Cryptographic proxy service

US 10,469,465 B2
Filed: 02/22/2017
Issued: 11/05/2019
Est. Priority Date: 06/23/2014
Status: Active Grant

First Claim

Patent Images

1. A cryptographic proxy system comprising:

a memory store; and

a processor coupled to the memory store, wherein the processor is configured to execute operations comprising;

receiving identification of a network destination where a computing device is attempting to transmit sensitive data, wherein the sensitive data is identified by the computing device, prior to transmitting the sensitive data, based on content evaluation rules that cause the computing device to search the sensitive data for keywords and compare the network destination to a list of network destinations;

conditionally blocking transmission of the sensitive data based on a determination that a secure channel cannot be established between the computing device and the network destination identified in the list of network destinations;

obtaining a spoofed security certificate that impersonates the network destination, the spoofed security certificate including a first public key corresponding to a first private key;

verifying that the computing device is in compliance with a compliance rule specifying management restrictions that must be satisfied to establish compliance, the management restrictions comprising an encryption requirement and a firmware-version requirement;

in response to verifying that the computing device is in compliance with the compliance rule, sending the first public key to the computing device to use for encrypting the sensitive data;

receiving the encrypted sensitive data;

decrypting the sensitive data using the first private key;

re-encrypting the sensitive data according to a second security certificate associated with the network destination;

forwarding the re-encrypted data to the network destination;

operating as a certificate authority for the spoofed security certificate.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptographic proxy service may be provided. Upon determining that data associated with a network destination comprises at least some sensitive data, a cryptographic service may provide a security certificate associated with the network destination. The plurality of data may be encrypted according to the security certificate associated with the network destination and provided to the cryptographic service for re-encryption and transmission to the network destination.

Citations

14 Claims

1. A cryptographic proxy system comprising:
- a memory store; and
  
  a processor coupled to the memory store, wherein the processor is configured to execute operations comprising;
  
  receiving identification of a network destination where a computing device is attempting to transmit sensitive data, wherein the sensitive data is identified by the computing device, prior to transmitting the sensitive data, based on content evaluation rules that cause the computing device to search the sensitive data for keywords and compare the network destination to a list of network destinations;
  
  conditionally blocking transmission of the sensitive data based on a determination that a secure channel cannot be established between the computing device and the network destination identified in the list of network destinations;
  
  obtaining a spoofed security certificate that impersonates the network destination, the spoofed security certificate including a first public key corresponding to a first private key;
  
  verifying that the computing device is in compliance with a compliance rule specifying management restrictions that must be satisfied to establish compliance, the management restrictions comprising an encryption requirement and a firmware-version requirement;
  
  in response to verifying that the computing device is in compliance with the compliance rule, sending the first public key to the computing device to use for encrypting the sensitive data;
  
  receiving the encrypted sensitive data;
  
  decrypting the sensitive data using the first private key;
  
  re-encrypting the sensitive data according to a second security certificate associated with the network destination;
  
  forwarding the re-encrypted data to the network destination;
  
  operating as a certificate authority for the spoofed security certificate.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the operations further comprise:
    - retrieving the second security certificate from a certificate authority associated with the network destination.
  - 3. The system of claim 1, wherein the operations further comprise:
    - installing a root certificate for the certificate authority for the spoofed security certificate on the computing device.
  - 4. The system of claim 3, wherein the operations further comprise:
    - installing a second root certificate for the certificate authority for the second security certificate on the network destination.
  - 5. The system of claim 1, wherein the network destination comprises a second computing device.

6. A method for providing a cryptographic proxy service, comprising:
- receiving identification of a network destination where a computing device is attempting to transmit sensitive data, wherein the sensitive data is identified by the computing device, prior to transmitting the sensitive data, based on content evaluation rules that cause the computing device to search the sensitive data for keywords and compare the network destination to a list of network destinations;
  
  conditionally blocking transmission of the sensitive data based on a determination that a secure channel cannot be established between the computing device and the network destination identified in the list of network destinations;
  
  generating a spoofed security certificate that impersonates the network destination, the spoofed security certificate including a first public key and a first private key;
  
  verifying that the computing device is in compliance with a compliance rule specifying management restrictions that must be satisfied to establish compliance, the management restrictions comprising an encryption requirement and a firmware-version requirement;
  
  in response to verifying that the computing device is in compliance with the compliance rule, sending the first public key to the computing device to use for encrypting the sensitive data;
  
  receiving the encrypted sensitive data;
  
  decrypting the sensitive data using the first private key;
  
  negotiating the secure channel with the network destination;
  
  sending the sensitive data to the network destination; and
  
  operating as a certificate authority for the spoofed security certificate.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein negotiating the secure channel includes re-encrypting the sensitive data using a second public key of a destination security certificate, the destination security certificate being received from the certificate authority associated with the network destination.
  - 8. The method of claim 6, further comprising:
    - installing a root certificate for the certificate authority for the spoofed security certificate on the computing device.
  - 9. The method of claim 8, further comprising:
    - installing a second root certificate for the certificate authority for the destination security certificate on the network destination.
  - 10. The method of claim 6, wherein the network destination comprises a second computing device.

11. A non-transitory, computer-readable medium containing instructions that cause a processor to perform operations for providing a cryptographic proxy service, the operations comprising:
- receiving identification of a network destination where a computing device is attempting to transmit sensitive data, wherein the sensitive data is identified by the computing device, prior to transmitting the sensitive data, based on content evaluation rules that cause the computing device to search the sensitive data for keywords and compare the network destination to a list of network destinations;
  
  conditionally blocking transmission of the sensitive data based on a determination that a secure channel cannot be established between the computing device and the network destination identified in the list of network destinations;
  
  generating a spoofed security certificate that impersonates the network destination, the spoofed security certificate including a first public key and a first private key;
  
  verifying that the computing device is in compliance with a compliance rule specifying at management restrictions that must be satisfied to establish compliance, the management restrictions comprising an encryption requirement and a firmware-version requirement;
  
  in response to verifying that the computing device is in compliance with the compliance rule, sending the first public key to the computing device to use for encrypting the sensitive data;
  
  receiving the encrypted sensitive data;
  
  decrypting the sensitive data using the first private key;
  
  negotiating the secure channel with the network destination;
  
  sending the sensitive data to the network destination;
  
  operating as a certificate authority for the spoofed security certificate.
- View Dependent Claims (12, 13, 14)
- - 12. The non-transitory, computer-readable medium of claim 11, wherein negotiating the secure channel includes re-encrypting the sensitive data using a second public key of a destination security certificate, the destination security certificate being received from the certificate authority associated with the network destination.
  - 13. The non-transitory, computer-readable medium of claim 11, the operations further comprising:
    - installing a root certificate for the certificate authority for the spoofed security certificate on the computing device.
  - 14. The non-transitory, computer-readable medium of claim 13, the operations further comprising:
    - installing a second root certificate for the certificate authority for the destination security certificate on the network destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Omnissa, LLC
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Stuntebeck, Erich
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Wilcox, James J

Application Number

US15/439,349
Publication Number

US 20170163429A1
Time in Patent Office

986 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0471   applying encryption by an i...

H04L 63/0823   using certificates cryptogr...

H04L 63/1408   by monitoring network traff...

H04L 67/01   Protocols

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3263   involving certificates, e.g...

H04W 12/02   Protecting privacy or anony...

H04W 12/033   of the user plane, e.g. use...

H04W 4/80   Services using short range ...

Cryptographic proxy service

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic proxy service

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links