Implementation of secure socket layer intercept

US 10,469,594 B2
Filed: 12/08/2015
Issued: 11/05/2019
Est. Priority Date: 12/08/2015
Status: Active Grant

First Claim

Patent Images

1. A system for inspecting secure data, the system comprising:

a server facing device, the server facing device comprising a first hardware processor and a first memory, the server facing device being operable to;

retrieve the security certificate from the server, the server facing device and the server being connected via a server-side encrypted connection; and

receive the unencrypted data from the monitoring device via the data traffic channel upon the inspection of the unencrypted data by the monitoring device; and

a client facing device in communication with the server facing device, the client facing device comprising a second hardware processor and a second memory, the client facing device being operable to;

intercept a client request to establish a secure connection with a server, the client request being associated with the secure data;

establish a data traffic channel between the client facing device and the server facing device associated with the server, the data traffic channel being unencrypted;

send a control message to the server facing device via the data traffic channel, the control message including an instruction to the server facing device to obtain a security certificate from the server;

receive, via the data traffic channel, from the server facing device, the security certificate, the security certificate being forged by the client facing device to establish a client-side encrypted connection between the client and the client facing device;

upon establishing the client-side encrypted connection, receive the secure data from the client via the client-side encrypted connection, the secure data being encrypted by the client;

decrypt the secure data to obtain unencrypted data; and

send the unencrypted data to a monitoring device via the data traffic channel, the monitoring device including a third-party security device placed between the client facing device and the server facing device and communicating with each of the client facing device and the server facing device via the data traffic channel, wherein the unencrypted data is inspected by the monitoring device and sent by the monitoring device, upon the inspecting, to the server facing device;

wherein the server facing device is configured to;

upon receipt of the unencrypted data, re-encrypt the unencrypted data to obtain the secure data; and

upon the re-encrypting, send the secure data to the server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are methods and systems for inspecting secure data. A system for inspecting secure data comprises a server facing module, and a client facing module in communication with the server facing module. The client facing module is operable to intercept a client request associated with the secure data to establish a secure connection with a server, establish a data traffic channel via the server facing module, and provide a control message to the server facing module via the data traffic channel. The control message includes an instruction to the server facing module to obtain a security certificate from the server. The security certificate is received from the server facing module via the data traffic channel. The security certificate is forged to establish the secure connection between the client and the client facing module. The client facing module sends unencrypted data to the server facing module via the data traffic channel.

Citations

17 Claims

1. A system for inspecting secure data, the system comprising:
- a server facing device, the server facing device comprising a first hardware processor and a first memory, the server facing device being operable to;
  
  retrieve the security certificate from the server, the server facing device and the server being connected via a server-side encrypted connection; and
  
  receive the unencrypted data from the monitoring device via the data traffic channel upon the inspection of the unencrypted data by the monitoring device; and
  
  a client facing device in communication with the server facing device, the client facing device comprising a second hardware processor and a second memory, the client facing device being operable to;
  
  intercept a client request to establish a secure connection with a server, the client request being associated with the secure data;
  
  establish a data traffic channel between the client facing device and the server facing device associated with the server, the data traffic channel being unencrypted;
  
  send a control message to the server facing device via the data traffic channel, the control message including an instruction to the server facing device to obtain a security certificate from the server;
  
  receive, via the data traffic channel, from the server facing device, the security certificate, the security certificate being forged by the client facing device to establish a client-side encrypted connection between the client and the client facing device;
  
  upon establishing the client-side encrypted connection, receive the secure data from the client via the client-side encrypted connection, the secure data being encrypted by the client;
  
  decrypt the secure data to obtain unencrypted data; and
  
  send the unencrypted data to a monitoring device via the data traffic channel, the monitoring device including a third-party security device placed between the client facing device and the server facing device and communicating with each of the client facing device and the server facing device via the data traffic channel, wherein the unencrypted data is inspected by the monitoring device and sent by the monitoring device, upon the inspecting, to the server facing device;
  
  wherein the server facing device is configured to;
  
  upon receipt of the unencrypted data, re-encrypt the unencrypted data to obtain the secure data; and
  
  upon the re-encrypting, send the secure data to the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the monitoring device is operable to inspect the unencrypted data.
  - 3. The system of claim 1, wherein the client facing device is further operable to search for the security certificate associated with the server in a security certificate cache.
  - 4. The system of claim 3, wherein the client facing device is further operable to provide a forged security certificate to the server facing device, the forged security certificate being associated with the security certificate found in the security certificate cache.
  - 5. The system of claim 1, wherein the client facing device and the server facing device run on different partitions of a single device.
  - 6. The system of claim 1, wherein each of the client facing device and the server facing device include a physical device.
  - 7. The system of claim 1, wherein the control message is identified by an application protocol parser, the application protocol parser being installed on one or more of the client facing device and the server facing device.
  - 8. The system of claim 1, wherein the control message is provided as an extension to an application protocol message, the application protocol message being sent between the client facing device and the server facing device.
  - 9. The system of claim 1, wherein the server facing device is operable to:
    - receive the control message from the client facing device;
      
      based on the control message, request the security certificate from the server; and
      
      provide the security certificate to the client facing device.

10. A method for inspecting secure data, the method comprising:
- intercepting, by a client facing device, a client request to establish a secure connection with a server, the client request being associated with the secure data;
  
  establishing, by the client facing device, a data traffic channel between the client facing device and a server facing device associated with the server, the data traffic channel being unencrypted;
  
  sending, by the client facing device, a control message to the server facing device via the data traffic channel, the control message including an instruction to the server facing device to obtain a security certificate from the server;
  
  retrieving, by the server facing device, the security certificate from the server, the server facing device and the server being connected via a server-side encrypted connection;
  
  receiving, via the data traffic channel, by the client facing device, from the server facing device, the security certificate, the security certificate being forged by the client facing device to establish a client-side encrypted connection between the client and the client facing device;
  
  upon establishing the client-side encrypted connection, receiving, by the client facing device, the secure data from the client via the client-side encrypted connection, the secure data being encrypted by the client;
  
  decrypting, by the client facing device, the secure data to obtain unencrypted data;
  
  sending, by the client facing device, the unencrypted data to a monitoring device via the data traffic channel, the monitoring device including a third-party security device placed between the client facing device and the server facing device and communicating with each of the client facing device and the server facing device via the data traffic channel, wherein the unencrypted data is inspected by the monitoring device and sent by the monitoring device, upon the inspecting, to the server facing device;
  
  receiving, by the server facing device, the unencrypted data from the monitoring device via the data traffic channel upon the inspection of the unencrypted data by the monitoring device;
  
  upon receipt of the unencrypted data, re-encrypting, by the server facing device, the unencrypted data to obtain the secure data; and
  
  upon the re-encrypting, sending, by the server facing device, the secure data to the server.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, wherein the secure data is encrypted according to a Secure Socket Layer protocol.
  - 12. The method of claim 10, further comprising searching, by the client facing device, for the security certificate associated with the server in a security certificate cache.
  - 13. The method of claim 12, further comprising forging the security certificate found in the security certificate cache.
  - 14. The method of claim 10, wherein the unencrypted data is inspected for malware or botnets.
  - 15. The method of claim 10, wherein the control message is identified by an application protocol parser, the application protocol parser being installed on one or more of the client facing device and the server facing device.
  - 16. The method of claim 10, wherein the control message is provided as an extension to an application protocol message, the application protocol message being sent between the client facing device and the server facing device.

17. A system for inspecting secure data, the system comprising:
- a client facing device, the client facing device comprising a first hardware processor and a first memory, the client facing device being operable to;
  
  intercept a client request to establish a secure connection with a server, the client request being associated with the secure data;
  
  establish a data traffic channel between the client facing device and a server facing device associated with the server, the data traffic channel being unencrypted;
  
  send a control message to the server facing device via the data traffic channel, the control message including an instruction to the server facing device to obtain a security certificate from the server;
  
  search for the security certificate associated with the server in a security certificate cache;
  
  forge the security certificate found in the security certificate cache to obtain the forged security certificate;
  
  provide the forged security certificate to the server facing device;
  
  retrieve the security certificate from the server, the server facing device and the server being connected via a server-side encrypted connection;
  
  receive, via the data traffic channel, from the server facing device, the security certificate, the security certificate being forged by the client facing device to establish a client-side encrypted connection between the client and the client facing device;
  
  upon establishing the client-side encrypted connection, receive the secure data from the client via the client-side encrypted connection, the secure data being encrypted by the client;
  
  decrypt the secure data to obtain unencrypted data;
  
  send the unencrypted data to a monitoring device via the data traffic channel, the monitoring device including a third-party security device placed between the client facing device and the server facing device and communicating with each of the client facing device and the server facing device via the data traffic channel, wherein the unencrypted data is inspected by the monitoring device and sent by the monitoring device, upon the inspecting, to the server facing device; and
  
  receive the unencrypted data from the monitoring device via the data traffic channel upon the inspection of the unencrypted data by the monitoring device; and
  
  the server facing device comprising a second hardware processor and a second memory, the server facing device being operable to;
  
  receive the control message from the client facing device;
  
  based on the control message, request the security certificate from the server;
  
  provide the security certificate to the client facing device;
  
  upon receipt of the unencrypted data, re-encrypt the unencrypted data to obtain the secure data after the unencrypted data is inspected; and
  
  send the secure data to the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Jiang, Xuyang, Yang, Yang, Golshan, Ali
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Mejia, Feliciano S

Application Number

US14/962,058
Publication Number

US 20170163736A1
Time in Patent Office

1,428 Days
Field of Search

726 6, 726 26, 703150, 703182, 709218, 709219, 709227
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

H04L 63/306   intercepting packet switche...

H04L 67/141   Setup of application sessio...

H04L 67/56   Provisioning of proxy servi...

H04L 9/00   Cryptographic mechanisms or...

H04N 21/222   Secondary servers, e.g. pro...

H04N 21/64707   for transferring content fr...

Implementation of secure socket layer intercept

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Implementation of secure socket layer intercept

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links