key is known only to the network operator and to the user (or rather to the user's SIM card) and a copy of the key is stored in a database 14 attached to the GGSN 5,8 of the subscriber's home network. Also stored on the subscriber's SIM card (or possibly in a memory of the subscriber's UE) and in the GGSN 5,8 is a pseudo-random function such as a keyed hash (or MAC, Message Authentication Code) such as SHA-1 or MD5, or an encryption function such as an AES or DES function.
When an IP session is initiated, a seed value is exchanged between the subscriber's terminal and the operator. The pseudo-random function is applied to the key and the seed value at both the terminal and the operator to generate a pre-master key (PMK), which becomes known to each of the terminals involved in the IP session and to the operator. The pre-master key is then used (directly or indirectly) to encrypt and decrypt traffic associated with the session.
This arrangement has the result that the operator can decrypt all IP traffic in the session. In theory, it will only do so if mandated to do so by a law enforcement agency.

However, there exists the possibility that the decryption key could fall into the wrong hands, for example during the exchange process with the operator. The fact that the operator retains a decryption key for exchange between two terminals always leaves open the possibility that interception could be carried out by a third party not mandated to do so by a law enforcement agency. It would be desirable to reduce the risk of this occurring. Furthermore, if the decryption key is obtained by an unauthorized third party it would be desirable to limit the time for which that third party could decrypt traffic.
Summary of the Invention

It is an object of the present invention to reduce the probability of unauthorised interception of an IP session, while still allowing the possibility of a legal interception.
According to a first aspect of the present invention there is provided a method of facilitating the legal interception of a session between two or more terminals, wherein said session uses encryption to secure traffic, the method comprising: storing or generating a first key input component at one of said terminals and at a node within a network through which said session is conducted; storing or generating a second key input component at that terminal; applying the first and second key input components as inputs to a pseudo-random function at the terminal to generate a key; and directly or indirectly using said key to encrypt and decrypt traffic associated with said session.
Thus the network node does not have all the information necessary to allow it to easily generate the key. However, since the first key input component and pseudo-random function are known to the node, it is possible for it to determine the key by a brute force approach. Unauthorised third parties are unlikely to have sufficient computational resources to generate the key by a brute force approach, and it is made even more difficult for them if they do not know the first key input component or pseudo-random function. A pseudo-random function is usually a one-way function, i.e. the input to such a function cannot be deduced from its output.
Thus the key may be determined at the network node from the first key input component, preferably using a plain text attack. This may involve determining possible second key input components at the network node and applying the pseudo-random function to the first key input component and the possible second key input components at the network node to determine the key.
In order to give the node material for the plain text attack, the terminal preferably sends the same message twice to the node, once in plain text and once encrypted using the key. The second key input component may be a randomly generated value. Alternatively, the second key input component may be a parameter associated with the cryptographic session (e.g. a crypto session ID) or with some other function/operation.
The step of generating a key is preferably carried out each time a new session is to be created. More preferably, this step is carried out for every session regardless of whether or not legal interception is required.
Preferably, the terminal at which a key is generated is the terminal which initiates the session. Preferably, the key is used by the terminals involved in the session to generate one or more traffic encryption keys. The traffic encryption key(s) is (are) used to encrypt the traffic associated with the IP session.
Preferably, said network is a mobile telecommunications network, and the terminal is a mobile wireless terminal. The network is typically the home network of that terminal, although this need not be the case.
In order to further increase security, a shared key value is preferably stored at the terminal and at the node. Prior to the creation of said session, a seed value is preferably exchanged between the terminal and the node. The step of generating the first key input component at the terminal and at the node may then include applying the pseudo-random function to the shared key value and the seed value. This allows a new first key input component to be determined for each session.
The shared key may be changed over time, the changes at the terminal and the node being synchronized.
The session may be an IP session, with data and traffic associated with the session being IP data and IP traffic respectively.
According to a second aspect of the present invention there is provided a method of intercepting a session set up using the method of the above first aspect, the method comprising intercepting data associated with said session at said network node or at another node coupled to that network node, and directly or indirectly using the key to decrypt the encrypted traffic.
In one embodiment of the second aspect of the invention, the key or a traffic encryption key (or keys) is sent to an external node and the encrypted traffic is forwarded to that node from the network node for decryption. In an alternative embodiment, traffic is intercepted at said network node and is forwarded to a node outside of the network following decryption.
According to a third aspect of the present invention there is provided a terminal for conducting an encrypted session with one or more other terminals, the terminal comprising: a memory for storing a first key input component allocated to the terminal or to a subscriber using the terminal; means for generating a second key input component; means for applying a pseudo-random function to the key at the terminal to generate a key; and means for directly or indirectly using the key to encrypt and decrypt traffic associated with said session.
According to a fourth aspect of the present invention there is provided a network node for use in intercepting encrypted traffic associated with a session conducted between two or more terminals coupled to a communications network, the node comprising: a memory storing first key input components allocated to terminals or subscribers registered with the network; means for generating possible second key input components; means for applying a pseudo-random function to first key input components and possible second key input components to generate a key; and means for directly or indirectly using said key to decrypt traffic associated with said session which is intercepted by the node.
According to a fifth aspect of the present invention there is provided a method of facilitating the legal interception of a session between two or more terminals, wherein said session uses encryption to secure traffic, the method comprising: establishing a secure connection between at least one of said terminals and a node within a network through which said session is conducted; generating an input key utilising the secure connection between the terminal and the network node; using at least part of the input key at the terminal in a key generation process with other terminals for generating an encryption key; and directly or indirectly using said encryption key to encrypt and decrypt traffic associated with said session.
Brief Description of the Drawings
Figure 1 illustrates schematically a communications network for enabling an IP session to be established between two mobile terminals;
Figure 2 shows first and second key input components;
Figure 3 shows the signalling involved with Legal Interception; and
Figure 4 is a flow diagram illustrating a method of intercepting an IP session.
Detailed Description of a Preferred Embodiment

There is illustrated in Figure 1 a communications system comprising a mobile telecommunications network 1 which for the purpose of this discussion is assumed to be a 3GPP (or UMTS) network. Within the 3GPP network 1 are a UMTS Terrestrial Radio Access Network (UTRAN) 2 and a GPRS network 3. The GPRS network comprises one or more Serving GPRS Support Nodes (SGSNs) 4 and one or more Gateway GPRS Support Nodes (GGSNs) 5. The role of the SGSN 4 is to maintain subscription data (identities and addresses) and to track the location of user equipment (UE) within the network. The role of the GGSN 5 is to maintain subscription information and allocated IP addresses and to track the SGSN 4 to which UEs are attached.

Figure 1 also illustrates a second mobile telecommunications network 6 which is also assumed to be a 3GPP network. This network also comprises SGSNs 7 and GGSNs 8 forming part of a GPRS network 9, and a UTRAN 10. The two GGSNs 5,8 are both coupled to an IP network 11. Two UEs 12,13 are attached to the first and second networks 1,6 respectively. 3GPP provides UEs with an "always connected" service such that as long as UEs are registered with a network (home or visited) they are allocated IP addresses and can receive and send data without the need for a connection to be established. A protocol such as Session Initiation Protocol (SIP) may be used to establish a multimedia session between the two UEs 12,13 of Figure 1. Within the GPRS networks 3,9 it is the GGSNs 5,8 which implement the policy of the network operator, e.g. which subscribers can access which services, subscriber priorities, etc.

Typically, when a subscriber registers with the operator of a 3GPP network, he or she receives a Subscriber Identity Module (SIM) card on which is stored a unique International Mobile Subscriber Identity (IMSI) code. In addition to the IMSI it is proposed here that a secret key k is also stored on the SIM card. This key is known only to the network operator and to the user (or rather to the user's SIM card) and a copy of the key is stored in a database 14 attached to the GGSN 5,8 of the subscriber's home network.

Also stored on the subscriber's SIM card (or possibly in a memory of the subscriber's UE) and in the GGSN 5,8 is a pseudo-random function such as a keyed hash (or MAC, Message Authentication Code) such as SHA-1 or MD5.
For the reasons set out above, it may be necessary to intercept an IP session between the two UEs 12,13. Interception is carried out as follows.
Assume that an IP multimedia session is initiated by a first of the UEs 12. The UE 12 sends a SIP Invite message to the GGSN 5 to which it is attached. The SIP Invite message identifies both the initiating UE 12 and the responding UE - in this case UE 13. At this stage, the GGSN 5 places the session initiation on hold, and inspects the local database 14 to see if it holds a key for the initiating UE 12. If no key is contained in the database 14, the session initiation is not allowed to continue and a notification message may be returned to the UE 12. If on the other hand a key is held for the UE 12, the GGSN 5 generates a random number or "nonce" and returns this to the UE 12. The nonce need not be secured (i.e. encrypted) for transmission to the UE 12. Both the UE 12 and the GGSN 5 then compute a shared key input component, k_m, by applying the pseudo-random function to the shared key and the nonce, i.e. k_m = PRF(k, nonce).
The UE 12 then generates a second random number and from this computes a Pre-Master Key (PMK), by applying the pseudo-random function a second time to the shared key input component k_m and the second random number. Alternatively a second pseudo-random function may be applied to the shared key input component k_m and the second random number to compute the PMK.
If the call is to be intercepted, the PMK must also be determined at the GGSN 5 to which the originating UE 12 is attached. Since the GGSN 5 has access to the key input component k_m, but not to the second random number generated by the originating UE 12, it will not be in a position to generate the PMK directly using the pseudo-random function in the same way as the UE 12. Instead a "plain text" or brute force approach must be used by the GGSN 5 to determine the PMK, and for this it needs a sample of text encrypted using the PMK.
The UE 12 sends a short message in plain text, and the same message encrypted using the PMK, to the GGSN 5. The GGSN 5 attempts to determine the PMK by entering the key input component k_m into the pseudo-random function, together with a locally generated number, to determine a possible PMK. The GGSN 5 then encrypts the plain text message received from the UE 12 using the possible PMK, and compares the result with the encrypted message received from the UE 12. If there is no match, the process is repeated as often as necessary, using a different locally generated number as the input to the pseudo-random function each time, until there is a match between the message encrypted using the possible PMK and the encrypted message received from the UE 12. This indicates to the GGSN 5 that it now knows the real PMK as determined by the UE 12.

Once the PMK has been established, the GGSN 5 routes the SIP message to the home network 6 of the responding UE 13 via an IP Multimedia Core Network Subsystem (not shown in Figure 1). The SIP Invite message is received by the responding UE 13 via the GGSN 8 to which it is connected. Assuming that the responding UE 13 chooses to accept the session setup request, phase 1 of the SRTP is initiated. This requires that the UE 12 send to the UE 13 the PMK which has been established by the UE 12 and the GGSN 5. The PMK may be encrypted with a secret shared between the UEs 12,13 or with the public key of the responding UE 13 (SRTP does not specify how the PMK should be exchanged or negotiated, it only requires that a common, secret PMK must be known to the parties). Alternatively the PMK could be used as the secret exponent in a Diffie-Hellman exchange to determine a further PMK. In any of these cases, the result is that the UEs 12,13 and the GGSN 5 to which the originating UE 12 is attached, all know the PMK at the end of phase 1.
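As an added example (not code from the patent or from Ericsson), the following Python models the k_m / PMK derivation of the first aspect and the GGSN's known-plaintext search described in the session setup above: the UE derives k_m = PRF(k, nonce) and PMK = PRF(k_m, r2), sends a sample message in clear and encrypted form, and the GGSN, holding only k and the nonce, recovers the PMK by trying every r2. The PRF (HMAC-SHA256), the sample-message cipher (XOR with an HMAC-derived keystream) and the 2-byte length of r2 (Figure 2 uses 7 bytes) are assumptions chosen so the search completes instantly.

```python
"""Model of the partial-escrow key scheme: GGSN holds k_m, UE holds r2."""
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed one-way function shared by UE and GGSN (assumed: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def encrypt(key: bytes, msg: bytes) -> bytes:
    """Constructed stand-in for the session cipher: XOR with an HMAC keystream.
    The search only needs the cipher to be deterministic in (key, msg)."""
    stream = b""
    block = 0
    while len(stream) < len(msg):
        stream += prf(key, block.to_bytes(4, "big"))
        block += 1
    return bytes(m ^ s for m, s in zip(msg, stream))


def derive_km(k: bytes, nonce: bytes) -> bytes:
    """First key input component, computed at both UE and GGSN."""
    return prf(k, nonce)


def derive_pmk(k_m: bytes, r2: bytes) -> bytes:
    """PMK = PRF(k_m, r2); r2 is the UE-only second key input component."""
    return prf(k_m, r2)


class Terminal:
    """UE side: holds the SIM key k and picks a fresh r2 per session."""

    def __init__(self, k: bytes, r2_len: int = 2):
        self.k = k
        self.r2_len = r2_len

    def start_session(self, nonce: bytes, sample: bytes = b"sample"):
        """Returns the PMK and the (plaintext, ciphertext) pair sent to the GGSN."""
        k_m = derive_km(self.k, nonce)
        r2 = os.urandom(self.r2_len)  # never leaves the terminal
        pmk = derive_pmk(k_m, r2)
        return pmk, (sample, encrypt(pmk, sample))


class GGSN:
    """Network side: database 14 maps subscriber identity -> k."""

    def __init__(self, db: dict):
        self.db = db

    def recover_pmk(self, imsi: str, nonce: bytes, sample, r2_len: int):
        """Known-plaintext search over all r2 candidates; None if no key or no match."""
        k = self.db.get(imsi)
        if k is None:
            return None  # session would be refused at SIP Invite
        k_m = derive_km(k, nonce)
        plain, cipher = sample
        for i in range(256 ** r2_len):
            candidate = derive_pmk(k_m, i.to_bytes(r2_len, "big"))
            if encrypt(candidate, plain) == cipher:
                return candidate
        return None


def run_session(k: bytes, imsi: str = "imsi-A", r2_len: int = 2) -> bool:
    """One complete exchange; True if the GGSN recovers exactly the UE's PMK."""
    ggsn = GGSN({imsi: k})
    nonce = os.urandom(8)  # generated by the GGSN, sent in clear
    pmk, sample = Terminal(k, r2_len).start_session(nonce)
    return ggsn.recover_pmk(imsi, nonce, sample, r2_len) == pmk


if __name__ == "__main__":
    print("GGSN recovered PMK:", run_session(bytes(range(16))))
```

Without k (and hence k_m) a third party would have to search the full PRF key input, which is why the scheme confines the exhaustive search to the r2 bytes.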
In phase 2 of the SRTP, the UEs 12,13 use the shared PMK to generate a Traffic-Encrypting Key (TEK). The procedure involved is set out in the MIKEY draft referred to above. Once the TEK is generated, the IP session can begin. Traffic is encrypted and decrypted at the UEs 12,13 using the TEK. In some cases, a pair of TEKs may be generated in phase 2 of the SRTP, with a first of the TEKs being used to encrypt traffic in one direction and the second TEK being used to encrypt traffic in the opposite direction.

It will be appreciated that IP traffic associated with the session will always pass through the GGSN 5. As such, the GGSN 5 is able to intercept the traffic and decrypt it using the TEK(s). The decrypted traffic can then be passed to a government authority such as the police. Alternatively, during the session setup phase, the network operator may forward the TEK(s) to the government authority. Traffic which is intercepted at the GGSN 5 is therefore passed directly to the government authority which can decrypt the traffic using the previously received TEK(s). As a further alternative, the network operator may forward the key input component k_m and the pseudo-random function to the government authority during the session set-up phase. The government authority determines the PMK and thus TEK(s) itself and decrypts the traffic.
The mechanism can be further understood with reference to Figure 2. Two key input components, of 9 bytes and 7 bytes respectively, are input by the UE 12 into the pseudo-random function to generate the PMK, but only the first of these (9 bytes), corresponding to the shared key input component k_m, is known by the network operator. The other component, of 7 bytes, is generated at the UE 12 before the pseudo-random function is applied to the entire input key. The operator could use e.g. brute force, or known-plain-text attacks to resolve the remaining 7 bytes. If the 16 bytes are used to encrypt the information related to a session encryption key, the information could include field(s) known only by the operator and the user device. This may help the operator to resolve the correct session key using a known-plain-text attack. The known plain text could for example be a hash of the concatenated "infrequent time-stamp" and "user private identity or key". The outcome of the pseudo-random function has such a random nature that unauthorised attackers have a much harder task to resolve the correct key.
Agreements may be made between governments and network operators to enable a government authority to intercept an IP session initiated by a UE outside the authority of an interested government. In this case, a PMK generated at a node of an external network may be sent from the external network to the network under the authority of the interested government. The PMK can then be used to intercept the IP session.
Whilst the above description has been concerned with UEs and mobile networks, the present invention is not to be considered limited to mobile networks. The invention is also applicable to IP sessions extending between terminals coupled to fixed line networks and to other wireless networks, and to IP sessions extending between terminals coupled to different network types (e.g. a mobile to fixed line terminal session). The invention may be applied to UEs connected to the same access network as well as to different access networks.
As an alternative, the shared key k could be used as the basis for establishing a secure connection between the UE 12 and GGSN 5. This secure connection is then used as the basis for generating an input key for use by UE 12 and the GGSN 5. The input key may also be sent to a government authority if required.
The UEs 12, 13 use the input key in an end-to-end key generation process with each other. Only part of the input key contributes to the end-to-end key. Furthermore, other information known only to the operator and the UE 12 can be used to contribute to the end-to-end key.
The terminals can then communicate securely using the end-to-end encryption key. If authorised, the GGSN sends the signalling and data to the government authority for monitoring. The government authority can decrypt the information using the input key and other information using a plain text attack or brute force. This arrangement is shown in Figure 3.
It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiment without departing from the scope of the present invention. For example, the key k has been described as being stored at the UE and GGSN. However, to improve security further, the key k could change periodically.
If this is the case the UE and GGSN must be synchronized so that the key k is changed for each of them at the same time.
Furthermore, the method of intercepting a call has been described with reference to a random number exchange between the operator and user so as to generate the key input k_m. It will be appreciated that it would be possible for the user to use k directly, together with a locally generated random number, in the pseudo-random function to determine the PMK, thus removing the need for a random number exchange with the operator. The operator would then need to use a plaintext attack, with k as the input to the pseudo-random function, to determine the PMK.
In addition, it would be possible to store the second key input component to be entered into the pseudo-random function at the UE, rather than generating a fresh one each time. Again, however, this is not preferred as it is less secure. There may also be further inputs to the pseudo-random function, for example further numbers exchanged between the user and operator, or generated by the user.
The generation of the first random number by the operator or the second random number by the user may be performed in a number of different ways. One example makes use of the fact that the position of the UE 12 relative to its associated Base Station (BS) is known or can be determined by the operator. The number used as the random number is a function of the distance of the UE 12 from the BS 4.
In another modification an encryption function such as DES or AES may be used as the pseudo-random function. It is preferred that, whatever function is used, it is a one-way function. A HASH or keyed HASH pseudo-random function is a full one-way function. An encryption function such as DES or AES is one-way only if the key to it is not known. In yet another modification, the TEK(s) is (are) derived from the PMK via one or more intermediate encryption keys.
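The following Python is an added worked example and is not code from the patent. It models the scheme described above and set out in the claims that follow: the GGSN and the UE both derive the first key input component k_m from the shared key k and an exchanged seed; the UE alone generates a random second component r and never sends it; the PMK and TEK are derived from both; and the node recovers the TEK by enumerating candidate values of r and testing each against a known plaintext/ciphertext pair (the known plaintext being, as suggested above, a hash of a time-stamp concatenated with the user's private identity). Assumptions for the example: HMAC-SHA256 stands in for the keyed HASH pseudo-random function, r is 16 bits wide, and a toy XOR keystream stands in for the traffic cipher; the key and seed values are constructed.

```python
"""
Added illustration of the partial key escrow scheme (not the patent's own code).
Assumptions: HMAC-SHA256 as the keyed HASH pseudo-random function, a 16-bit
random second component r, and a toy XOR keystream in place of the traffic cipher.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

R_BITS = 16  # assumed width of the terminal's random second input component


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed HASH pseudo-random function (assumed: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def first_component(shared_k: bytes, seed: bytes) -> bytes:
    """k_m = PRF(k, seed): derivable by both UE and GGSN from the shared key and the exchanged seed."""
    return prf(shared_k, b"k_m|" + seed)


def derive_pmk(k_m: bytes, r: int) -> bytes:
    """PMK = PRF(k_m, r); r is generated at the terminal and is never sent to the node."""
    return prf(k_m, b"pmk|" + r.to_bytes(4, "big"))


def derive_tek(pmk: bytes) -> bytes:
    """Traffic encryption key derived from the PMK."""
    return prf(pmk, b"tek")


def keystream_xor(tek: bytes, data: bytes) -> bytes:
    """Toy traffic cipher for the example: XOR with an HMAC-derived keystream (not a real cipher)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(prf(tek, i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def known_plaintext(timestamp: bytes, private_identity: bytes) -> bytes:
    """Known plaintext as suggested in the description: hash of time-stamp || private identity."""
    return hashlib.sha256(timestamp + private_identity).digest()


def terminal_setup(shared_k: bytes, seed: bytes, r: Optional[int] = None) -> Tuple[int, bytes]:
    """UE side: choose r (random unless supplied), derive PMK and TEK. Returns (r, tek)."""
    if r is None:
        r = secrets.randbelow(1 << R_BITS)
    k_m = first_component(shared_k, seed)
    return r, derive_tek(derive_pmk(k_m, r))


def node_recover_tek(shared_k: bytes, seed: bytes, plain: bytes, cipher: bytes):
    """GGSN side: k_m is known, r is not. Enumerate every candidate r and test the
    resulting TEK against the known plaintext pair. Returns (r, tek, candidates_tried) or None."""
    k_m = first_component(shared_k, seed)
    for r in range(1 << R_BITS):
        tek = derive_tek(derive_pmk(k_m, r))
        if keystream_xor(tek, plain) == cipher:
            return r, tek, r + 1
    return None  # wrong k or seed: no candidate reproduces the ciphertext


if __name__ == "__main__":
    shared_k = bytes(range(32))        # constructed: long-term key shared by UE and GGSN
    seed = b"seed-2002-06-27"          # constructed: seed exchanged before the session
    r, tek = terminal_setup(shared_k, seed)
    plain = known_plaintext(b"2002-06-27T12:00", b"user@example.invalid")  # constructed
    cipher = keystream_xor(tek, plain)
    found = node_recover_tek(shared_k, seed, plain, cipher)
    print("terminal chose r =", r, "; node recovered r =", found[0], "after", found[2], "candidates")
    traffic = keystream_xor(tek, b"end-to-end traffic")
    print("node decrypts traffic:", keystream_xor(found[1], traffic))
```

The work factor is the point of the construction: the node, holding k_m, needs at most 2^R_BITS pseudo-random function evaluations, while an outsider must additionally search the shared key k. Widening r raises the authority's cost proportionally, which is the knob the scheme offers. The same search with the stored-r variant or with an unchanging k is what the description warns is less secure: the node only needs to run it once per terminal rather than once per session.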

Claims

  CLAIMS:
    1. A method of facilitating the legal interception of a session between two or more terminals, wherein said session uses encryption to secure traffic, the method comprising: storing or generating a first key input component at one of said terminals and at a node within a network through which said session is conducted; storing or generating a second key input component at that terminal; applying the first and second key input components as inputs to a pseudo-random function at the terminal to generate a key; and directly or indirectly using said key to encrypt and decrypt traffic associated with said session.
    2. A method as claimed in claim 1, wherein the second key input component is a number randomly generated at the terminal.
    3. A method as claimed in claim 1 or 2, further comprising determining the key at the network node from the first key input component using the pseudo-random function.
    4. A method as claimed in claim 3, wherein the key is determined at the network node using a plain text attack.
    5. A method as claimed in claim 1 or 2, further comprising: determining possible second key input components at the network node; and applying the pseudo-random function to the first key input component and the possible second key input components at the network node to determine the key.
    6. A method as claimed in claim 3, 4 or 5, further comprising: sending a plain text message from the terminal to the node; encrypting the message at the terminal using the key; and sending the encrypted message from the terminal to the node.
    7. A method of intercepting a session set up using the method of claim 3, 4, 5 or 6, comprising intercepting data associated with said session at said network node or at another node coupled to that network node, and directly or indirectly using the key to decrypt the encrypted traffic.
    8. A method as claimed in claim 7, wherein traffic is intercepted at said network node and is forwarded to a node outside of the network following decryption.
    9. A method as claimed in claim 7, wherein the key or a traffic encryption key or keys is or are sent to an external node and the encrypted traffic is forwarded to that node from the network node for decryption.
    10. A method as claimed in any preceding claim, wherein the step of generating a key is carried out each time a new session is to be established.
    11. A method as claimed in any preceding claim, wherein the terminal at which a key is generated is the terminal which initiates the session.
    12. A method as claimed in any preceding claim, wherein the key is used by the terminals involved in the session to generate one or more traffic encryption keys, the traffic encryption key(s) being used to encrypt the traffic associated with the session.
    13. A method as claimed in any preceding claim, further comprising: storing a shared key value at the terminal and at the node; and prior to the creation of said session, exchanging a seed value between the terminal and the node; wherein the step of generating the first key input component at the terminal and at the node includes applying the pseudo-random function to the shared key value and the seed value.
    14. A method as claimed in claim 13, further comprising: periodically changing the shared key value stored at the terminal and the node, the changes being synchronised.
    15. A method as claimed in any preceding claim, wherein the session is an IP session, data associated with the session is IP data, and traffic associated with the session is IP traffic.
    16. A terminal for conducting an encrypted session with one or more other terminals, the terminal comprising: a memory for storing a first key input component allocated to the terminal or to a subscriber using the terminal; means for generating a second key input component; means for applying a pseudo-random function to the first and second key input components at the terminal to generate a key; and means for directly or indirectly using the key to encrypt and decrypt traffic associated with said session.
    17. A network node for use in intercepting encrypted traffic associated with a session conducted between two or more terminals coupled to a communications network, the node comprising: a memory storing first key input components allocated to terminals or subscribers registered with the network; means for generating possible second key input components; means for applying a pseudo-random function to the first key input component and possible second key input components to generate a key; and means for directly or indirectly using said key to decrypt traffic associated with said session which is intercepted by the node.
    18. A method of facilitating the legal interception of a session between two or more terminals, wherein said session uses encryption to secure traffic, the method comprising: establishing a secure connection between at least one of said terminals and a node within a network through which said session is conducted; generating an input key utilising the secure connection between the terminal and the network node; using at least part of the input key at the terminal in a key generation process with other terminals for generating an encryption key; and directly or indirectly using said encryption key to encrypt and decrypt traffic associated with said session.
    19. A method as claimed in claim 18, further comprising determining the encryption key at the network node from knowledge of the input key.
    20. A method as claimed in claim 18, further comprising: forwarding traffic associated with said session and the input key from the network node to a third party node; at the third party node, determining the encryption key from knowledge of the input key; and decrypting the traffic at the third party node.
GB0214911A 2002-06-27 2002-06-27 Escrowing with an authority only part of the information required to reconstruct a decryption key Pending GB2390270A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0214911A GB2390270A (en) 2002-06-27 2002-06-27 Escrowing with an authority only part of the information required to reconstruct a decryption key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0214911A GB2390270A (en) 2002-06-27 2002-06-27 Escrowing with an authority only part of the information required to reconstruct a decryption key

Publications (2)

Publication Number Publication Date
GB0214911D0 GB0214911D0 (en) 2002-08-07
GB2390270A true GB2390270A (en) 2003-12-31

Family

ID=9939427

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0214911A Pending GB2390270A (en) 2002-06-27 2002-06-27 Escrowing with an authority only part of the information required to reconstruct a decryption key

Country Status (1)

Country Link
GB (1) GB2390270A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008014958A1 (en) 2006-08-01 2008-02-07 Nec Europe Ltd. Method for establishing a secret key between two nodes in a communication network
WO2008059475A1 (en) * 2006-11-12 2008-05-22 Nds Limited Secure communication
US7730305B2 (en) * 2004-12-10 2010-06-01 Electronics And Telecommunications Research Instutute Authentication method for link protection in Ethernet passive optical network
WO2014031489A1 (en) * 2012-08-22 2014-02-27 Certicom Corp. Method of lawful interception for umts

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2308282A (en) * 1995-12-15 1997-06-18 Lotus Dev Corp Secret crytptographic key is split to reduce work factor
US5666414A (en) * 1996-03-21 1997-09-09 Micali; Silvio Guaranteed partial key-escrow
EP0801478A2 (en) * 1996-04-10 1997-10-15 International Business Machines Corporation Cryptographic key recovery system
US5768388A (en) * 1996-03-01 1998-06-16 Goldwasser; Shafi Time delayed key escrow
US6052469A (en) * 1996-07-29 2000-04-18 International Business Machines Corporation Interoperable cryptographic key recovery system with verification by comparison
WO2001056222A1 (en) * 2000-01-31 2001-08-02 France Telecom Communication method with encryption key escrow and recovery
GB2376392A (en) * 2001-12-07 2002-12-11 Ericsson Telefon Ab L M Legal interception of encrypted IP traffic

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7730305B2 (en) * 2004-12-10 2010-06-01 Electronics And Telecommunications Research Instutute Authentication method for link protection in Ethernet passive optical network
WO2008014958A1 (en) 2006-08-01 2008-02-07 Nec Europe Ltd. Method for establishing a secret key between two nodes in a communication network
DE102006036165B3 (en) * 2006-08-01 2008-06-26 Nec Europe Ltd. Method for establishing a secret key between two nodes in a communication network
CN101496340B (en) * 2006-08-01 2012-08-22 Nec欧洲有限公司 Method for establishing a secret key between two nodes in a communication network
US8340301B2 (en) 2006-08-01 2012-12-25 Nec Europe, Ltd. Method for establishing a secret key between two nodes in a communication network
WO2008059475A1 (en) * 2006-11-12 2008-05-22 Nds Limited Secure communication
WO2014031489A1 (en) * 2012-08-22 2014-02-27 Certicom Corp. Method of lawful interception for umts
US9094471B2 (en) 2012-08-22 2015-07-28 Certicom Corp. Method of lawful interception for UMTS

Also Published As

Publication number Publication date
GB0214911D0 (en) 2002-08-07

Similar Documents

Publication Publication Date Title
CN100592731C (en) Lawful interception of end-to-end encrypted data traffic
EP1946479B1 (en) Communication securiy
US7181012B2 (en) Secured map messages for telecommunications networks
KR101013427B1 (en) End-to-end protection of media stream encryption keys for voice-over-IP systems
KR100852146B1 (en) System and method for lawful interception using trusted third parties in voip secure communications
CN101420413B (en) Session cipher negotiating method, authentication server and network appliance
KR101021708B1 (en) Group Key Distribution Method and Server and Client for Implementing the Same
EP2813047B1 (en) Lawful interception of encrypted communications
JP2013034220A (en) Method and apparatus for establishing security association
EP2700187A1 (en) Discovery of security associations
KR20130140873A (en) Discovery of security associations for key management relying on public keys
EP2324594A2 (en) Method of integrating quantum key distribution with internet key exchange protocol
CN101971559A (en) Method and apparatus to enable lawful intercept of encrypted traffic
US8488795B2 (en) Method for providing a symmetric key for protecting a key management protocol
US8924722B2 (en) Apparatus, method, system and program for secure communication
CN108616536A (en) Encrypt a kind of method and its application of socks agreements
WO2017197968A1 (en) Data transmission method and device
GB2376392A (en) Legal interception of encrypted IP traffic
GB2390270A (en) Escrowing with an authority only part of the information required to reconstruct a decryption key
CN101729535B (en) Implementation method of media on-demand business
Gurbani et al. A secure and lightweight scheme for media keying in the session initiation protocol (SIP) work in progress
Bassil et al. Critical analysis and new perspective for securing Voice Networks
Kim et al. New key recovery in WAKE protocol
CN113242121A (en) Safety communication method based on combined encryption
Yoon et al. Lawful interception scheme for secure VoIP communications using TTP