Managing session secrets for continuous packet capture systems

US 10,476,673 B2
Filed: 03/22/2017
Issued: 11/12/2019
Est. Priority Date: 03/22/2017
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring communication over a network between one or more computers, with one or more network monitoring computers (NMCs) that perform actions, comprising:

continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules;

employing the one or more NMCs identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite;

obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by the key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session;

providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session;

storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information;

providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets stored in the data store and their associated key information in the secure communication session based on the correlation information;

providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and

choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are direct to monitoring communication between computers may be using network monitoring computers (NMCs). Network packets that are communicated between the computers may be captured and stored in a data store. If the NMCs identify a secure communication session established between two computers, the NMCs may obtain key information that corresponds to the secure communication session that includes a session key that may be provided by a key provider. Correlation information associated with the secure communication session may be captured by the NMCs. The correlation information may include tuple information associated with the secure communication session. And, the key information and the correlation information may be stored in a key escrow. The key information may be indexed in the key escrow using the correlation information.

134 Citations

30 Claims

1. A method for monitoring communication over a network between one or more computers, with one or more network monitoring computers (NMCs) that perform actions, comprising:
- continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules;
  
  employing the one or more NMCs identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite;
  
  obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by the key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session;
  
  providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session;
  
  storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information;
  
  providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets stored in the data store and their associated key information in the secure communication session based on the correlation information;
  
  providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and
  
  choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising, when a query is provided to the key escrow, performing further actions, including:
    - employing the query to provide a result set that includes query result correlation information and query result key information;
      
      providing one or more captured network packets from the data store based on the query result correlation information; and
      
      decrypting the one or more captured network packets based on the query result key information.
  - 3. The method of claim 1, wherein the key provider is a secret sharing engine executing on the one or more computers, or a network hardware security module.
  - 4. The method of claim 1, wherein the correlation information further comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL) session identifier, one or more tuples, one or more client-server random values, or one or more digest values comprised of one or more fields of one or more network packets comprising the secure communication session.
  - 5. The method claim 1, wherein the correlation information, further comprises:
    - other information based on one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
      
      tuple information for a network connection flow that corresponds to the secure communication session based on a match of one or more portions of the correlation information and one or more portions of the key information.
  - 6. The method of claim 1, further comprising:
    - providing one or more previously captured network packets that are associated with one or more secure communication sessions;
      
      providing key information that is associated with the one or more previously captured network packets based on the correlation information that is associated with the one or more previously captured network packets; and
      
      decrypting the one or more previously captured network packets using the key information.
  - 7. The method of claim 1, further comprising, when network packets associated with the key information and the correlation information are absent from the data store, discarding the key information and the correlation information.
  - 8. The method of claim 1, further comprising:
    - providing one or more previously captured encrypted network packets that are associated with one or more secure communication sessions;
      
      providing key information that is associated with the one or more previously captured encrypted network packets based on the correlation information that is associated with the one or more previously captured network packets; and
      
      enabling one or more services or applications to access the one or more previously captured encrypted network packets and the associated key information.

9. A system for monitoring communication over a network between one or more computers comprising:
- one or more network monitoring computers (NMCs), comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules;
  
  employing the one or more NMCs identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite;
  
  obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by the key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session;
  
  providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session;
  
  storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information;
  
  providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets and their associated key information in the secure communication session based on the correlation information;
  
  providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and
  
  choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters; and
  
  the one or more computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing the plurality of network packets.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further comprising, when a query is provided to the key escrow, performing further actions, including:
    - employing the query to provide a result set that includes query result correlation information and query result key information;
      
      providing one or more captured network packets from the data store based on the query result correlation information; and
      
      decrypting the one or more captured network packets based on the query result key information.
  - 11. The system of claim 9, wherein the key provider is a secret sharing engine executing on the one or more computers, or a network hardware security module.
  - 12. The system of claim 9, wherein the correlation information further comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL) session identifier, one or more tuples, one or more client-server random values, or one or more digest values comprised of one or more fields of one or more network packets comprising the secure communication session.
  - 13. The system of claim 9, wherein the correlation information, further comprises:
    - other information based on one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
      
      tuple information for a network connection flow that corresponds to the secure communication session based on a match of one or more portions of the correlation information and one or more portions of the key information.
  - 14. The system of claim 9, wherein the NMCs one or more processors execute instructions that perform actions, further comprising:
    - providing one or more previously captured network packets that are associated with one or more secure communication sessions;
      
      providing key information that is associated with the one or more previously captured network packets based on the correlation information that is associated with the one or more previously captured network packets; and
      
      decrypting the one or more previously captured network packets using the key information.
  - 15. The system of claim 9, wherein the NMCs one or more processors execute instructions that perform actions, further comprising, when network packets associated with the key information and the correlation information are absent from the data store, discarding the key information and the correlation information.
  - 16. The system of claim 9, wherein the NMCs one or more processors execute instructions that perform actions, further comprising:
    - providing one or more previously captured encrypted network packets that are associated with one or more secure communication sessions;
      
      providing key information that is associated with the one or more previously captured encrypted network packets based on the correlation information that is associated with the one or more previously captured network packets; and
      
      enabling one or more services or applications to access the one or more previously captured encrypted network packets and the associated key information.

17. A processor readable non-transitory storage media that includes instructions for monitoring communication over a network between one or more computers, wherein execution of the instructions by one or more processors on one or more network monitoring computers (NMCs) performs actions, comprising:
- continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules;
  
  employing the one or more NMCs identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite;
  
  employing the one or more NMCs identify a secure communication session established between two of the one or more computers;
  
  obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by a key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session;
  
  providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session;
  
  storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information;
  
  providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets and their associated key information in the secure communication session based on the correlation information; and
  
  providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and
  
  choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The media of claim 17, further comprising, when a query is provided to the key escrow, performing further actions, including:
    - employing the query to provide a result set that includes query result correlation information and query result key information;
      
      providing one or more captured network packets from the data store based on the query result correlation information; and
      
      decrypting the one or more captured network packets based on the query result key information.
  - 19. The media of claim 17, wherein the key provider is a secret sharing engine executing on the one or more computers, or a network hardware security module.
  - 20. The media of claim 17, wherein the correlation information further comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL) session identifier, one or more tuples, one or more client-server random values, or one or more digest values comprised of one or more fields of one or more network packets comprising the secure communication session.
  - 21. The media of claim 17, wherein the correlation information, further comprises:
    - other information based on one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
      
      tuple information for a network connection flow that corresponds to the secure communication session based on a match of one or more portions of the correlation information and one or more portions of the key information.
  - 22. The media of claim 17, further comprising:
    - providing one or more previously captured network packets that are associated with one or more secure communication sessions;
      
      providing key information that is associated with the one or more previously captured network packets based on the correlation information that is associated with the one or more previously captured network packets; and
      
      decrypting the one or more previously captured network packets using the key information.
  - 23. The media of claim 17, further comprising, when network packets associated with the key information and the correlation information are absent from the data store, discarding the key information and the correlation information.

24. A network monitoring computer (NMC) for monitoring communication over a network between one or more computers, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  continuously capturing a portion of network packets that are communicated between the one or more computers, wherein the portion of captured network packets is stored in a data store, wherein the portion of network packets is based on one or more of parameters, configuration information, or policy rules;
  
  employing the one or more NMCs identify a secure communication session established between two of the one or more computers based on detection of one or more network packet traffic patterns that indicate a secure handshake process is used to establish the secure communication session, wherein the detected network packet traffic patterns are associated with one or more of a secure communication protocol or a cipher suite;
  
  obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information includes a session private key that is provided by the key provider, and wherein the session private key is known to the one or more NMCs and known to the two or more computers that establish the secure communication session, and wherein the session private key is unknown to one or more other applications or services participating in the secure communication session;
  
  providing correlation information associated with the secure communication session, wherein the correlation information includes tuple information associated with the secure communication session;
  
  storing the key information and the correlation information in a key escrow, wherein the key information is indexed in the key escrow based on the correlation information;
  
  providing access, for the one or more other applications or services, to one or more previously captured encrypted network packets and their associated key information in the secure communication session based on the correlation information; and
  
  providing a query of the captured network packets stored in the data store, by the one or more other applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; and
  
  choosing one of an NMC or another application or a service to selectively decrypt encrypted network packets associated with the secure communication session, wherein the selective decryption and choosing is based on one or more of the configuration information, policy rules, or parameters.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The NMC of claim 24, further comprising, when a query is provided to the key escrow, performing further actions, including:
    - employing the query to provide a result set that includes query result correlation information and query result key information;
      
      providing one or more captured network packets from the data store based on the query result correlation information; and
      
      decrypting the one or more captured network packets based on the query result key information.
  - 26. The NMC of claim 24, wherein the key provider is a secret sharing engine executing on the one or more computers, or a network hardware security module.
  - 27. The NMC of claim 24, wherein the correlation information further comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL) session identifier, one or more tuples, one or more client-server random values, or one or more digest values comprised of one or more fields of one or more network packets comprising the secure communication session.
  - 28. The NMC of claim 24, wherein the correlation information, further comprises:
    - other information based on one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
      
      tuple information for a network connection flow that corresponds to the secure communication session based on a match of one or more portions of the correlation information and one or more portions of the key information.
  - 29. The NMC of claim 24, further comprising:
    - providing one or more previously captured network packets that are associated with one or more secure communication sessions;
      
      providing key information that is associated with the one or more previously captured network packets based on the correlation information that is associated with the one or more previously captured network packets; and
      
      decrypting the one or more previously captured network packets using the key information.
  - 30. The NMC of claim 24, further comprising, when network packets associated with the key information and the correlation information are absent from the data store, discarding the key information and the correlation information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Higgins, Benjamin Thomas, Tan, Charlotte Ching-Hsing, Rothstein, Jesse Abraham
Primary Examiner(s)
Shaw, Brian F

Application Number

US15/466,248
Publication Number

US 20180278419A1
Time in Patent Office

965 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/95   Retrieval from the web

G06F 16/951   Indexing; Web crawling tech...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/101   Access control lists [ACL]

H04L 63/16   Implementing security featu...

H04L 67/141   Setup of application sessio...

H04L 69/32   Architecture of open system...

H04L 69/326   in the transport layer [OSI...

H04L 69/327   in the session layer [OSI l...

H04L 69/328   in the presentation layer [...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

Managing session secrets for continuous packet capture systems

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

134 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Managing session secrets for continuous packet capture systems

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links