Network security with surrogate digital certificates

US 10,397,006 B2
Filed: 02/13/2017
Issued: 08/27/2019
Est. Priority Date: 02/13/2017
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a computer system that includes a processor; and

memory containing executable instructions that, as a result of execution by the processor, cause the system to;

receive a certificate chain transmitted from a server to a client, the certificate chain comprising;

an intermediate certificate comprising an intermediate authority public key and intermediate subject information, wherein validity of the intermediate certificate is cryptographically verifiable based at least in part on a first chain of trust between the intermediate certificate and a trusted root certificate; and

an end-entity certificate comprising an end-entity public key, wherein validity of the end-entity certificate is cryptographically verifiable based at least in part on the intermediate authority public key;

generate a surrogate certificate chain by;

obtaining a surrogate intermediate certificate comprising a surrogate intermediate authority public key and subject information associated with the intermediate subject information, wherein validity of the surrogate intermediate certificate is cryptographically verifiable based at least in part on a second chain of trust between the surrogate intermediate certificate and a trusted surrogate root certificate; and

obtaining a surrogate end-entity certificate comprising a surrogate end-entity public key and subject information associated with end-entity subject information of the surrogate end-entity certificate, wherein the surrogate end-entity certificate is digitally signed using a surrogate intermediate authority private key corresponding to the surrogate intermediate authority public key; and

transmit the surrogate certificate chain to the client as a replacement for the certificate chain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device such as a network security device receives one or more digital certificates in a certificate chain and generates one or more surrogate digital certificates that form a surrogate certificate chain. A surrogate certificate may be generated using certificate information from a corresponding digital certificate of the received certificate chain. In some cases, the received certificate chain may have a trusted root certificate that is a trust anchor for the received certificate chain and the generated surrogate certificate chain may have a different trusted root certificate that is the trust anchor for the surrogate certificate chain. Cryptographic keys of the certificate chains may be used to establish cryptographically protected communication sessions. The computing device may monitor network traffic utilizing cryptographic keys included in the certificate chains to encrypt data. The encrypted data may be decrypted and inspected to determine whether sensitive information is transmitted in an improper manner.

Citations

20 Claims

1. A system, comprising:
- a computer system that includes a processor; and
  
  memory containing executable instructions that, as a result of execution by the processor, cause the system to;
  
  receive a certificate chain transmitted from a server to a client, the certificate chain comprising;
  
  an intermediate certificate comprising an intermediate authority public key and intermediate subject information, wherein validity of the intermediate certificate is cryptographically verifiable based at least in part on a first chain of trust between the intermediate certificate and a trusted root certificate; and
  
  an end-entity certificate comprising an end-entity public key, wherein validity of the end-entity certificate is cryptographically verifiable based at least in part on the intermediate authority public key;
  
  generate a surrogate certificate chain by;
  
  obtaining a surrogate intermediate certificate comprising a surrogate intermediate authority public key and subject information associated with the intermediate subject information, wherein validity of the surrogate intermediate certificate is cryptographically verifiable based at least in part on a second chain of trust between the surrogate intermediate certificate and a trusted surrogate root certificate; and
  
  obtaining a surrogate end-entity certificate comprising a surrogate end-entity public key and subject information associated with end-entity subject information of the surrogate end-entity certificate, wherein the surrogate end-entity certificate is digitally signed using a surrogate intermediate authority private key corresponding to the surrogate intermediate authority public key; and
  
  transmit the surrogate certificate chain to the client as a replacement for the certificate chain.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein:
    - the computer system establishes a first cryptographically protected communication session with the server using at least the end-entity certificate and the certificate chain; and
      
      the computer system establishes a second cryptographically protected communication session with the client using at least the surrogate certificate chain and a surrogate end-entity private key corresponding to the surrogate end-entity public key.
  - 3. The system of claim 2, wherein the memory containing executable instructions further includes executable instructions that, as a result of execution by the processor, cause the system to:
    - receive an encrypted message via the second cryptographically protected communication session;
      
      decrypt the encrypted message to generate a decrypted message;
      
      detect, based at least in part on the decrypted message, satisfaction of a condition indicating the server should not receive the decrypted message;
      
      modify the decrypted message to generate a modified message such that the condition is no longer satisfied;
      
      encrypt the modified message using the end-entity public key to generate an encrypted modified message; and
      
      transmit the encrypted modified message via the second cryptographically protected communication session.
  - 4. The system of claim 1, wherein the certificate chain and the surrogate certificate chain are of a same length.

5. A computer-implemented method, comprising:
- obtaining an intermediate authority certificate, the intermediate authority certificate comprising an intermediate authority public key;
  
  generating a surrogate end-entity certificate, the surrogate end-entity certificate comprising;
  
  a surrogate end-entity public key;
  
  subject information associated with an end-entity certificate;
  
  issuer information associated with the end-entity certificate; and
  
  wherein validity of the surrogate end-entity certificate is cryptographically verifiable based at least in part on the intermediate authority public key; and
  
  making at least the surrogate end-entity certificate available to replace the end-entity certificate.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The computer-implemented method of claim 5, wherein validity of the intermediate authority certificate is cryptographically verifiable via a chain of trust that includes a first trusted root authority, the first trusted root authority being different from a second trusted root authority usable to determine validity of the end-entity certificate.
  - 7. The computer-implemented method of claim 5, wherein a size of the end-entity certificate and a size of the surrogate end-entity certificate are equal.
  - 8. The computer-implemented method of claim 5, wherein:
    - the end-entity certificate is obtained via a first data packet, the first data packet comprising a protocol type and a packet size; and
      
      the surrogate end-entity certificate is made available via a second data packet, the second data packet comprising the protocol type and the packet size.
  - 9. The computer-implemented method of claim 8, wherein the protocol type is selected from the group consisting of:
    - internet protocol (IP);
      
      transport layer security (TLS);
      
      transmission control protocol (TCP); and
      
      user datagram protocol (UDP).
  - 10. The computer-implemented method of claim 8, wherein:
    - the end-entity certificate is of a larger size than the surrogate end-entity certificate; and
      
      the second data packet further comprises a data portion of the second data packet the data portion comprising the surrogate end-entity certificate and a padding structure.
  - 11. The computer-implemented method of claim 8, wherein:
    - the end-entity certificate comprises an end-entity public key;
      
      the end-entity public key is of a larger size than the surrogate end-entity public key; and
      
      the surrogate end-entity certificate further comprises a padding structure.
  - 12. The computer-implemented method of claim 8, wherein:
    - the end-entity certificate comprises an end-entity public key and one or more extension fields;
      
      the end-entity public key is of a smaller size than the surrogate end-entity public key; and
      
      obtaining the subject information from the end-entity certificate includes omitting at least a portion of the one or more extension fields.

13. A non-transitory computer-readable storage medium storing executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- generate a first plurality of digital certificates, the first plurality of digital certificates comprising a first digital certificate and a second digital certificate, wherein;
  
  individual digital certificates of the first plurality of digital certificates are associated with at least one corresponding digital certificate of a second plurality of digital certificates; and
  
  the second digital certificate comprises a first public key and issuer information obtained from an associated digital certificate of the second plurality of digital certificates, the associated digital certificate comprising a second public key different from the first public key; and
  
  provide the first plurality of digital certificates in place of the second plurality of digital certificates as part of an authentication process.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the first plurality of digital certificates are generated by at least:
    - determining a cached digital certificate associated with a certificate of the second plurality of digital certificates is stored;
      
      obtaining the cached digital certificate; and
      
      adding the cached digital certificate to the first plurality of digital certificates.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein:
    - a first chain of trust is cryptographically verifiable from the first digital certificate to the second digital certificate based at least in part on the first plurality of digital certificates; and
      
      a second chain of trust is cryptographically verifiable from the associated digital certificate to a root certificate based at least in part on the second plurality of digital certificates.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein first public key is in accordance with a first public key algorithm and the second public key is in accordance with a second public key algorithm that is different from the first public key algorithm.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the first public key is generated to have a size equal to the size of the second public key.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further cause the computer system to:
    - establish a first cryptographically protected communication session with a first computing entity using the first public key;
      
      establish a second cryptographically protected communication session with a second computing entity using the second public key;
      
      receive an encrypted message via the second cryptographically protected communication session from the second computing entity;
      
      decrypt the encrypted message to generate a message;
      
      modify the message so as to remove sensitive information; and
      
      transmit an encrypted modified message via the first cryptographically protected communication session to the first computing entity.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the first cryptographically protected communication session utilizes a first cipher suite and the second cryptographically protected communication session utilizes a second cipher suite that is different from the first cipher suite.
  - 20. The non-transitory computer-readable storage medium of claim 18, wherein modifying the message includes identifying a first section of the sensitive information to modify and identifying a second section of the sensitive information to preserve.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Bowen, Peter
Primary Examiner(s)
Bayou, Yonas A

Application Number

US15/431,496
Publication Number

US 20180234256A1
Time in Patent Office

925 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/0428   wherein the data content is...

H04L 63/064   Hierarchical key distributi...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 63/308   retaining data, e.g. retain...

H04L 9/3265   using certificate chains, t...

Network security with surrogate digital certificates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network security with surrogate digital certificates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links