Network security with surrogate digital certificates
First Claim
1. A system, comprising:
a computer system that includes a processor; and
memory containing executable instructions that, as a result of execution by the processor, cause the system to:
receive a certificate chain transmitted from a server to a client, the certificate chain comprising:
an intermediate certificate comprising an intermediate authority public key and intermediate subject information, wherein validity of the intermediate certificate is cryptographically verifiable based at least in part on a first chain of trust between the intermediate certificate and a trusted root certificate; and
an end-entity certificate comprising an end-entity public key, wherein validity of the end-entity certificate is cryptographically verifiable based at least in part on the intermediate authority public key;
generate a surrogate certificate chain by:
obtaining a surrogate intermediate certificate comprising a surrogate intermediate authority public key and subject information associated with the intermediate subject information, wherein validity of the surrogate intermediate certificate is cryptographically verifiable based at least in part on a second chain of trust between the surrogate intermediate certificate and a trusted surrogate root certificate; and
obtaining a surrogate end-entity certificate comprising a surrogate end-entity public key and subject information associated with end-entity subject information of the surrogate end-entity certificate, wherein the surrogate end-entity certificate is digitally signed using a surrogate intermediate authority private key corresponding to the surrogate intermediate authority public key; and
transmit the surrogate certificate chain to the client as a replacement for the certificate chain.
Abstract
A computing device such as a network security device receives one or more digital certificates in a certificate chain and generates one or more surrogate digital certificates that form a surrogate certificate chain. A surrogate certificate may be generated using certificate information from a corresponding digital certificate of the received certificate chain. In some cases, the received certificate chain may have a trusted root certificate that is a trust anchor for the received certificate chain and the generated surrogate certificate chain may have a different trusted root certificate that is the trust anchor for the surrogate certificate chain. Cryptographic keys of the certificate chains may be used to establish cryptographically protected communication sessions. The computing device may monitor network traffic utilizing cryptographic keys included in the certificate chains to encrypt data. The encrypted data may be decrypted and inspected to determine whether sensitive information is transmitted in an improper manner.
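The mechanism of claim 1 and the abstract, as an added example in Go that is not code from the patent or its assignee: an interception device receives a server chain (intermediate plus end-entity certificate), validates it against the roots it trusts, then mirrors the subject information of both certificates into a surrogate intermediate and surrogate end-entity certificate signed under a different trust anchor, each with a fresh key pair. The server chain (`Example Root CA`, `Example Issuing CA`, `www.example.com`) and the surrogate root (`Inspection Surrogate Root`) are constructed inline for the demonstration; all names, the function names `Surrogate` and `Run`, and the `Result` fields are this example's assumptions. It also shows the two checks a practitioner wants: the surrogate leaf validates only under the surrogate root, never under the server's real root, and a server chain that does not verify gets no surrogate at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs tmpl for pub with issuerKey; a nil parent makes the certificate self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
}

// Surrogate mirrors a received intermediate and end-entity certificate into a chain rooted in surRoot:
// subject names, SANs, validity and extended key usage are copied, keys and signatures are new.
// The received chain is verified first; re-signing an unverifiable chain would launder it into a trusted one.
func Surrogate(origInter, origLeaf *x509.Certificate, origRoots *x509.CertPool, host string,
	surRoot *x509.Certificate, surRootKey *ecdsa.PrivateKey) (surInter, surLeaf *x509.Certificate, leafKey *ecdsa.PrivateKey, err error) {
	inters := x509.NewCertPool()
	inters.AddCert(origInter)
	if _, err = origLeaf.Verify(x509.VerifyOptions{Roots: origRoots, Intermediates: inters, DNSName: host}); err != nil {
		return nil, nil, nil, fmt.Errorf("received chain rejected, no surrogate issued: %w", err)
	}
	interKey := newKey()
	surInter = issue(&x509.Certificate{
		Subject: origInter.Subject, NotBefore: origInter.NotBefore, NotAfter: origInter.NotAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, surRoot, &interKey.PublicKey, surRootKey)
	leafKey = newKey() // the device keeps this key to terminate the client's TLS session
	surLeaf = issue(&x509.Certificate{
		Subject: origLeaf.Subject, DNSNames: origLeaf.DNSNames, ExtKeyUsage: origLeaf.ExtKeyUsage,
		NotBefore: origLeaf.NotBefore, NotAfter: origLeaf.NotAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}, surInter, &leafKey.PublicKey, interKey)
	return surInter, surLeaf, leafKey, nil
}

// Result: surrogate leaf verifies under the surrogate root; the original root rejects it; subject and
// issuer names match the server's certificate; keys differ; an unverifiable server chain gets no surrogate.
type Result struct{ SurrogateTrusted, OriginalRejectsSurrogate, NamesMirrored, FreshKeys, UntrustedRefused bool }

// Run builds a constructed server chain (Example Root CA -> Example Issuing CA -> www.example.com),
// a separate surrogate root, and checks the surrogate chain against both trust anchors.
func Run() Result {
	const host = "www.example.com"
	rootKey, interKey, leafKey, surRootKey := newKey(), newKey(), newKey(), newKey()
	origRoot := issue(caTemplate("Example Root CA"), nil, &rootKey.PublicKey, rootKey)
	origInter := issue(caTemplate("Example Issuing CA"), origRoot, &interKey.PublicKey, rootKey)
	origLeaf := issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}, origInter, &leafKey.PublicKey, interKey)
	surRoot := issue(caTemplate("Inspection Surrogate Root"), nil, &surRootKey.PublicKey, surRootKey)
	origRoots, surRoots, surInters := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	origRoots.AddCert(origRoot)
	surRoots.AddCert(surRoot)
	surInter, surLeaf, _, err := Surrogate(origInter, origLeaf, origRoots, host, surRoot, surRootKey)
	check(err)
	surInters.AddCert(surInter)
	_, trustErr := surLeaf.Verify(x509.VerifyOptions{Roots: surRoots, Intermediates: surInters, DNSName: host})
	_, rejectErr := surLeaf.Verify(x509.VerifyOptions{Roots: origRoots, Intermediates: surInters, DNSName: host})
	_, _, _, refuseErr := Surrogate(origInter, origLeaf, x509.NewCertPool(), host, surRoot, surRootKey) // empty trust store: chain unverifiable
	return Result{trustErr == nil, rejectErr != nil,
		surLeaf.Subject.String() == origLeaf.Subject.String() && surLeaf.Issuer.String() == origLeaf.Issuer.String(),
		!surLeaf.PublicKey.(*ecdsa.PublicKey).Equal(origLeaf.PublicKey), refuseErr != nil}
}

func main() { fmt.Printf("%+v\n", Run()) }
```

Run with `go run .`; all five fields print as true. Two consequences for an operator follow directly from the construction: every client must carry the surrogate root in its trust store, and the device becomes the only party that validates the real server (hostname, validity period, chain to a trusted root), so the verification step before surrogation is what keeps an attacker's certificate from being re-signed into one the client accepts. Clients that pin the server's public key will also refuse the surrogate, because the presented key is the device's, not the server's.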
20 Claims
1. A system, comprising: (set out in full under First Claim above.) Dependent claims: 2, 3, 4.
5. A computer-implemented method, comprising:
obtaining an intermediate authority certificate, the intermediate authority certificate comprising an intermediate authority public key;
generating a surrogate end-entity certificate, the surrogate end-entity certificate comprising:
a surrogate end-entity public key;
subject information associated with an end-entity certificate;
issuer information associated with the end-entity certificate; and
wherein validity of the surrogate end-entity certificate is cryptographically verifiable based at least in part on the intermediate authority public key; and
making at least the surrogate end-entity certificate available to replace the end-entity certificate.
Dependent claims: 6, 7, 8, 9, 10, 11, 12.
13. A non-transitory computer-readable storage medium storing executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
generate a first plurality of digital certificates, the first plurality of digital certificates comprising a first digital certificate and a second digital certificate, wherein:
individual digital certificates of the first plurality of digital certificates are associated with at least one corresponding digital certificate of a second plurality of digital certificates; and
the second digital certificate comprises a first public key and issuer information obtained from an associated digital certificate of the second plurality of digital certificates, the associated digital certificate comprising a second public key different from the first public key; and
provide the first plurality of digital certificates in place of the second plurality of digital certificates as part of an authentication process.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
Specification