Implementation of secure socket layer intercept
First Claim
1. A system for inspecting secure data, the system comprising:
a server facing device, the server facing device comprising a first hardware processor and a first memory, the server facing device being operable to:
retrieve the security certificate from the server, the server facing device and the server being connected via a server-side encrypted connection; and
receive the unencrypted data from the monitoring device via the data traffic channel upon the inspection of the unencrypted data by the monitoring device; and
a client facing device in communication with the server facing device, the client facing device comprising a second hardware processor and a second memory, the client facing device being operable to:
intercept a client request to establish a secure connection with a server, the client request being associated with the secure data;
establish a data traffic channel between the client facing device and the server facing device associated with the server, the data traffic channel being unencrypted;
send a control message to the server facing device via the data traffic channel, the control message including an instruction to the server facing device to obtain a security certificate from the server;
receive, via the data traffic channel, from the server facing device, the security certificate, the security certificate being forged by the client facing device to establish a client-side encrypted connection between the client and the client facing device;
upon establishing the client-side encrypted connection, receive the secure data from the client via the client-side encrypted connection, the secure data being encrypted by the client;
decrypt the secure data to obtain unencrypted data; and
send the unencrypted data to a monitoring device via the data traffic channel, the monitoring device including a third-party security device placed between the client facing device and the server facing device and communicating with each of the client facing device and the server facing device via the data traffic channel, wherein the unencrypted data is inspected by the monitoring device and sent by the monitoring device, upon the inspecting, to the server facing device;
wherein the server facing device is configured to:
upon receipt of the unencrypted data, re-encrypt the unencrypted data to obtain the secure data; and
upon the re-encrypting, send the secure data to the server.
Abstract
Provided are methods and systems for inspecting secure data. A system for inspecting secure data comprises a server facing module, and a client facing module in communication with the server facing module. The client facing module is operable to intercept a client request associated with the secure data to establish a secure connection with a server, establish a data traffic channel via the server facing module, and provide a control message to the server facing module via the data traffic channel. The control message includes an instruction to the server facing module to obtain a security certificate from the server. The security certificate is received from the server facing module via the data traffic channel. The security certificate is forged to establish the secure connection between the client and the client facing module. The client facing module sends unencrypted data to the server facing module via the data traffic channel.
17 Claims
1. A system for inspecting secure data, the system comprising:
(Claim text as set out under First Claim above.)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method for inspecting secure data, the method comprising:
intercepting, by a client facing device, a client request to establish a secure connection with a server, the client request being associated with the secure data;
establishing, by the client facing device, a data traffic channel between the client facing device and a server facing device associated with the server, the data traffic channel being unencrypted;
sending, by the client facing device, a control message to the server facing device via the data traffic channel, the control message including an instruction to the server facing device to obtain a security certificate from the server;
retrieving, by the server facing device, the security certificate from the server, the server facing device and the server being connected via a server-side encrypted connection;
receiving, via the data traffic channel, by the client facing device, from the server facing device, the security certificate, the security certificate being forged by the client facing device to establish a client-side encrypted connection between the client and the client facing device;
upon establishing the client-side encrypted connection, receiving, by the client facing device, the secure data from the client via the client-side encrypted connection, the secure data being encrypted by the client;
decrypting, by the client facing device, the secure data to obtain unencrypted data;
sending, by the client facing device, the unencrypted data to a monitoring device via the data traffic channel, the monitoring device including a third-party security device placed between the client facing device and the server facing device and communicating with each of the client facing device and the server facing device via the data traffic channel, wherein the unencrypted data is inspected by the monitoring device and sent by the monitoring device, upon the inspecting, to the server facing device;
receiving, by the server facing device, the unencrypted data from the monitoring device via the data traffic channel upon the inspection of the unencrypted data by the monitoring device;
upon receipt of the unencrypted data, re-encrypting, by the server facing device, the unencrypted data to obtain the secure data; and
upon the re-encrypting, sending, by the server facing device, the secure data to the server.
Dependent claims: 11, 12, 13, 14, 15, 16
17. A system for inspecting secure data, the system comprising:
a client facing device, the client facing device comprising a first hardware processor and a first memory, the client facing device being operable to:
intercept a client request to establish a secure connection with a server, the client request being associated with the secure data;
establish a data traffic channel between the client facing device and a server facing device associated with the server, the data traffic channel being unencrypted;
send a control message to the server facing device via the data traffic channel, the control message including an instruction to the server facing device to obtain a security certificate from the server;
search for the security certificate associated with the server in a security certificate cache;
forge the security certificate found in the security certificate cache to obtain the forged security certificate;
provide the forged security certificate to the server facing device;
retrieve the security certificate from the server, the server facing device and the server being connected via a server-side encrypted connection;
receive, via the data traffic channel, from the server facing device, the security certificate, the security certificate being forged by the client facing device to establish a client-side encrypted connection between the client and the client facing device;
upon establishing the client-side encrypted connection, receive the secure data from the client via the client-side encrypted connection, the secure data being encrypted by the client;
decrypt the secure data to obtain unencrypted data;
send the unencrypted data to a monitoring device via the data traffic channel, the monitoring device including a third-party security device placed between the client facing device and the server facing device and communicating with each of the client facing device and the server facing device via the data traffic channel, wherein the unencrypted data is inspected by the monitoring device and sent by the monitoring device, upon the inspecting, to the server facing device; and
receive the unencrypted data from the monitoring device via the data traffic channel upon the inspection of the unencrypted data by the monitoring device; and
the server facing device comprising a second hardware processor and a second memory, the server facing device being operable to:
receive the control message from the client facing device;
based on the control message, request the security certificate from the server;
provide the security certificate to the client facing device;
upon receipt of the unencrypted data, re-encrypt the unencrypted data to obtain the secure data after the unencrypted data is inspected; and
send the secure data to the server.
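As an added example (not the patent's or the assignee's code), the following Go program walks through the certificate forging step described in the abstract and the security certificate cache of claim 17 using only the standard library. It generates an interception CA standing in for the client facing device's signing key, a constructed self-signed certificate standing in for the security certificate the server facing device retrieves from the origin, and then forges a certificate that copies the origin's subject, subject alternative names and validity window onto a key the interceptor controls, signs it with the interception CA and caches it by the origin certificate's SHA-256 fingerprint. The names Forger, NewForger, OriginCert, Forge and TrustedBy, the hostname www.example.test and the CA name are assumptions of this example. The check at the end is the one that matters in deployment: the forgery chains only for a client that trusts the interception CA, and the real origin certificate does not chain to that CA at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// keyedCert pairs a certificate with the private key it is bound to.
type keyedCert struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Forger plays the client facing device: it holds the interception CA (assumed
// trusted by the clients) and the certificate cache of claim 17, keyed by the
// SHA-256 fingerprint of the origin server's DER-encoded certificate.
type Forger struct {
	CA    keyedCert
	cache map[[32]byte]keyedCert
}

// sign issues tmpl for a fresh P-256 key, signed by parent (self-signed when
// parent is nil); the serial number is derived from the random key.
func sign(tmpl *x509.Certificate, parent *keyedCert) (keyedCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return keyedCert{}, err
	}
	tmpl.SerialNumber = new(big.Int).SetBytes(key.PublicKey.X.Bytes()[:16])
	if parent == nil {
		parent = &keyedCert{Cert: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		return keyedCert{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return keyedCert{}, err
	}
	return keyedCert{Cert: cert, Key: key}, nil
}

// NewForger generates the interception CA under the given (hypothetical) name.
func NewForger(caName string) (*Forger, error) {
	ca, err := sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
	return &Forger{CA: ca, cache: map[[32]byte]keyedCert{}}, err
}

// OriginCert stands in for the certificate the server facing device retrieves
// from the real server; it is constructed here as a self-signed leaf.
func OriginCert(dnsNames []string) (keyedCert, error) {
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsNames[0]},
		DNSNames:    dnsNames,
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, nil)
}

// Forge copies the origin certificate's identity (subject, SANs, validity window)
// onto a certificate bound to the forger's own key, signed by the interception
// CA; a repeat request for the same origin certificate is served from the cache.
func (f *Forger) Forge(origin *x509.Certificate) (keyedCert, error) {
	id := sha256.Sum256(origin.Raw)
	if kc, ok := f.cache[id]; ok {
		return kc, nil
	}
	kc, err := sign(&x509.Certificate{
		Subject:     origin.Subject,
		DNSNames:    origin.DNSNames,
		NotBefore:   origin.NotBefore,
		NotAfter:    origin.NotAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, &f.CA)
	if err == nil {
		f.cache[id] = kc
	}
	return kc, err
}

// TrustedBy reports whether a client trusting only root accepts cert for host.
func TrustedBy(cert, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

Copying the origin's validity window rather than minting a fresh one keeps an expired origin certificate visibly expired to the client. A production interceptor also has to validate the origin's real chain (trust anchor, hostname, revocation) before forging, because after interception the client can no longer see that chain and will judge only the forgery. Note too that the data traffic channel of the claims is unencrypted and carries the client's plaintext, so the segment joining the client facing device, the monitoring device and the server facing device needs the same protection as the decrypted data itself.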
Specification