Title of the invention
Method of Requesting Confidential Connection for Telecommunication Systems
Field of the invention
The invention is used in communications networks to ensure that a confidentiality request made by a calling party when setting up a call to a called party is accommodated. This application is related to and claims the benefit of commonly-owned U.S. Provisional Patent Application No. 60/574,960, filed on 27.05.2004, titled "Method of Requesting Confidential Connection For Telecommunication Systems", which is incorporated by reference herein in its entirety.
Summary of the invention
When a user establishes a connection in the telephony world, the network can provide means of withholding the user's identity.
One well-known method is suppression of calling name delivery. This is a limited form of confidentiality provided by the network: it does not give the user requesting the connection (the calling party) any control over the call once the call has been set up.
For example, once the connection has been established, the originating user (calling party) can be put through to voice-mail, or the end equipment can turn on a loudspeaker, even though the calling party might not want this to happen.
Effectively, the calling party loses any control of the call that it initiated in the first place. This also means that the calling party loses control over the dissemination of the content of the communication (call). The communications system used to initiate, set up and establish the call does not allow the call to be controlled by the calling party.
Currently, communication systems provide no capability that allows a calling party to control the call where the user wishes the contents of the call to be kept confidential at the called party and so to maintain a secure communication. If, for example, the calling party wishes that the contents of the call not be recorded or not be put on a loudspeaker, telecommunication systems do not support controlling this, either in the network or in the CPE (customer premises equipment).
A need therefore exists for a technique that provides a calling party with the capability to control the call at the called party and thereby ensure that the call is secured by increasing the confidentiality of its contents.
With the present invention, the issue of controlling the call at the called party by the calling party is resolved. The proposed technique is responsive to a request of a calling party permitting the calling party to have more control of the call and its contents, and provides an efficient way for securing the confidentiality of a call.
The technique is achieved by the teachings contained in the independent method and network device claims.
Said method requests a call with a confidential connection between a first party and a second party in a communications network, and comprises the steps of:
- signalling by said first party, a request to establish said call to said second party specifying a confidentiality mode for said call, to a call forwarding entity;
- signalling a reply to said request indicating whether said confidentiality mode can be maintained.
Said network device is located in a communications network and comprises means arranged to employ the method according to claims 1 to 9.
Advantages can be seen in the dependent claims, whereby the calling party is required to provide an input indicating whether the call is to proceed, a variety of network devices can implement the technique, a series of parameters regulate the requested confidentiality, the confidentiality is ascertained by applying a continuous measurement of a line characteristic to at least one section of the line connecting the two parties, and the confidentiality can be increased by encrypting the call, either end-to-end or on exposed line sections.
The present invention will become more fully understood from the detailed description given hereinbelow and the accompanying drawings which are given by way of illustration only, and thus are not limitative of the present invention, and wherein:
Fig. 1 shows the signalling that takes place in the network.
Fig. 2 shows a typical network environment where the proposed invention is applicable.
Detailed description of the invention
In Fig. 1, which shows an exemplary embodiment of the invention, a calling party's terminal equipment 1 and a called party's terminal equipment 2 are connected to a network 100. The terms "calling party", "calling party's terminal equipment", "first party", "A_party", "user_A", "A-subscriber" are equivalent terms that refer to the originator of a call. These terms are used interchangeably throughout the description. Similarly, the terms "called party", "called party's terminal equipment", "second party", "B_party", "user_B", "B-subscriber" are equivalent terms that refer to the receiver of a call. These terms are also used interchangeably throughout the description. Also the terms "signalling entity", "forwarding entity", "network device" are equivalent terms that refer to the device that receives the request to set up a confidential call between the calling party and the called party. These terms are also used interchangeably throughout the description. Furthermore, the calling party's terminal equipment 1 and the called party's terminal equipment 2 comprise a telephone 1A, 2B and a handset/receiver 1A', 2B' respectively. Where necessary, in order for the invention to become more understandable, the telephone and handset/receiver terms will be used. In other embodiments, the terminal equipment may include an intelligent peripheral, such as a PC having a handset/headset connected to it and a software telephony application installed on it.
Turning back to Fig. 1, when the calling party 1 wishes to set up a secure call over a connection to a called party 2 with a requested degree of confidentiality, it transmits a message 10 containing a confidentiality request parameter.
The calling party 1 may not wish: a) to interact with a voice mail or any other type of recording device, b) that a loudspeaker be turned on at the other end (receiver), c) that the called party 2 activates call forwarding (CF) or transfers the call (CT) at any time, d) to become involved in a conference.
The parameters, which are explained further below, can be one of the following, indicating the type of confidentiality that the calling party wishes to have at the called party:
(a) No recording of the actual conversation is allowed to be made by the called party.
(b) No loudspeaker is allowed to be activated by the called party.
(c) No Call Forwarding (CF) is allowed to be performed by the called party.
(d) No Call Transfer (CT) is allowed to be performed by the called party.
(e) No conference initiation is allowed to be performed by the called party.
A message 10 is transmitted over the network 100 to a call forwarding entity 5, which is a PSTN switch or a PBX depending on how the network 100 is designed, and which in turn receives the message 10. The call forwarding entity 5 is connected to the called party 2 directly or via other network components, and is aware of the confidentiality parameters that are available at the called party 2. The forwarding entity 5 in turn transmits a reply message 20 back to the calling party 1 over network 100. Message 20 contains information indicating whether the confidentiality requested is possible and/or honoured by the called party 2. Upon reception of message 20, the calling party 1 may be prompted for an input indicating whether to proceed with the call. Preferably, the calling party 1 is prompted only if the requested confidentiality mode is not available.
These parameters are further explained below:
Recording
The "no recording" option is primarily handled between the calling party and the switch, although it may also be signalled all the way to the other end. It allows no recording of the actual conversation between the calling party and the called party to take place, a feature offered by some terminal equipment. This is further explained below:
Type 1 - switch
The switch (public exchange or private branch exchange (PBX)) can recognize the request of the A-party and, if the B-party has the Confidential_Call capability, the request is further signalled to the B-party. However, if the B-party does not offer this capability, the switch can signal back to the A-party reporting that the B-party does not support Confidential_Call (as an announcement or display). The originator (calling party) may choose to continue the call.
During the call, if the switch has to put the originator through to a voice-mail, the Confidential_Call request, if active, is taken into account and the calling party is not transferred to voice-mail.
Type 2 - end to end
If the B-party provides the Confidential_Call capability, then it honours the originator's request, so that in the case of voice-mail only the announcement is played to the originator and no message is recorded.
Loudspeaker
This is an end-to-end function. It prohibits the use of a loudspeaker at one end if the other party has requested this. The feature requires forward and backward signalling, and the acknowledgement may honour the request. The lack of an acknowledgement, as well as a negative acknowledgement, dishonours the request. If one of the parties (A or B) does not provide the Confidential_Call capability, then the switch signals this to the other party by means of an announcement or protocol signalling. The requestor of Confidential_Call may choose to continue the call.
If both parties provide the Confidential_Call capability, then they can switch to confidentiality mode at any time. The requestor may have established the call in normal mode. Either end may have turned the loudspeaker on, but once the confidentiality request is raised by either of the parties, the loudspeaker at the requested side, or both speakers, may automatically be switched off.
Call Forwarding (CF)
The B-party has call forwarding activated as the A-subscriber attempts to establish a call to B. If the A-subscriber has requested Confidential_Call with "No CF", then the forwarding entity (switch or intelligent CPE (Customer Premises Equipment)) shall honour this request, not forward the call, and return the proper call-termination reason. An intelligent CPE is a device, located in this case at the B-party side, which is programmed to read received data and react to requests and commands contained in this data.
Call Transfer (CT)
If the subscriber has requested Confidential_Call with "No CT", then the call transfer entity (switch or intelligent CPE) shall honour this request and not allow the call to be transferred. In the event that no acknowledgement is transmitted, or that a negative acknowledgement is transmitted, the request is dishonoured. If one of the parties (calling or called party) does not provide a Confidential_Call capability, then the forwarding entity signals this to the other party by means of an announcement or protocol signalling. The requestor of the confidential call can then choose whether or not to continue the call.
Conference
If any party in a communication has requested Confidential_Call with "No Conference", the partners of this party should honour or dishonour this request. The party has the choice to continue the call. In the event that no acknowledgement is transmitted, or that a negative acknowledgement is transmitted, the request is dishonoured. If one of the parties (calling or called party) does not provide a Confidential_Call capability, then the forwarding entity signals this to the other party by means of an announcement or protocol signalling. The requestor of the confidential call can then choose whether or not to continue the call.
Deployment areas
Embodiment of signalling in existing protocols: The following protocols can be enhanced to cover the handling of confidentiality. The invention, however, is not limited to the protocols mentioned, but may also be applicable to other existing protocols.
SIP (Session Initiation Protocol)
ITU-T H.323
ISUP (ISDN User Part Protocol)
ISDN (Integrated Services Digital Network)
MGCP (Media Gateway Control Protocol)
This can be done by implementing a set of messages comprising a set of parameters that indicate the particular type of confidentiality sought by the calling party, or by modifying existing messages that are part of signalling protocols. The parameters can be indicated through the use of a flag that is set within a message to indicate that confidentiality is requested. Each type of request has its own defined flag. It is also possible to define a particular flag that, when set within a message, indicates that the calling party requests all types of confidentiality to be applied.
For example, messages transmitted at call initiation, such as a SETUP message when using ISDN, an IAM (Initial Address Message) when using ISUP, CRCX (Create Connection) when using MGCP, or an INVITE message when using SIP, can be modified to comprise a parameter indicating the type of confidentiality.
Messages used for acknowledging the call initiation, such as PROGRESS or RING messages when using SIP, PROGRESS, SETUP-ACK or ACM (Address Complete Message) messages when using ISDN/ISUP, or CRCX-ACK when using MGCP, can also be modified.
Additionally, messages used for indicating acceptance of the call, such as the OK message when using SIP, the CONNECT or ANM (Answer) messages when using ISDN/ISUP, or the MDCX (Modify Connection) or MDCX-ACK messages when using MGCP, can also be modified.
Furthermore, messages used at any point in a call, such as the NOTIFY message when using SIP, the FACILITY, INF (Information) or INR (Information Request) messages when using ISDN/ISUP, or the NTFY (Notify) message when using MGCP, can also be modified.
All these messages can be modified to carry the set of parameters that indicate the particular type of confidentiality sought by the calling party. These modifications or any new set of messages created do not require any hardware changes to be implemented.
The called party 2, or the corresponding forwarding entity 5, upon reception of such a message returns a reply to the calling party 1 indicating whether the request can be met.
Signalling entities 5 that forward a call request, such as Intelligent Customer Premises Equipment (CPE), Public Switched Telephone Network (PSTN) switches, PBXs and voice-mail servers, can be enhanced so that the handling of confidentiality is covered by the means that already exist in the signalling entities.
The signalling methods described above allow a calling party 1 to specify either one or all of the above-mentioned confidentiality requests at his/her terminal. These requests, as stated previously, are:
a. call recording not allowed at the call destination terminal;
b. loudspeaker activation not allowed at the call destination terminal;
c. Call Forwarding (CF) not allowed at the call destination terminal;
d. Call Transfer (CT) not allowed at the call destination terminal;
e. conference initiation not allowed at the call destination terminal.
Requests c, d and e may be implemented using methods in the (PSTN or PBX) switch serving the called party 2: if any of these request flags is received, the switch serving the called party 2 simply ignores all requests to the contrary and may respond with an announcement to any such attempt, e.g. "Transfer not permitted for this call" or "Initiation of Conference not permitted for this call".
Since these three requests (c-e) may be controlled by the switch, they are tamper-proof in most situations in the following sense: even if a user modifies his/her terminal, such modification will not make the restriction imposed by a calling party 1 ineffective. Exceptions exist when the terminal has advanced capabilities or is, in fact, a small residential "exchange" such as a DECT base station serving several handsets. Problems may also arise for VoIP (Voice over IP) terminals which (for example, in a workgroup) may handle call forwarding, call transfer, and conference without using a central switch.
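The message 10 / message 20 exchange of Fig. 1 and the switch-side handling of requests (c) to (e) just described, as an added simulation that is not part of the application: the per-subscriber capability table, the call identifiers and the "Forwarding not permitted" announcement are constructed; the two other announcement texts are the ones quoted above.

```python
"""Simulation of the Confidential_Call request (message 10) / reply (message 20)
exchange and of the switch's enforcement of the switch-controlled requests (c)-(e).
Added example; subscriber capabilities and call ids are constructed."""
from dataclasses import dataclass, field
from enum import Flag, auto


class Conf(Flag):
    """Confidentiality request flags carried in the call-setup message 10."""
    NONE = 0
    NO_RECORDING = auto()    # (a) depends on the called terminal / voice-mail server
    NO_LOUDSPEAKER = auto()  # (b) depends on the called terminal (end to end)
    NO_CF = auto()           # (c) enforced by the switch serving the B-party
    NO_CT = auto()           # (d) enforced by the switch serving the B-party
    NO_CONFERENCE = auto()   # (e) enforced by the switch serving the B-party
    ALL = NO_RECORDING | NO_LOUDSPEAKER | NO_CF | NO_CT | NO_CONFERENCE  # "all types" flag


# Requests (c)-(e) never depend on the called party's terminal: the switch
# simply ignores contrary service invocations for the duration of the call.
SWITCH_ENFORCED = Conf.NO_CF | Conf.NO_CT | Conf.NO_CONFERENCE

# Announcement played to the called party on a blocked attempt. The CT and
# conference texts are quoted in the description; the CF text is constructed.
ANNOUNCEMENTS = {
    Conf.NO_CT: "Transfer not permitted for this call",
    Conf.NO_CONFERENCE: "Initiation of Conference not permitted for this call",
    Conf.NO_CF: "Forwarding not permitted for this call",
}


@dataclass
class Subscriber:
    number: str
    terminal_caps: Conf = Conf.NONE   # Confidential_Call capability of the CPE


@dataclass
class Reply:
    """Message 20: which of the requested modes can be maintained for this call."""
    honoured: Conf
    refused: Conf

    @property
    def prompt_caller(self) -> bool:
        # The caller is prompted only if some requested mode is unavailable.
        return self.refused != Conf.NONE


@dataclass
class ForwardingEntity:
    """PSTN switch or PBX (entity 5) that receives message 10 and answers with message 20."""
    subscribers: dict
    active_calls: dict = field(default_factory=dict)   # call_id -> honoured flags
    cdr: list = field(default_factory=list)            # call data records (request + ack)

    def setup(self, call_id: str, a_number: str, b_number: str, requested: Conf) -> Reply:
        b = self.subscribers[b_number]
        # (c)-(e) are always honoured by the switch; (a)/(b) only if B's terminal supports them.
        honoured = (requested & SWITCH_ENFORCED) | (requested & b.terminal_caps)
        refused = requested & ~honoured
        self.active_calls[call_id] = honoured
        self.cdr.append((call_id, a_number, b_number, requested, honoured))
        return Reply(honoured, refused)

    def service_request(self, call_id: str, attempted: Conf):
        """The called party invokes CF/CT/conference mid-call. Returns (allowed, announcement)."""
        blocked = self.active_calls[call_id] & attempted & SWITCH_ENFORCED
        if blocked:
            return False, ANNOUNCEMENTS[blocked]
        return True, None


if __name__ == "__main__":
    switch = ForwardingEntity({"B1": Subscriber("B1", Conf.NO_LOUDSPEAKER), "B2": Subscriber("B2")})
    reply = switch.setup("call-1", "A", "B2", Conf.ALL)
    print("refused:", reply.refused, "prompt caller:", reply.prompt_caller)
    print(switch.service_request("call-1", Conf.NO_CT))
```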
For requests (a) and (b), however, no guarantee can be given to the calling party 1 that the requests will actually be met at the terminating end. Even if "confidentiality enhanced" terminal equipment adheres to the "no recording" or "no loudspeaker" request imposed by the calling party 1 by not allowing the called party 2 to activate the recording feature or loudspeaker in his/her terminal, such restrictions may easily be overcome by a number of methods. For example, the physical cable connecting the terminal to the terminal's handset could be plugged into a device having speaker and/or recording means. Or the terminal could be operated with different software/firmware which ignores the confidentiality flags, which is a concern especially in environments where programmable equipment such as PCs (Personal Computers) or PDAs (Personal Digital Assistants) is used for telephony.
In order to overcome the limitations of requests (a) and (b), the confidentiality may be extended so that the caller 1 can rely on the following: either the restriction imposed is met at the other end, or he will be informed of such a "breach" of confidentiality. Alternatively, the call may simply be released when a "no-confidentiality" situation is detected at any time during the call.
To this end, one of two approaches can be chosen: end-to-end confidentiality (by end-to-end encryption) or improving the confidentiality of sections of the communication path that can easily be tampered with. Both approaches require hardware support which is described in the following illustrative embodiment with reference to Fig. 2.
Fig. 2 shows a calling party 1, comprising a telephone 1A and a handset/receiver 1A', that communicates through a network 100 with a called party 2, also comprising a telephone 2B and a handset/receiver 2B'. Within the network 100, PBXs 5 can be seen that connect the two parties to the network 100, as well as devices such as local exchanges and transit exchanges that allow signalling to be performed.
Consider a section of a transmission line 210, for example between a telephone 2B and its handset 2B'. Normally, the signals are transmitted over such a line 210 in analogue form, wherein an amplifier in the telephone 2B sends a time-variant electrical signal to a speaker device in the handset 2B'. The amplifier "does not care" whether the device receiving the signal is, in fact, the speaker device of handset 2B'. The amplifier will continue to produce an output signal even if the transmission line 210 is connected via a tap line L' to another device 3, which may be an unwanted recording or speaker device. The same applies to the section of the transmission line 200 which connects PBX 5 to the telephone 2B. Sections 200, 210 are vulnerable to attack because they form part of the so-called "last mile" section of the transmission line.
A basic (analogue) approach to disallowing the tapping of lines 200, 210 would be to continuously measure at least one of the line characteristics (such as impedance, resistance, capacitance or inductance) by means of an advanced amplifier. Upon detection of a change in any parameter exceeding a threshold, the amplifier could signal to the confidentiality mechanism that the transmission line was tampered with and that confidentiality can no longer be guaranteed, which the confidentiality circuitry can signal back to inform the caller. In the event that a wireless connection is used, other characteristics can be continuously measured in order to monitor the confidentiality of the call. This can be done, for example, by measuring propagation characteristics such as jitter or signal delay. In the case of a wireless connection the terms "link" and "connection" are used interchangeably and are equivalent.
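The threshold-based line monitoring just described, written out as an added example that is not part of the application. It calibrates a baseline from the first samples of one characteristic (impedance on a wired section, or jitter on a wireless link) and reports the two reactions the text allows, an announcement to the caller or release of the call; the impedance and jitter values and the tolerances are constructed, and the monitor generalises the text by accepting any characteristic by name.

```python
"""Continuous line-characteristic monitoring for a last-mile section (line 200
or 210) or a wireless link. Added example; sample values and tolerances are
constructed, not taken from the application."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Iterable, List, Optional


@dataclass
class LineMonitor:
    """Watches one characteristic of one line section (e.g. impedance in ohm, or
    jitter in ms on a wireless link) and raises a tamper event when a value
    departs from the calibrated baseline by more than `tolerance` (relative)."""
    section: str
    characteristic: str
    tolerance: float                   # e.g. 0.10 for a 10 % deviation
    calibration_samples: int = 5       # samples averaged to form the baseline
    release_on_breach: bool = False    # text's alternative: release the call
    baseline: Optional[float] = None
    _history: List[float] = field(default_factory=list)

    def feed(self, value: float) -> Optional[str]:
        """Return None while the line is intact, otherwise the event to signal."""
        if self.baseline is None:
            # Calibration phase: the first samples define the intact line.
            self._history.append(value)
            if len(self._history) == self.calibration_samples:
                self.baseline = mean(self._history)
            return None
        deviation = abs(value - self.baseline) / self.baseline
        if deviation > self.tolerance:
            # Tampering (e.g. a tap line L' to another device 3) detected.
            if self.release_on_breach:
                return f"RELEASE_CALL: {self.section} {self.characteristic} tampered"
            return ("ANNOUNCE_CALLER: confidentiality cannot be guaranteed "
                    f"({self.section} {self.characteristic} deviates {deviation:.0%})")
        return None


def monitor_call(samples: Iterable[float], monitor: LineMonitor) -> Optional[int]:
    """Feed all samples in order; return the index of the first breach, or None."""
    for i, value in enumerate(samples):
        if monitor.feed(value) is not None:
            return i
    return None


# Constructed handset-line impedance samples (ohm): intact line around 600 ohm,
# then a Y-cable with an external speaker in parallel roughly halves the impedance.
HANDSET_LINE_OHM = [601.0, 599.5, 600.2, 600.8, 599.6, 600.1, 599.9, 600.3, 310.0, 305.0]

# Constructed wireless-link jitter samples (ms): stable, then a sudden rise.
WIRELESS_JITTER_MS = [2.0, 2.1, 1.9, 2.0, 2.0, 2.1, 5.0]


if __name__ == "__main__":
    wired = LineMonitor("line 210", "impedance_ohm", tolerance=0.10)
    print("wired breach at sample", monitor_call(HANDSET_LINE_OHM, wired))
    wireless = LineMonitor("wireless link", "jitter_ms", tolerance=0.5, release_on_breach=True)
    print("wireless breach at sample", monitor_call(WIRELESS_JITTER_MS, wireless))
```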
Another approach to securing lines 200, 210 would be to install a speaker having an integrated encryption/decryption chip in the handset 2B' and to send all signals from telephone 2B to handset 2B' as encrypted digital signals, wherein the signals are encrypted such that only the chip in the handset 2B' has the necessary key(s) to decrypt. At any point where another device 3 is located, the signals may be received, but the information is not decipherable. A speaker with integrated decryption (and D/A conversion, amplification) circuitry could be constructed in encapsulated fashion such that any attempt to access pins for retrieving the analogue electrical signal would result in the destruction of the speaker. The encryption/decryption chip in the telephone could be constructed in a similar fashion.
To prevent a user from using a microphone next to his/her handset speaker for unwanted recording, one or more sensors could be installed in handset 2B' to detect any "abnormal" use of the handset (e.g. the handset being held away from the ear/mouth of the called party, or a microphone next to the speaker). Such sensors could include temperature sensors to detect whether the handset is near a body, surface contact sensors to detect whether the handset is in contact with human skin (hands/ear), electromagnetic sensors to detect the electromagnetic fields caused by microphones, etc.
It shall be noted that any transmission line section 200, 210 that is vulnerable can be secured using encryption/decryption methods at both ends of the line. If multiple sections exist, the devices connecting these sections have to be constructed such that the signals cannot be compromised there. Example: a first line section is secured (e.g., encrypted) between a PSTN switch and a PBX, a second line section 200 is secured between the PBX and a terminal (computer/telephone), and a third line section 210 is secured between the terminal and the handset/headset. Then any internal connection, especially those in the terminal connecting the second and third sections, needs to be secured by making it mechanically inaccessible (e.g. inside the same chip or chip package, or in an inaccessible layer of a multilayer printed board) or by using encryption.
Furthermore, the digital (encryption) and analogue protective methods may be combined to prevent another device 3, located at the end of a tap line L', from gathering data for a cryptographic attack on the encrypted information.
It is understood that a microphone could be constructed in essentially the same fashion as described for the speaker, i.e. a microphone package that contains A/D converting circuitry, signal processing and amplification circuitry, and encryption circuitry. Any signal transmitted by such a package would be digital and encrypted, decipherable only by means of a valid decryption key.
These approaches to securing the line have the advantage that the trust level of telecoms equipment is increased, by ensuring that the confidentiality requests (a) to (e) are met at the terminal, where the switch no longer has control over the signal and the signalling. Depending on the desired confidentiality level, it is possible to:
- prevent only the most simple and unsophisticated attacks (e.g. putting a conversation on loudspeaker "for fun" against the caller's intentions [to embarrass the caller in front of an "audience"] by attaching a speaker to any wire section between PBX and telephone or between telephone and handset); or
- prevent attacks by malicious, knowledgeable personnel (e.g. information theft by recording conversations that were not supposed to be recorded).
In a further example to illustrate the functioning of the above, the calling party 1 wishes to call the called party 2. The calling party 1 specifies on his phone that the called party 2 must not turn on his speaker, as the information to be conveyed is confidential. The called party's terminal receives that request and disables the speaker. The called party 2, however, intends to ignore that request. For that purpose he has installed a Y-cable between his telephone 2B and his handset 2B'. Attached to the Y-cable is an external loudspeaker. While the calling party 1 believes that the called party's speaker is off, the called party 2 would still be able to have the calling party 1 on the external loudspeaker. With the added protection, the calling party 1 would receive an announcement that confidentiality cannot be guaranteed (analogue protection), or the called party's loudspeaker would not produce any signal, as the calling party's voice is sent to the called party's handset speaker in encrypted form, effectively disabling any audio device on the Y-cable.
Using the line section protection mechanism explained above, the confidentiality of a conversation from a calling party 1 to a called party 2 can be ensured regardless of whether the called party 2 wishes to keep the conversation confidential or not; it is ensured even where the called party 2 does not wish the conversation to remain confidential.
In a further illustrative embodiment, the end-to-end connection between the calling party 1 and the called party 2 can be protected using the protection mechanism without having to rely on the network's support for confidentiality requests. To this end, both the calling party 1 and the called party 2 have terminal equipment with encrypted speakers in handsets or headsets. The feature control "no recording/loudspeaker" resides in the terminal equipment. If the calling party 1 places a call requesting that the called party 2 cannot turn on his loudspeaker, such a request may be transmitted along with the corresponding call setup, in the form of a flag, to the called party's terminal. The called party's terminal will then disable the built-in speaker. The calling party's terminal will send any voiced information in the form of encrypted data. The encryption of the outgoing signal can be handled in a microphone package as described above, or in the terminal itself, for decryption at the called party's headset speaker (i.e. using an encryption key corresponding to the called party's handset/headset). The encrypted data is sent through the telecoms network to the called party's terminal (note: a communications channel is required that supports "data" rather than "voice", i.e. no echo cancellation or bit-rate reduction may occur over the channel). The called party's terminal forwards the encrypted information to the handset/headset, where it is decrypted and played to the called party 2.
Other embodiments may rely on the confidentiality of wire sections not normally accessible (i.e. the wire section from the PSTN local exchange to the PBX) and employ the invention only on wire sections that are more easily accessible (e.g. the wire connecting a terminal, such as a phone or a PC, to a handset/headset), as illustrated in Fig. 2.
When using any type of computer with an attached handset or headset as the terminal, special care must be taken when implementing the local software controlling telephone calls (softphone). While tapping into the line connecting the computer to the network infrastructure is not a concern (methods for protecting such lines, typically LAN lines, are well known), the softphone must be implemented such that copying of audio streams to any device other than the headset/handset is made impossible if a corresponding confidentiality request is received from a calling party 1. The softphone shall encrypt all voice information sent to the handset/headset such that it can only be played there. The softphone may employ a secure chip for performing the encryption and/or storing the necessary key(s), for example a trusted platform module (TPM) (see https://www.trustedcomputinggroup.org/home).
The request for confidentiality and the corresponding acknowledgement are preferably logged in a Call Data Record (CDR) generated by the forwarding entity 5, so that any misuse can be documented and traced.
Although the invention has been described in terms of preferred embodiments described herein, those skilled in the art will appreciate other embodiments and modifications which can be made without departing from the scope of the teachings of the invention. All such modifications are intended to be included within the scope of the claims appended hereto.