Interposer with security assistant key escrow
First Claim
1. A method comprising:
at a network device, receiving a set of session initiation messages from a client device, the set of session initiation messages comprising an address for a server to initiate a handshake for a secure session between the client device and the server;
forwarding the set of session initiation messages to the server at the server address;
forwarding the set of session initiation messages to a security assistant device, the security assistant device physically located in a secure location apart from the network device;
receiving a first session authorization, wherein the first session authorization is based on a first key stored on the server;
determining whether the network device will act as an active interposer or as a transparent interposer;
responsive to a determination that the network device will act as an active interposer, receiving a second session authorization from the security assistant device and transmitting the second session authorization to the client device, wherein the second session authorization is based on a second key stored on the security assistant device;
responsive to a determination that the network device will act as a transparent interposer, transmitting to the client device the first session authorization;
sending a portion of the handshake for the secure session to be processed by the security assistant device using the first key or the second key;
receiving from the security assistant device the portion of the handshake that has been processed by the first key or the second key;
receiving a plurality of secure messages from the secure session between the client device and the server;
unwrapping the plurality of secure messages with the second session authorization received from the security assistant device to generate a plurality of unwrapped messages; and
processing the unwrapped messages according to a network application based on contents of the unwrapped messages.
1 Assignment
0 Petitions
Abstract
An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of the client or the server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides inside the secure physical network perimeter and holds the private keying material required to derive the session keys for interposing into the application security protocol. During a security protocol handshake, the interposer sends the SAKE the security protocol handshake messages and in return receives from the SAKE the session security state that allows it to participate in the application security protocol.
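The handshake the abstract describes, as an added Python model (not code from the patent or from any product): the interposer forwards the client's key share, the SAKE performs the private-key portion of the handshake with either the escrowed server key (transparent mode) or its own key (active mode) and hands back only session state, and the interposer uses that state to unwrap records without ever holding a private key. The toy Diffie-Hellman group, the message layout, the HMAC-based record wrapping and all class and function names are constructed assumptions for illustration.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group: Mersenne prime 2^127-1, generator 3 (constructed; far too small for real use).
P, G = (1 << 127) - 1, 3

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(shared, client_share, auth):
    # Bind the derived key to the handshake transcript (client share + authorization), HKDF-extract style.
    transcript = client_share.to_bytes(16, "big") + auth.to_bytes(16, "big")
    return hmac.new(shared.to_bytes(16, "big"), transcript, hashlib.sha256).digest()

def xor_record(key, seq, data):
    # Per-record keystream = HMAC(key, seq); XOR is symmetric, so this both wraps and unwraps.
    stream = hmac.new(key, seq.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(b ^ stream[i % 32] for i, b in enumerate(data))

class SAKE:
    """Security assistant key escrow: holds the server's private key (first key) and its own (second key)."""
    def __init__(self, server_priv):
        self.first_key = server_priv
        self.second_key, self.second_auth = keygen()
    def process_handshake(self, mode, client_share, auth):
        # The interposer hands over the portion that needs a private key; only session state goes back.
        priv = self.first_key if mode == "transparent" else self.second_key
        return session_key(pow(client_share, priv, P), client_share, auth)

class Interposer:
    """Network device: forwards handshake messages and holds session keys, never a private key."""
    def __init__(self, mode, server_auth, sake):
        self.mode, self.sake, self.keys = mode, sake, {}
        # First session authorization comes from the server; the second from the SAKE (active mode only).
        self.auth = server_auth if mode == "transparent" else sake.second_auth
    def handshake(self, client_share):
        self.keys[client_share] = self.sake.process_handshake(self.mode, client_share, self.auth)
        return self.auth                                        # the authorization the client sees
    def unwrap(self, client_share, seq, record):
        return xor_record(self.keys[client_share], seq, record)

def run_session(mode, plaintext=b"GET /account HTTP/1.1"):
    server_priv, server_auth = keygen()                         # first key lives on the server...
    interposer = Interposer(mode, server_auth, SAKE(server_priv))  # ...and is escrowed on the SAKE
    client_priv, client_share = keygen()
    auth = interposer.handshake(client_share)                   # session initiation + authorization
    client_key = session_key(pow(auth, client_priv, P), client_share, auth)
    record = xor_record(client_key, 1, plaintext)               # constructed secure message from the client
    # Returns the unwrapped message and whether the client saw the server's own authorization.
    return interposer.unwrap(client_share, 1, record), auth == server_auth
```

In transparent mode the client sees the server's real authorization; in active mode it sees the SAKE's, which is the observable difference a client-side check would detect.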
31 Citations
19 Claims
1. A method comprising: (text as given under First Claim above.)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. An apparatus comprising:
a network interface unit that sends and receives communications over a network; and
a processor coupled to the network interface unit, to:
receive a set of session initiation messages from a client device via the network interface unit, the set of session initiation messages comprising a server address for a server to initiate a handshake for a secure session between the client device and the server;
cause the network interface unit to forward the set of session initiation messages to the server at the server address;
cause the network interface unit to forward the set of session initiation messages to a security assistant device physically located separate from the apparatus;
receive a first session authorization from the server, wherein the first session authorization is based on a first key stored on the server;
determine whether the apparatus will act as an active interposer or as a transparent interposer;
responsive to a determination that the apparatus will act as an active interposer, receive a second session authorization from the security assistant device via the network interface unit and cause the network interface unit to transmit the second session authorization to the client device, wherein the second session authorization is based on a second key stored on the security assistant device;
responsive to a determination that the apparatus will act as a transparent interposer, cause the network interface unit to transmit to the client device the first session authorization;
cause the network interface unit to send a portion of the handshake for the secure session to be processed by the security assistant device using the first key or the second key;
receive from the security assistant device, via the network interface unit, the portion of the handshake that has been processed by the first key or the second key;
receive, via the network interface unit, a plurality of secure messages from the secure session between the client device and the server;
unwrap the plurality of secure messages with the second session authorization received from the security assistant device to generate a plurality of unwrapped messages; and
process the unwrapped messages according to a network application based on contents of the unwrapped messages.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
Specification