Interposer with security assistant key escrow

US 10,178,181 B2
Filed: 07/10/2014
Issued: 01/08/2019
Est. Priority Date: 04/02/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a network device, receiving a set of session initiation messages from a client device, the set of session initiation messages comprising an address for a server to initiate a handshake for a secure session between the client device and the server;

forwarding the set of session initiation messages to the server at the server address;

forwarding the set of session initiation messages to a security assistant device, the security assistant device physically located in a secure location apart from the network device;

receiving a first session authorization, wherein the first session authorization is based on a first key stored on the server;

determining whether the network device will act as an active interposer or as a transparent interposer;

responsive to a determination that the network device will act as an active interposer, receiving a second session authorization from the security assistant device and transmitting the second session authorization to the client device, wherein the second session authorization is based on a second key stored on the security assistant device;

responsive to a determination that the network device will act as a transparent interposer, transmitting to the client device the first session authorization;

sending a portion of the handshake for the secure session to be processed by the security assistant device using the first key or the second key;

receiving from the security assistant device, the portion of the handshake that has been processed by the first key or the second keys;

receiving a plurality of secure messages from the secure session between the client device and the server;

unwrapping the plurality of secure messages with the second session authorization received from the security assistant device to generate a plurality of unwrapped messages; and

processing the unwrapped messages according to a network application based on contents of the unwrapped messages.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.

31 Citations

View as Search Results

19 Claims

1. A method comprising:
- at a network device, receiving a set of session initiation messages from a client device, the set of session initiation messages comprising an address for a server to initiate a handshake for a secure session between the client device and the server;
  
  forwarding the set of session initiation messages to the server at the server address;
  
  forwarding the set of session initiation messages to a security assistant device, the security assistant device physically located in a secure location apart from the network device;
  
  receiving a first session authorization, wherein the first session authorization is based on a first key stored on the server;
  
  determining whether the network device will act as an active interposer or as a transparent interposer;
  
  responsive to a determination that the network device will act as an active interposer, receiving a second session authorization from the security assistant device and transmitting the second session authorization to the client device, wherein the second session authorization is based on a second key stored on the security assistant device;
  
  responsive to a determination that the network device will act as a transparent interposer, transmitting to the client device the first session authorization;
  
  sending a portion of the handshake for the secure session to be processed by the security assistant device using the first key or the second key;
  
  receiving from the security assistant device, the portion of the handshake that has been processed by the first key or the second keys;
  
  receiving a plurality of secure messages from the secure session between the client device and the server;
  
  unwrapping the plurality of secure messages with the second session authorization received from the security assistant device to generate a plurality of unwrapped messages; and
  
  processing the unwrapped messages according to a network application based on contents of the unwrapped messages.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - responsive to a determination that the network device will act as an active interposer, transmitting the second session authentication to the client device.
  - 3. The method of claim 1, further comprising:
    - responsive to a determination that the network device will act as a transparent interposer, transmitting the first session authentication to the client device.
  - 4. The method of claim 1, further comprising:
    - modifying the unwrapped messages according to the network application to generate modified messages;
      
      wrapping the modified messages to generate modified secure messages; and
      
      transmitting the modified secure messages to the client device.
  - 5. The method of claim 1, wherein the security assistant device negotiates the second session authorization with the server on behalf of the network device.
  - 6. The method of claim 1, wherein the secure session is secured via one of Secure Sockets Layer (SSL) Transport Layer Security (TLS), Datagram Transport Layer Security (DTLS), Microsoft Kerberos (MS-KRB), or Microsoft NT LAN Management (MS-NTLM).
  - 7. The method of claim 1, wherein the network device and the security assistant device communicate via a secure back channel.
  - 8. The method of claim 7, further comprising provisioning the network device via the secure back channel with an authorization to provide security services.
  - 9. The method of claim 8, further comprising invalidating the authorization to provide security services.
  - 10. The method of claim 1, further comprising:
    - computing a hash of at least a part of the set of session initiation messages;
      
      generating a handshake finish message including the hash; and
      
      transmitting the handshake finish message to at least one of the client or the server.

11. An apparatus comprising:
- a network interface unit that sends and receives communications over a network; and
  
  a processor coupled to the network interface unit, to;
  
  receive a set of session initiation messages from a client device via the network interface unit, the set of session initiation messages comprising a server address for a server to initiate a handshake for a secure session between the client device and the server;
  
  cause the network interface unit to forward the set of session initiation messages to the server at the server address;
  
  cause the network interface unit to forward the set of session initiation messages to a security assistant device physically located separate from the apparatus;
  
  receive a first session authorization from the server, wherein the first session authorization is based on a first key stored on the server;
  
  determining whether the apparatus will act as an active interposer or as a transparent interposer;
  
  responsive to a determination that the apparatus will act as an active interposer, receive a second session authorization from the security assistant device via the network interface unit and cause the network interface unit to transmit the second session authorization to the client device, wherein the second session authorization is based on a second key stored on the security assistant device;
  
  responsive to a determination that the apparatus will act as a transparent interposer, cause the network interface unit to transmit to the client device the first session authorization;
  
  cause the network interface unit to send a portion of the handshake for the secure session to be processed by the security assistant device using the first key or the second key; and
  
  receive from the security assistant device, via the network interface unit, the portion of the handshake that has been processed by the first key or the second keys;
  
  receive, via the network interface unit, a plurality of secure messages from the secure session between the client device and the server;
  
  unwrap the plurality of secure messages with the second session authorization received from the security assistant device to generate a plurality of unwrapped messages; and
  
  process the unwrapped messages according to a network application based on contents of the unwrapped messages.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The apparatus of claim 11, wherein the processor further:
    - responsive to a determination that the apparatus is to act as an active interposer, causes the network interface unit to transmit the second session authentication to the client device.
  - 13. The apparatus of claim 11, wherein the processor further:
    - responsive to a determination that the apparatus is to act as a transparent interposer, causes the network interface unit to transmit the first session authentication to the client device.
  - 14. The apparatus of claim 11, wherein the processor further:
    - modifies the unwrapped messages according to the network application to generate modified messages;
      
      wraps the modified messages to generate modified secured messages; and
      
      causes the network interface unit to transmit the modified secure messages to the client device.
  - 15. The apparatus of claim 11, wherein the secure session is secured via one of Secure Sockets Layer (SSL) Transport Layer Security (TLS), Datagram Transport Layer Security (DTLS), Microsoft Kerberos (MS-KRB), or Microsoft NT LAN Management (MS-NTLM).
  - 16. The apparatus of claim 11, wherein the network interface communicates with the security assistant device via a secure back channel.
  - 17. The apparatus of claim 16, wherein the processor is provisioned via the secure back channel with an authorization to provide security services.
  - 18. The apparatus of claim 17, wherein the processor receives, via the network interface, an invalidation message that invalidates the authorization to provide security services.
  - 19. The apparatus of claim 11, wherein the processor further:
    - computes a hash of at least a part of the set of session initiation messages;
      
      generates a handshake finish message including the hash; and
      
      causes the network interface to transmit the handshake finish message to at least one of the client or the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Ben-Nun, Eitan, Zayats, Michael, Wing, Daniel G., Patil, Kirtesh, Padhye, Jaideep, Hungund, Manohar B., Agasaveeran, Saravanan
Primary Examiner(s)
Pwu, Jeffrey C
Assistant Examiner(s)
Tran, Baotram

Application Number

US14/328,094
Publication Number

US 20150288679A1
Time in Patent Office

1,643 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/168   above the transport layer

H04L 67/141   Setup of application sessio...

H04L 67/56   Provisioning of proxy servi...

Interposer with security assistant key escrow

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Interposer with security assistant key escrow

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links