The field of the present invention pertains to communication. More particularly, the present invention relates to the field of encrypted network communication.
One of the many ways that people communicate is over networks made up of interconnected computer systems. With these computer system networks, large amounts of information can be sent and received over great distances in a very short period of time. There are different types of computer system networks. One type of network is referred to as a local area network (LAN) which is a private network that is typically used within smaller geographical areas, e.g., a building complex of a company. Another type of network is referred to as a wide area network (WAN) which is a network for many independent users that typically covers an expansive geographical area, e.g., a city, a country, or the world.
Obviously, these different types of computer networks can be associated with both legal and illegal activities. As such, the need sometimes arises for law enforcement agencies to monitor the activities of specific individuals or groups that utilize computer networks. Therefore, law enforcement agencies need to gain access to specific communications that travel over computer networks. One way this can be accomplished is by wiretapping a computer system used by a specific individual. But law enforcement agencies have encountered obstacles associated with wiretapping computer systems. One of the main obstacles is that some of the retrieved communication data is encrypted and therefore unreadable. As such, the encrypted communication data is rendered useless for the objectives of law enforcement agencies.
In an effort to combat this law enforcement obstacle of encrypted communication data, the United States (U.S.) government has restricted U.S. companies from exporting hardware and software which supports strong encryption. As such, U.S. companies are only allowed to export hardware and software that incorporate weak encryption algorithms. Security professionals understand that the weak encryption that is exported by U.S. companies offers no real security. Therefore, the U.S. government continues to prevent U.S. companies from competing in the global market for secure delivery systems.
Since about 1993, the U.S. government has indicated that if a "key escrow" system was developed and implemented, it would ease the restrictions on exportation of hardware and software that supports strong encryption. This key escrow system, also known as a "key recovery" or "key management infrastructure" (KMI) system, would be developed whereby encryption keys would be stored, thereby enabling law enforcement agencies to access them if they have a court order. Such a key escrow system proposal is both practically and technically unworkable. For instance, the key escrow system would require a very massive database in order to store all the encryption keys ever used between two parties over any type of computer network. Another disadvantage associated with the key escrow system is that it would be an extremely appealing target for people who break into computer systems to perform illegal activities, commonly referred to as "hackers."
Recently, the U.S. government has indicated that besides the key escrow system, it would be satisfied with access to unencrypted communication data, also referred to as plaintext or cleartext, transmitted over computer networks. One prior art attempt for providing the U.S. government and law enforcement agencies access to plaintext involves utilizing the router as the encryption gateway while the end-station does not participate in the encryption of its traffic. Specifically, a router encrypts any data received from an end-station and then sends it to its destination. It should be appreciated that a series of routers are typically utilized during the transmission of data over a computer network. Therefore, in order to provide access to the plaintext, one of the routers in a series of routers decrypts the data and sends it in the clear to another router, which re-encrypts the data and sends it to its destination. As such, law enforcement agencies put a wiretap between the two routers in order to access the plaintext data while it is in the clear.
There are several disadvantages associated with the prior art router approach described above. One of the main disadvantages is that a computer user does not have any control over the encryption of their data. Instead, the computer user relinquishes that control to some third party. Consequently, this raises the issue of whether the third party is operating in the best interest of the computer user. Another disadvantage of the prior art router approach is that it allows plaintext communication data to be transmitted in the clear en route to its destination. As such, the possibility exists that others not associated with any law enforcement agency could also gain access to the plaintext communication data. Therefore, the prior art router approach is undesirable because it is not a completely secure information delivery system.
Another one of the disadvantages of the prior art router approach is a large performance drain on many routers caused by handling encryption for many different communication sessions. One prior art technique to overcome this performance drain is to add extra hardware to each router of the established infrastructure to specifically handle the encryption functionality. But there are also disadvantages associated with this prior art technique. For instance, it involves a monumental task of changing the established hardware infrastructure of routers that form computer networks. Furthermore, adding extra hardware to routers introduces extra costs to those who own routers.
Accordingly, a need exists for a method and system for providing law enforcement agencies the ability to wiretap specific encrypted communications. A further need exists for a method and system which meets the above need and which does not involve changing the established hardware infrastructure of computer networks. Still another need exists for a method and system which meets the above need and which does not slow down the performance of the network system. Furthermore, another need exists for a method and system which meets the above need and which does not relinquish encryption of communication data to a third party. Additionally, another need exists for a method and system which meets the above need and which does not allow communication data to be transmitted at any time in plaintext en route to its destination.
The present invention provides a method and system for providing law enforcement agencies the ability to wiretap specific encrypted communications. Moreover, the present invention provides a method and system which meets the above need and allows the established hardware infrastructure of computer networks to remain unchanged. Furthermore, the present invention provides a method and system which meets the above need while not affecting the performance of the network. Additionally, the present invention provides a method and system which meets the above need while enabling end users to utilize any desired encryption algorithms for their communications. The present invention also provides a method and system which meets the above need while enabling encrypted communication data to remain encrypted during transmittal en route to its destination.
Specifically, one embodiment of the present invention includes a system for allowing controlled access to a networked communication. The system comprises an intermediate device that includes memory. The memory of the intermediate device is for storing a policy rule therein. The intermediate device is adapted to download the policy rule, which governs access to a desired location, to a client. The system further comprises the client, which is coupled to the intermediate device. The client is adapted to receive the policy rule when the intermediate device downloads it to the client. As a result of the policy rule, any communication data intended to travel between a first destination and the client is forwarded to a second destination.
Other embodiments of the present invention include the above and further comprise a remote access server, which forwards to the second destination any communication data intended to travel between the first destination and the client. Additionally, the second destination mentioned above is a destination that provides a law enforcement agency access to the communication data. Furthermore, the downloading of the policy rule by the intermediate device to the client mentioned above is motivated by a law enforcement agency desiring access to the communication data.
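A toy model of the two designs described in this background and summary, added here as an illustration rather than code from the patent: it records what each simulated link carries under the prior-art router-gateway approach and under the client-side policy-rule approach, and reports which links expose the plaintext. The XOR stand-in for a cipher, the link names, the CIDR form of the policy rule, and the choice to forward an unchanged copy of the ciphertext to the second destination are assumptions made for the example; how that destination is enabled to read the copy, and the remote access server variant, are not modeled.

```python
"""Toy model of where plaintext appears on the wire under the router-gateway
approach and the client-side policy-rule approach.  Added example, not code
from the patent.  The XOR stand-in for encryption, the link names and the
CIDR-based rule format are assumptions made for illustration."""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real cipher (assumption).  It exists only so that
    ciphertext and plaintext are distinguishable on the simulated links;
    XOR with a repeating key is NOT secure.  Applying it twice with the
    same key decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class PolicyRule:
    """Rule an intermediate device downloads to a client: traffic between the
    client and any host in first_destination is also forwarded to
    second_destination.  Assumed format."""
    client: str
    first_destination: str      # CIDR, e.g. "198.51.100.0/24"
    second_destination: str

    def matches(self, client: str, peer: str) -> bool:
        return (client == self.client and
                ipaddress.ip_address(peer) in ipaddress.ip_network(self.first_destination))


def router_gateway_path(plaintext: bytes, key_a: bytes, key_b: bytes) -> Dict[str, bytes]:
    """Prior-art router approach: the end-station sends in the clear, router A
    encrypts, a router at the tap point decrypts and hands the cleartext to
    router B, which re-encrypts toward the destination.  Returns what each
    link carried."""
    links: Dict[str, bytes] = {}
    links["end-station->routerA"] = plaintext          # end-station does not encrypt
    ct_a = xor_cipher(key_a, plaintext)
    links["routerA->tap"] = ct_a
    clear = xor_cipher(key_a, ct_a)                     # decrypted at the tap router
    links["tap->routerB"] = clear                       # the wiretap reads this link
    links["routerB->destination"] = xor_cipher(key_b, clear)
    return links


class Client:
    """End-station that encrypts its own traffic and applies any policy rule
    pushed to it by the intermediate device."""

    def __init__(self, address: str, session_key: bytes):
        self.address = address
        self.session_key = session_key
        self.rule: Optional[PolicyRule] = None

    def receive_policy(self, rule: PolicyRule) -> None:
        """Download step: the intermediate device pushes the rule to the client."""
        self.rule = rule

    def send(self, peer: str, plaintext: bytes) -> Dict[str, bytes]:
        """Encrypt locally; if the rule matches this peer, also forward a copy
        toward the second destination.  The text does not say how that
        destination is enabled to read the copy, so this model forwards the
        ciphertext unchanged (assumption): no link ever carries plaintext."""
        links: Dict[str, bytes] = {}
        ct = xor_cipher(self.session_key, plaintext)
        links[f"{self.address}->{peer}"] = ct
        if self.rule is not None and self.rule.matches(self.address, peer):
            links[f"{self.address}->{self.rule.second_destination}"] = ct
        return links


def plaintext_links(links: Dict[str, bytes], plaintext: bytes) -> List[str]:
    """Audit helper: names of the links that carried the plaintext verbatim."""
    return sorted(name for name, payload in links.items() if payload == plaintext)


if __name__ == "__main__":
    msg = b"meet at the usual place"          # constructed sample message
    router_links = router_gateway_path(msg, b"A" * 8, b"B" * 8)
    print("router approach exposes plaintext on:", plaintext_links(router_links, msg))

    client = Client("192.0.2.10", b"\x13" * 8)
    client.receive_policy(PolicyRule("192.0.2.10", "198.51.100.0/24", "203.0.113.5"))
    policy_links = client.send("198.51.100.7", msg)
    print("policy approach links:", sorted(policy_links),
          "exposes plaintext on:", plaintext_links(policy_links, msg))
```

The audit helper is the point of the model: under the router-gateway path the end-station link and the inter-router tap link both carry the message in the clear, so anyone on those links, not only the agency holding the wiretap, can read it; under the policy-rule path every link carries ciphertext and the only observable effect of the rule is the extra copy sent toward the second destination.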
These and other advantages of the present invention will no doubt become obvious to those of ordinary skill in the art after having read the following detailed description of the preferred embodiments which are illustrated in the drawing figures.