The 3rd Generation Partnership Project (3GPP) is currently considering several lawful interception and key generation approaches for IP Multimedia Subsystem (IMS) media security. One such key generation approach is Multimedia Internet KEYing—Identity Based Authentication Key Exchange (MIKEY-IBAKE), which is an example of the well-known Diffie-Hellman key exchange. The goal of such a key generation protocol is to establish agreement on a session key Ksess between two UEs, where UE stands for user equipment
As shown in FIG. 1, the steps in the MIKEY-IBAKE process can be summarized as follows: (1) UE1 generates private key information K1 by using a its key generation unit (KGU); (2) UE1 computes K1P using K1 and a publicly known elliptic curve point P; (3) UE1 transmits K1P to UE2 using Session Initiation Protocol (SIP) signaling via device CSCF1 and device CSCF2, each of which implements a Call Session Control Function (CSCF); (4) UE2 generates private key information K2 by using its KGU; (5) UE2 computes K2P using K2 and the publicly known elliptic curve point P; (6) UE2 transmits K2P to UE1 using SIP signaling; and (7) UE1 and UE2 each generate Ksess=K1K2P using [K1, K2P] and [K1P, K2], respectively.
In FIG. 1, the only entities with knowledge of the session key are UE1 and UE2. However, in addition to providing secure communications between UEs, government regulations also require that lawful interception be supported.
FIG. 2 illustrates a conventional key generation process allowing for lawful interception. As shown in FIG. 2, each KGU in a corresponding UEi produces corresponding keying information Ki, in a defined way from a corresponding master key KMi and a timestamp Tα. The master key KMi is known only to the corresponding UEi and a corresponding network device that is configured to perform a network intercept function under control of a corresponding law enforcement agency (LEA), as illustrated in FIG. 2. For example, CSCF1 and a corresponding intercept device of LEA1 are part of a first network, while CSCF2 and a corresponding intercept device of LEA2 are part of a second network, which is in communication with the first network.
Further, the timestamp Tα used in generating the corresponding keying information Ki is transmitted along with KiP in SIP by each corresponding UEi. Both KiP and Tα can be stored in one or more of the CSCF devices (CSCF1 and CSCF2) in the respective networks, as shown in FIG. 2. In particular, note that FIG. 2 shows the general case of UEs located in different networks, thus requiring separate CSCF devices. When UEs are located in a single network, only one CSCF device need be used.
The steps taken by the interception device of LEA2 in generating the session key Ksess for the purpose of lawful interception are as follows: (1) retrieve KM2 (used by UE2) from internal storage, and retrieve K1P and Tα from device CSCF2; (2) generate keying information K2=f(KM2, Tα); and (3) generate Ksess=K1K2P. The interception device of LEA2 can now decrypt traffic between UE1 and UE2 and forward it to LEA2. The interception process for the interception device of LEA1 is analogous, but uses KM1, Tα, and K2P.
Further, note that the above lawful interception process can be generalized so that UE1 and UE2 use different timestamps for key generation and/or signaling (e.g., Tα1, Tα2).