Cryptographic proxy service
First Claim
1. A cryptographic proxy system comprising:
a memory store; and
a processor coupled to the memory store, wherein the processor is configured to execute operations comprising:
receiving identification of a network destination where a computing device is attempting to transmit sensitive data, wherein the sensitive data is identified by the computing device, prior to transmitting the sensitive data, based on content evaluation rules that cause the computing device to search the sensitive data for keywords and compare the network destination to a list of network destinations;
conditionally blocking transmission of the sensitive data based on a determination that a secure channel cannot be established between the computing device and the network destination identified in the list of network destinations;
obtaining a spoofed security certificate that impersonates the network destination, the spoofed security certificate including a first public key corresponding to a first private key;
verifying that the computing device is in compliance with a compliance rule specifying management restrictions that must be satisfied to establish compliance, the management restrictions comprising an encryption requirement and a firmware-version requirement;
in response to verifying that the computing device is in compliance with the compliance rule, sending the first public key to the computing device to use for encrypting the sensitive data;
receiving the encrypted sensitive data;
decrypting the sensitive data using the first private key;
re-encrypting the sensitive data according to a second security certificate associated with the network destination;
forwarding the re-encrypted data to the network destination;
operating as a certificate authority for the spoofed security certificate.
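The gating steps of claim 1 (content evaluation, the secure-channel block, and the compliance check that precedes release of the public key), as an added Python example that is not code from the patent or its assignee. The keyword list, destination names, minimum firmware version, function names and outcome labels are constructed assumptions, as is treating the keyword match and the destination match as both required.

```python
from dataclasses import dataclass

# Constructed sample policy; the patent text gives no concrete values.
KEYWORDS = ("ssn", "account number", "confidential")
DESTINATIONS = {"payroll.example.com", "bank.example.net"}
MIN_FIRMWARE = (10, 2, 0)

@dataclass
class Device:
    storage_encrypted: bool  # encryption requirement
    firmware: str            # dotted version string reported by the device

def parse_version(text, width=3):
    """Turn '10.2' into (10, 2, 0) so versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def is_sensitive(payload, destination):
    """Device-side content evaluation: keyword search plus destination list.
    Assumption: both checks must match for the data to count as sensitive."""
    text = payload.lower()
    return destination.lower() in DESTINATIONS and any(k in text for k in KEYWORDS)

def is_compliant(device):
    """Compliance rule: encryption requirement and firmware-version requirement."""
    try:
        version = parse_version(device.firmware)
    except ValueError:
        return False  # an unparseable firmware string fails closed
    return device.storage_encrypted and version >= MIN_FIRMWARE

def proxy_decision(payload, destination, device, secure_channel_ok):
    """Return a hypothetical outcome label following the claim's step order."""
    if not is_sensitive(payload, destination):
        return "not-proxied"       # assumption: the claim covers sensitive data only
    if not secure_channel_ok:
        return "block"             # no secure channel to the listed destination
    if not is_compliant(device):
        return "withhold-key"      # assumption: key is released only after compliance
    return "send-public-key"       # device may now encrypt to the proxy's key

if __name__ == "__main__":
    sample = "Employee SSN 000-00-0000"  # constructed payload
    print(proxy_decision(sample, "payroll.example.com", Device(True, "10.2"), True))
    print(proxy_decision(sample, "payroll.example.com", Device(True, "9.12.4"), True))
```

Firmware versions are compared as integer tuples because a plain string comparison would rank "9.12.4" above "10.2.0" and let an outdated device pass the firmware-version requirement.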
Abstract
A cryptographic proxy service may be provided. Upon determining that data associated with a network destination comprises at least some sensitive data, a cryptographic service may provide a security certificate associated with the network destination. The plurality of data may be encrypted according to the security certificate associated with the network destination and provided to the cryptographic service for re-encryption and transmission to the network destination.
14 Claims
6. A method for providing a cryptographic proxy service, comprising:
receiving identification of a network destination where a computing device is attempting to transmit sensitive data, wherein the sensitive data is identified by the computing device, prior to transmitting the sensitive data, based on content evaluation rules that cause the computing device to search the sensitive data for keywords and compare the network destination to a list of network destinations;
conditionally blocking transmission of the sensitive data based on a determination that a secure channel cannot be established between the computing device and the network destination identified in the list of network destinations;
generating a spoofed security certificate that impersonates the network destination, the spoofed security certificate including a first public key and a first private key;
verifying that the computing device is in compliance with a compliance rule specifying management restrictions that must be satisfied to establish compliance, the management restrictions comprising an encryption requirement and a firmware-version requirement;
in response to verifying that the computing device is in compliance with the compliance rule, sending the first public key to the computing device to use for encrypting the sensitive data;
receiving the encrypted sensitive data;
decrypting the sensitive data using the first private key;
negotiating the secure channel with the network destination;
sending the sensitive data to the network destination; and
operating as a certificate authority for the spoofed security certificate.
11. A non-transitory, computer-readable medium containing instructions that cause a processor to perform operations for providing a cryptographic proxy service, the operations comprising:
receiving identification of a network destination where a computing device is attempting to transmit sensitive data, wherein the sensitive data is identified by the computing device, prior to transmitting the sensitive data, based on content evaluation rules that cause the computing device to search the sensitive data for keywords and compare the network destination to a list of network destinations;
conditionally blocking transmission of the sensitive data based on a determination that a secure channel cannot be established between the computing device and the network destination identified in the list of network destinations;
generating a spoofed security certificate that impersonates the network destination, the spoofed security certificate including a first public key and a first private key;
verifying that the computing device is in compliance with a compliance rule specifying management restrictions that must be satisfied to establish compliance, the management restrictions comprising an encryption requirement and a firmware-version requirement;
in response to verifying that the computing device is in compliance with the compliance rule, sending the first public key to the computing device to use for encrypting the sensitive data;
receiving the encrypted sensitive data;
decrypting the sensitive data using the first private key;
negotiating the secure channel with the network destination;
sending the sensitive data to the network destination;
operating as a certificate authority for the spoofed security certificate.
Specification