Securely sharing a transport layer security session with one or more trusted devices

US 10,320,842 B1
Filed: 03/24/2017
Issued: 06/11/2019
Est. Priority Date: 03/24/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securely sharing a Transport Layer Security (TLS) session with a chain of trusted devices, the method comprising:

establishing a TLS session between a client device and a server device, the establishing of the TLS session comprising;

negotiating a master secret for the TLS session that is known to both the client device and the server device,establishing a chain of secure channels between a chain of trusted devices and the client device or the server device, the chain of trusted devices being communicatively positioned between the client device and the server device,sending, from the client device or the server device, the master secret to the chain of trusted devices over the chain of secure channels, andemploying the master secret at the client device, at the server device, and at the chain of trusted devices to generate, for the TLS session, encryption keys;

after establishment of the TLS session, communicating encrypted messages, that are encrypted using the encryption keys, between the client device and the server device; and

during the communicating of the encrypted messages, intercepting and decrypting one or more of the encrypted messages at one or more of the trusted devices in the chain of trusted devices using the encryption keys.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securely sharing a Transport Layer Security (TLS) session with one or more trusted devices. In one embodiment, a method may include establishing a TLS session between a client device and a server device, communicating encrypted messages that are encrypted using encryption keys between the client device and the server device, and intercepting and decrypting one or more of the encrypted messages at a trusted device using the encryption keys. In this embodiment, the establishing of the TLS session may include negotiating a master secret, establishing a secure channel between the trusted device and the client device or the server device, sending, from the client device or the server device, the master secret to the trusted device over the secure channel, and employing the master secret at the client device, at the server device, and at the trusted device to generate, for the TLS session, the encryption keys.

Citations

13 Claims

1. A computer-implemented method for securely sharing a Transport Layer Security (TLS) session with a chain of trusted devices, the method comprising:
- establishing a TLS session between a client device and a server device, the establishing of the TLS session comprising;
  
  negotiating a master secret for the TLS session that is known to both the client device and the server device,establishing a chain of secure channels between a chain of trusted devices and the client device or the server device, the chain of trusted devices being communicatively positioned between the client device and the server device,sending, from the client device or the server device, the master secret to the chain of trusted devices over the chain of secure channels, andemploying the master secret at the client device, at the server device, and at the chain of trusted devices to generate, for the TLS session, encryption keys;
  
  after establishment of the TLS session, communicating encrypted messages, that are encrypted using the encryption keys, between the client device and the server device; and
  
  during the communicating of the encrypted messages, intercepting and decrypting one or more of the encrypted messages at one or more of the trusted devices in the chain of trusted devices using the encryption keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein either the client device or the server device is a Man in the Middle (MITM) device acting as the client device or acting as the server device and is communicatively positioned between the client device and another server device or communicatively positioned between the server device and another client device.
  - 3. The method of claim 1, wherein each of the secure channels in the chain of secure channels is a TLS session-specific channel that only exists during the establishment of the TLS session.
  - 4. The method of claim 3, wherein each of the secure channels in the chain of secure channels is a Perfect Forward Secrecy (PFS) channel.
  - 5. The method of claim 4, wherein the establishing of each of the secure channels in the chain of secure channels is accomplished using a Diffie-Hellman key exchange.
  - 6. The method of claim 4, wherein the establishing of each of the secure channels in the chain of secure channels is accomplished using a One Round Trip Time (1-RTT) TLS 1.3 handshake.
  - 7. The method of claim 1, wherein the intercepting and the decrypting of the one or more of the encrypted messages at the one or more of the trusted devices in the chain of trusted devices is accomplished without interrupting the communicating of the one or more of the encrypted messages between the client device and the server device, without modifying the one or more of the encrypted messages, and without re-encrypting the one or more of the encrypted messages.

8. One or more non-transitory computer-readable media comprising one or more computer-readable instructions that, when executed by one or more processors of one or more computing devices, cause the one or more computing devices to:
- establish a Transport Layer Security (TLS) session between a client device and a server device, the establishing of the TLS session comprising;
  
  negotiating a master secret for the TLS session that is known to both the client device and the server device,establishing a chain of secure channels between a chain of trusted devices and the client device or the server device, the chain of trusted devices being communicatively positioned between the client device and the server device,sending, from the client device or the server device, the master secret to the chain of trusted devices over the chain of secure channels, andemploying the master secret at the client device, at the server device, and at the chain of trusted devices to generate, for the TLS session, encryption keys;
  
  after establishment of the TLS session, communicate encrypted messages, that are encrypted using the encryption keys, between the client device and the server device; and
  
  during the communicating of the encrypted messages, intercept and decrypt one or more of the encrypted messages at one or more of the trusted devices in the chain of trusted devices using the encryption keys.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The one or more non-transitory computer-readable media of claim 8, wherein either the client device or the server device is a Man in the Middle (MITM) device acting as the client device or acting as the server device and is communicatively positioned between the client device and another server device or communicatively positioned between the server device and another client device.
  - 10. The one or more non-transitory computer-readable media of claim 8, wherein each of the secure channels in the chain of secure channels is a TLS session-specific channel that only exists during the establishment of the TLS session.
  - 11. The one or more non-transitory computer-readable media of claim 10, wherein each of the secure channels in the chain of secure channels is a Perfect Forward Secrecy (PFS) channel.
  - 12. The one or more non-transitory computer-readable media of claim 11, wherein the establishing of each of the secure channels in the chain of secure channels is accomplished using a Diffie-Hellman key exchange or is accomplished using a One Round Trip Time (1-RTT) TLS 1.3 handshake.
  - 13. The one or more non-transitory computer-readable media of claim 8, wherein the intercepting and the decrypting of the one or more of the encrypted messages at the one or more of the trusted devices in the chain of trusted devices is accomplished without interrupting the communicating of the one or more of the encrypted messages between the client device and the server device, without modifying the one or more of the encrypted messages, and without re-encrypting the one or more of the encrypted messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Du Toit, Roelof N., Robbin, Noah Z., Wells, David
Primary Examiner(s)
Holder, Bradley W

Application Number

US15/468,895
Time in Patent Office

809 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

H04L 67/141   Setup of application sessio...

H04L 67/146   Markers for unambiguous ide...

H04L 69/326   in the transport layer [OSI...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/32   including means for verifyi...

Securely sharing a transport layer security session with one or more trusted devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Securely sharing a transport layer security session with one or more trusted devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links