Intercepting secure session upon receipt of untrusted certificate

US 10,116,634 B2
Filed: 06/28/2016
Issued: 10/30/2018
Est. Priority Date: 06/28/2016
Status: Active Grant

First Claim

Patent Images

1. A system for intercepting a secure session, the system comprising:

a network device configured to;

intercept a first secure data session, wherein the first secure data session is established between a client device and a server device via a security gateway;

establish a second secure data session between the server device and the security gateway;

receive a first secure session request from the client device over the first secure data session;

receive a server certificate from the server device over the second secure data session, the server certificate being associated with the first secure session request;

determine that the server certificate is untrusted;

in response to the determining that the server certificate is untrusted, generate a gateway certificate based on the server certificate;

provide the gateway certificate to the client device, wherein the client device determines that the gateway certificate is untrusted and determines, based on a security policy, whether to proceed with the first secure data session; and

receive first secure content from the client device over the first secure data session; and

a processor being in operative connection with the network device, wherein the processor is configured to;

create first encrypted secure content using the first secure content and the server certificate from the server device; and

send or cause sending the first encrypted secure content to the server device over the second secure data session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for intercepting, by a security gateway, a secure data session comprises the steps of establishing a first secure data session between a client device and a server device, intercepting the first secure data session by the security gateway, establishing a second secure data session between the server device and the security gateway, receiving a first secure session request from the client device, generating a second secure session request based on the first secure session request, receiving a server certificate from the server device, sending the second secure session request to the server device, receiving first secure content from the client device over the first secure data session, creating first encrypted secure content using the first secure content and the server certificate, and sending the first encrypted secure content to the server device over the second secure data session.

146 Citations

20 Claims

1. A system for intercepting a secure session, the system comprising:
- a network device configured to;
  
  intercept a first secure data session, wherein the first secure data session is established between a client device and a server device via a security gateway;
  
  establish a second secure data session between the server device and the security gateway;
  
  receive a first secure session request from the client device over the first secure data session;
  
  receive a server certificate from the server device over the second secure data session, the server certificate being associated with the first secure session request;
  
  determine that the server certificate is untrusted;
  
  in response to the determining that the server certificate is untrusted, generate a gateway certificate based on the server certificate;
  
  provide the gateway certificate to the client device, wherein the client device determines that the gateway certificate is untrusted and determines, based on a security policy, whether to proceed with the first secure data session; and
  
  receive first secure content from the client device over the first secure data session; and
  
  a processor being in operative connection with the network device, wherein the processor is configured to;
  
  create first encrypted secure content using the first secure content and the server certificate from the server device; and
  
  send or cause sending the first encrypted secure content to the server device over the second secure data session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the processor module is further configured to:
    - in response to receiving the first secure session request from the client device, generate a second secure session request based on the first secure session request, wherein the second secure session request differs from the first secure session request; and
      
      send or cause sending the second secure session request to the server device over the second secure session.
  - 3. The system of claim 2, further comprising the server device operable to:
    - in response to receiving the second secure session request from the security gateway, generate by the server device the server certificate; and
      
      send the server certificate to the security gateway over the second secure session.
  - 4. The system of claim 2, wherein the processor is further configured to:
    - access a server certificate table containing a plurality of security certificates from a data store; and
      
      match the server certificate against the plurality of security certificates of the security certificate table, wherein the determining that the server certificate is untrusted is performed based on the matching.
  - 5. The system of claim 4, wherein the processor is further configured to:
    - in response to determining that the server certificate is untrusted, check a security policy; and
      
      determine whether interception of content transferrable using the first secure session or the second secure session is required based on the security policy.
  - 6. The system of claim 5, wherein the processor generates the gateway certificate in response to determining that interception of content transferrable using the first secure session or the second secure session is required.
  - 7. The system of claim 6, wherein the processor module is further configured to:
    - copy the server certificate to the gateway certificate;
      
      replace a server security key with a gateway security key, wherein the gateway security key is untrusted with respect to the client device; and
      
      sign the gateway certificate using the gateway key.
  - 8. The system of claim 7, wherein the processor further provides the gateway certificate to the client device by sending the gateway certificate to the client device in a packet, wherein the packet is a response to the first secure session request.
  - 9. The system of claim 8, wherein the processor is further configured to:
    - receive second secure content from the server device over the second secure data session;
      
      create second encrypted secure content using the second secure content and a gateway certificate; and
      
      send the second encrypted secure content to the client device over the first secure data session.

10. A method for intercepting a secure session, the method comprising:
- establishing a first secure data session between a client device and a server device via a security gateway;
  
  intercepting the first secure data session by the security gateway;
  
  establishing, by the security gateway, a second secure data session between the server device and the security gateway;
  
  receiving, by the security gateway, a first secure session request from the client device over the first secure data session;
  
  receiving, by the security gateway, a server certificate from the server device over the second secure data session, the server certificate being associated with the first secure session request;
  
  determining, by the security gateway, that the server certificate is untrusted;
  
  in response to the determining that the server certificate is untrusted, generating, by the security gateway, a gateway certificate based on the server certificate;
  
  providing, by the security gateway, the gateway certificate to the client device, wherein the client device determines that the gateway certificate is untrusted and determines, based on a security policy, whether to proceed with the first secure data session;
  
  receiving, by the security gateway, first secure content from the client device over the first secure data session;
  
  creating, by the security gateway, first encrypted secure content using the first secure content and the server certificate from the server device; and
  
  sending, by the security gateway, the first encrypted secure content to the server device over the second secure data session.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, further comprising:
    - in response to receiving the first secure session request from the client device, generating by the security gateway, a second secure session request based on the first secure session request, wherein the second secure session request differs from the first secure session request; and
      
      sending by the security gateway the second secure session request to the server device over the second secure session.
  - 12. The method of claim 11, further comprising:
    - in response to receiving the second secure session request from the security gateway, generating, by the server device, the server certificate; and
      
      sending, by the server device, the server certificate to the security gateway over the second secure session.
  - 13. The method of claim 11, further comprising:
    - accessing, by the security gateway, a server certificate table containing a plurality of security certificates from a data store; and
      
      matching the server certificate against the plurality of security certificates of the security certificate table, wherein the determining that the server certificate is untrusted is performed based on the matching.
  - 14. The method of claim 13, further comprising:
    - in response to determining that the server certificate is untrusted, checking by the security gateway a security policy; and
      
      determining whether interception of content transferrable using the first secure session or the second secure session is required.
  - 15. The method of claim 14, wherein the generating by the security gateway of the gateway certificate is performed in response to determining that interception of content transferrable using the first secure session or the second secure session is required.
  - 16. The method of claim 15, further comprising:
    - copying by the security gateway the server certificate to the gateway certificate;
      
      replacing by the security gateway a server security key with a gateway security key, wherein the gateway security key is untrusted with respect to the client device; and
      
      signing, by the security gateway, the gateway certificate using the gateway key.
  - 17. The method of claim 15, wherein the providing of the gateway certificate to the client device includessending by the security gateway the gateway certificate to the client device in a packet, which is a response to the first secure session request.
  - 18. The method of claim 17, further comprising:
    - if it is determined by the client device that the gateway certificate is untrusted, using the first secure data session to transmit secure data from the client device to the server device.
  - 19. The method of claim 17, further comprising:
    - receiving, by the security gateway, second secure content from the server device over the second secure data session;
      
      creating, by the security gateway, second encrypted secure content using the second secure content and a gateway certificate; and
      
      sending, by the security gateway, the second encrypted secure content to the client device over the first secure data session.

20. A non-transitory processor-readable medium having instructions stored thereon, which when executed by one or more processors, cause the one or more processors to implement a method for intercepting a secure session, the method comprising:
- enabling to establish a first secure data session between a client device and a server device via a security gateway;
  
  intercepting the first secure data session by the security gateway;
  
  establishing, by the security gateway, a second secure data session between the server device and the security gateway;
  
  receiving, by the security gateway, a first secure session request from the client device over the first secure data session;
  
  receiving, by the security gateway, a server certificate from the server device over the second secure data session, the server certificate being associated with the first secure session request;
  
  determining, by the security gateway, that the server certificate is untrusted;
  
  in response to the determining that the server certificate is untrusted, generating, by the security gateway, a gateway certificate based on the server certificate;
  
  providing, by the security gateway, the gateway certificate to the client device, wherein the client device determines that the gateway certificate is untrusted and determines, based on a security policy, whether to proceed with the first secure data session;
  
  receiving, by the security gateway, first secure content from the client device over the first secure data session;
  
  creating, by the security gateway, first encrypted secure content using the first secure content and the server certificate from the server device; and
  
  sending, by the security gateway, the first encrypted secure content to the server device over the second secure data session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Golshan, Ali, Jiang, Xuyang, Yang, Yang
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Ahmed, Mahabub S

Application Number

US15/195,812
Publication Number

US 20170374043A1
Time in Patent Office

854 Days
Field of Search

713153
US Class Current
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/0471   applying encryption by an i...

H04L 63/0823   using certificates cryptogr...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/166   at the transport layer

H04L 63/18   using different networks or...

H04L 9/3268   using certificate validatio...

Intercepting secure session upon receipt of untrusted certificate

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

146 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Intercepting secure session upon receipt of untrusted certificate

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

146 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others