Methods and systems for enabling legal-intercept mode for a targeted secure element

What is claimed is: 1. A method comprising: embedding a first key-negotiation parameter associated with a target client device into an intercept secure encryption element; configuring an encryption-management device to receive the intercept secure encryption element and to receive a second key-negotiation parameter associated with the target client device and obtained from a service-provider system, the encryption-management device configured to embed the second key-negotiation parameter into the intercept secure encryption element; and providing the intercept secure encryption element to a communications-intercept system configured to obtain intercepted messages associated with the target client device, the intercepted messages comprising session-key-negotiation messages and associated data messages encrypted with a corresponding negotiated session key, wherein the intercept secure encryption element is configured to (i) identify the negotiated session key based on the session-key-negotiation messages and the first and second key-negotiation parameters and (ii) decrypt the data messages with the negotiated session key. 2. The method of claim 1 , further comprising configuring the encryption-management device to provide the first and second key-negotiation parameters to a target secure encryption element associated with the target client device. 3. The method of claim 1 , wherein a target secure encryption element associated with the target client device is preconfigured with the first and second key-negotiation parameters. 4. The method of claim 1 , wherein the negotiated session key is based on a first secret key associated with the target client device and a second secret key associated with a second client device, wherein a target secure encryption element associated with the target client device is selectively configured to use, as the first secret key, a pseudorandom secret key that is based on the first and second key-negotiation parameters. 5. The method of claim 4 , wherein each of the target secure encryption element and the intercept secure encryption element is configured with a respective pseudorandom generator that generates the pseudorandom secret key based on the first and second key-negotiation parameters. 6. The method of claim 4 , further comprising transmitting a configuration command to the target secure encryption element to selectively configure the target secure encryption element to generate the pseudorandom secret key. 7. The method of claim 4 , wherein either or both of the target secure encryption element and the intercept secure encryption element have at least one tamper-resistant safeguard. 8. The method of claim 1 , further comprising configuring the encryption-management device to obtain the second key-negotiation parameter from the service-provider system responsive to receiving the intercept secure encryption element. 9. The method of claim 1 , further comprising configuring the encryption-management device to obtain the second key-negotiation parameter via a user interface. 10. A method comprising: receiving an intercept secure encryption element containing an embedded first key-negotiation parameter associated with a target client device; obtaining, from a service-provider system, a second key-negotiation parameter associated with the target client device; embedding the second key-negotiation parameter into the intercept secure encryption element; obtaining intercepted messages associated with the target client device, the intercepted messages comprising session-key-negotiation messages and associated data messages encrypted with a corresponding negotiated session key; identifying, with the intercept secure encryption element, the negotiated session key based on the session-key-negotiation messages and the first and second key-negotiation parameters; and decrypting the data messages with the intercept secure encryption element and the negotiated session key. 11. The method of claim 10 , further comprising providing the first and second key-negotiation parameters to a target secure encryption element associated with the target client device. 12. The method of claim 10 , wherein a target secure encryption element associated with the target client device is preconfigured with the first and second key-negotiation parameters. 13. The method of claim 10 , wherein the negotiated session key is based on a first secret key associated with the target client device and a second secret key associated with a second client device, wherein a target secure encryption element associated with the target client device is selectively configured to use, as the first secret key, a pseudorandom secret key that is based on the first and second key-negotiation parameters. 14. The method of claim 13 , wherein each of the target secure encryption element and the intercept secure encryption element is configured with a respective pseudorandom generator that generates the pseudorandom secret key based on the first and second key-negotiation parameters. 15. The method of claim 13 , further comprising transmitting a configuration command to the target secure encryption element to selectively configure the target secure encryption element to generate the pseudorandom secret key. 16. The method of claim 13 , wherein either or both of the target secure encryption element and the intercept secure encryption element have at least one tamper-resistant safeguard. 17. The method of claim 10 , wherein the second key-negotiation parameter is obtained from the service-provided system responsive to receiving the intercept secure encryption element. 18. A method comprising: negotiating cryptographic session keys with remote devices using randomly generated secret keys, and encrypting and decrypting data with the negotiated session keys during communication sessions with the remote devices; and receiving and authenticating an intercept-mode command, and responsively negotiating a predictable cryptographic session key at least in part by: accessing a first key-negotiation parameter originating in a secure-encryption-element provider and a second key-negotiation parameter originating in a service provider; generating a pseudorandom secret key based on the first and second key-negotiation parameters; generating and sharing a first shared intermediate value based on the pseudorandom secret key; receiving a second shared intermediate value; generating the predictable cryptographic session key based on the pseudorandom secret key and the second shared intermediate value; and encrypting and decrypting data with the generated predictable cryptographic session key during a communication session with a remote device. 19. The method of claim 18 , wherein the first shared intermediate value is generated using a discrete-logarithm function or an elliptical-curve function. 20. The method of claim 19 , wherein the discrete-logarithm function comprises an exponential multiplication of the pseudorandom secret key into a product, followed by a modulo reduction of the product.