Title of invention: Policy routing-based lawful interception in communication system with end-to-end encryption
Abstract: A method for intercepting encrypted communications exchanged between first and second computing devices in a communication network, wherein interception is performed by a third computing device in the computing network. The third computing device obtains one or more packets having a packet address associated with one of the first and second computing devices in response to at least one interception routing policy being implemented in at least one element in the communication network, such that the obtained packets may be decrypted to obtain data contained therein. The third computing device preserves the packet address of the obtained packets and forwards the obtained packets toward a packet-destination one of the first and second computing devices such that the packet-destination one of the first and second computing devices is unable to detect from the one or more packets that the one or more packets were intercepted by the third computing device.
Publication number: US9544334(B2) Publication date: 2017.01.10
Application number: US201113212788 Filing date: 2011.08.18
Applicant: Alcatel Lucent Inventors: Heck John Frederick; Sundaram Ganapathy S.; Varney Douglas William
Classification: H04L12/28; H04L29/06 Main classification: H04L12/28
Agency: Ryan, Mason & Lewis, LLP Agent: Ryan, Mason & Lewis, LLP
Independent claim: 1. A method for intercepting encrypted communications exchanged between a first computing device and a second computing device in a communication network, wherein the interception is performed by a third computing device in the communication network, the method comprising: the third computing device obtaining one or more packets which are encrypted as part of an end-to-end encryption session associated with the first computing device and the second computing device, the one or more packets having a given packet address associated with one of the first computing device and the second computing device, wherein the one or more packets are obtained by the third computing device in response to at least one interception routing policy being implemented in at least one element in the communication network which is also responsible for routing non-intercepted packet traffic therethrough, wherein the at least one interception routing policy is configured to forward packets having the given packet address to the third computing device, the third computing device decrypting the one or more obtained packets using a security association established for a packet-source comprising the first computing device so as to obtain data contained therein; the third computing device preserving the given packet address of the one or more obtained packets such that the one or more obtained packets do not appear to have been obtained by the third computing device; and the third computing device re-encrypting the one or more obtained packets using a security association established for a packet-destination comprising the second computing device, and forwarding the one or more packets toward the packet-destination; wherein the one or more packets forwarded toward the packet-destination have the given packet address; and wherein the interception routing policy re-routes bearer flows from the packet-source and the packet-destination to the third computing device.
Address: Boulogne-Billancourt FR