Security is often a mandatory feature of a communication system. A secure communication system employs secure network protocols, such as Secure Real-time Transport Protocol (SRTP) as described in Internet Engineering Task Force (IETF) Request for Comments (RFC) 3711 dated March 2004 (and any subsequent revisions) and Secure Real-time Transport Control Protocol (SRTCP) as described in IETF RFC 3550 dated July 2003 (and any subsequent revisions), to assure privacy for a group during a communication session. As used herein, a group is a communication group, and comprises a number of members, and each member uses a communication device (also interchangeably referred to as device) to participate in a communication session. Within the group, one member, using a device, sends packets (also interchangeably referred to as network packets) that carry encrypted data, such as voice data, to one or more other members of the group.
A secure communication system generally utilizes an infrastructure device, such as a central unit, to receive the packets from a sending device, and then forward the packets to one or more receiving devices. To achieve security for the device-to-device (also interchangeably referred to as end-to-end and member-to-member) communication, the central unit operates as either a translator or a mixer. As a translator, the central unit simply reroutes a packet by replacing destination information in the transport layer headers, such as User Datagram Protocol (UDP) headers and Internet Protocol (IP) headers, with new destination information. However, the translator approach is open to network amplification attacks because the central unit will blindly forward any rogue packets to downstream devices. A single upstream rogue packet could result in many downstream rogue packets, which will consume valuable resources of the network and receiving devices, and help enable Denial-of-Service (DoS) attacks on the network. A DoS attack may paralyze an entire network system.
Alternatively, the central unit functions as a mixer by cryptographically modifying or altering the packets. To cryptographically modify a packet, the central unit decrypts and then re-encrypts the packet after altering the media stream by, for example, converting the media to another format or combining media from multiple simultaneous senders. Accordingly, the central unit must possess the cryptographic keys for all inbound and outbound packets, thus becoming an attack point and a single point of failure and fundamentally breaking end-to-end encryption between endpoints. Furthermore, the central point must possess extra processing power to decrypt and encrypt all the packets in real time.
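The translator and mixer trade-off described above can be modelled in a few lines. This is an added example, not part of the original document: the packet layout (4-byte sequence number, ciphertext, truncated HMAC tag), the toy SHA-256 keystream standing in for a real cipher, and all keys and names are constructed assumptions.

```python
import hashlib
import hmac

TAG_LEN = 10  # bytes; constructed packet layout: 4-byte seq | ciphertext | tag

def _xor_stream(key, seq, data):
    # Toy keystream (SHA-256 in counter mode), a stand-in for a real cipher.
    stream = b""
    for block in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + seq.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(auth_key, body):
    return hmac.new(auth_key, body, hashlib.sha1).digest()[:TAG_LEN]

def protect(keys, seq, payload):
    enc_key, auth_key = keys
    body = seq.to_bytes(4, "big") + _xor_stream(enc_key, seq, payload)
    return body + _tag(auth_key, body)

def unprotect(keys, packet):
    """Return the plaintext, or None if the packet fails authentication."""
    enc_key, auth_key = keys
    if len(packet) < 4 + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(auth_key, body)):
        return None
    return _xor_stream(enc_key, int.from_bytes(body[:4], "big"), body[4:])

def translator_forward(packet, receivers):
    # Translator: only the destination changes. It holds no keys, so a rogue
    # packet is copied to every receiver exactly like a genuine one.
    return [(dst, packet) for dst in receivers]

def mixer_forward(packet, sender_keys, receiver_keys):
    # Mixer: decrypt with the sender's keys, re-encrypt per receiver. Rogue
    # packets are dropped, but the central unit handles the plaintext.
    plaintext = unprotect(sender_keys, packet)
    if plaintext is None:
        return [], None
    seq = int.from_bytes(packet[:4], "big")
    return [(dst, protect(k, seq, plaintext)) for dst, k in receiver_keys.items()], plaintext

# Constructed sample data: one sender, three receivers, one rogue packet.
SENDER_KEYS = (b"sender-enc-key", b"sender-auth-key")
RECEIVER_KEYS = {f"rx{i}": (b"enc-%d" % i, b"auth-%d" % i) for i in range(3)}
GENUINE = protect(SENDER_KEYS, 1, b"voice frame")
ROGUE = b"\x00\x00\x00\x02" + b"\xff" * 40  # no valid tag
```

With the translator, the rogue packet reaches all three receivers before any of them can reject it; with the mixer it is dropped at the central unit, which in exchange holds every key and sees the plaintext of each genuine packet.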
Accordingly, there is a need for a system that includes a central server but that nonetheless performs a method that achieves end-to-end security in a communication system without at least some of the shortcomings of the translator and mixer approaches.
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions of some of the elements in the figures may be exaggerated relative to other elements to help improve understanding of various embodiments. In addition, the description and drawings do not necessarily require the order illustrated. It will be further appreciated that certain actions and/or steps may be described or depicted in a particular order of occurrence while those skilled in the art will understand that such specificity with respect to sequence is not actually required.
System and method components have been represented where appropriate by conventional symbols in the drawings, showing only those specific details that are pertinent to understanding the various embodiments so as not to obscure the disclosure with details that will be readily apparent to those of ordinary skill in the art having the benefit of the description herein. Thus, it will be appreciated that for simplicity and clarity of illustration, common and well-understood elements that are useful or necessary in a commercially feasible embodiment may not be depicted in order to facilitate a less obstructed view of these various embodiments.