System and methods for transparent encryption

US 20060064750A1
Filed: 09/22/2004
Published: 03/23/2006
Est. Priority Date: 09/22/2004
Status: Active Grant

First Claim

Patent Images

1. A method for secure transport comprising:

intercepting an outgoing connection attempt;

identifying a destination from the outgoing connection attempt;

establishing a secure connection using the identified destination from the connection attempt;

establishing the attempted outgoing connection by terminating the outgoing connection attempt; and

associating the terminated outgoing connection with the established secure connection, the association operable to transfer message traffic intended for the destination over the secure connection in a continuous manner from the detected outgoing connection to the identified destination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Conventional SSL termination devices support secure connections only to a predetermined destination address. An SSL termination device accepts a plaintext connection and associate it to a secure connection to an arbitrary destination endpoint by intercepting a connection request from the local subnetwork, identifying the intended destination of the connection, and establishing a secure connection to the destination, bridges the local connection and the secure connection to provide a connection through the gateway device. The SSL termination device identifies an outgoing secure connection request from a client, and intercepts the connection request to identify the recipient destination. The SSL termination device establishes a secure connection using the identified destination, and associates the connections by mapping the intercepted connection to the recipient. The identified recipient allows the secure connection to the destination, and the mapping allows message traffic received from the client over the local connection to be mapped to the destination.

Citations

26 Claims

1. A method for secure transport comprising:
- intercepting an outgoing connection attempt;
  
  identifying a destination from the outgoing connection attempt;
  
  establishing a secure connection using the identified destination from the connection attempt;
  
  establishing the attempted outgoing connection by terminating the outgoing connection attempt; and
  
  associating the terminated outgoing connection with the established secure connection, the association operable to transfer message traffic intended for the destination over the secure connection in a continuous manner from the detected outgoing connection to the identified destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein terminating the outgoing connection attempt further comprises:
    - accepting the outgoing connection attempt as a local connection by completing a connection exchange; and
      
      emulating the intended destination as an endpoint of the outgoing connection.
  - 3. The method of claim 2 further comprising:
    - identifying data to be transmitted as message traffic via the outgoing connection;
      
      receiving the identified data; and
      
      redirecting the identified data via the established secure connection.
  - 4. The method of claim 3 further comprising mapping data sent from a client, the data intended for transmission via the outgoing connection, to the established secure connection.
  - 5. The method of claim 4 wherein identifying the destination further comprises scanning the connection attempt and extracting an identifier indicative of the intended destination.
  - 6. The method of claim 2 further comprising transporting data between the client and a remote intended destination in a seamless manner via the mapped connection, the seamless manner further comprising:
    - receiving data over the established local connection;
      
      indexing the secure connection to the identified destination via the mapping; and
      
      forwarding the received data to the identified destination via the indexed secure connection.
  - 7. The method of claim 6 further comprising identifying a ciphersuite, corresponding to the identified destination, indicative of an encryption algorithm operable via the secure connection;
    - and applying the identified ciphersuite to the received data prior to redirecting.
  - 8. The method of claim 1 wherein intercepting comprises:
    - detecting an outgoing connection attempt; and
      
      scanning the connection attempt for a destination identifier indicative of a remote intended recipient.
  - 9. The method of claim 8 further comprising:
    - correlating the outgoing connection attempt and the established secure connection in a mapping table indicative of local and remote connection attempts;
      
      indexing the outgoing connection and the established secure connection to identify outgoing message data on the outgoing connection destined for the identified destination; and
      
      bridging the outgoing connection with the secure connection to forward message data to the destination via the secure connection.
  - 10. The method of claim 9 further comprising determining if the outgoing connection is intended as a secure connection;
    - and indexing a ciphersuite using the intended destination by indexing a repository of expected destinations.
  - 11. The method of claim 1 wherein, if the remote destination is unable to accept the secure connection:
    - establishing a secure connection using the identified destination from the connection attempt; and
      
      reverting the second connection to a plaintext connection.

12. A method of providing a secure connection comprising:
- identifying an outgoing connection attempt intended as a secure connection to a destination;
  
  intercepting the outgoing connection attempt;
  
  analyzing the outgoing connection attempt to determine an identifier indicative of the destination;
  
  determining, using the identifier, if the destination is operable to accept a secure connection, and if so;
  
  retrieving a ciphersuite indicative of the secure connection attributes operable with the destination;
  
  completing a first connection by accepting the outgoing connection attempt as an end to end connection from the originator of the outgoing connection attempt;
  
  establishing a second connection by issuing a secure connection attempt to the destination employing the destination identifier and the retrieved secure connection attributes;
  
  storing an association of the first and second connections;
  
  receiving data via the first connection destined for the recipient;
  
  indexing, via the stored association, the second connection corresponding to the first connection; and
  
  forwarding the received data to the destination via the second connection.
- View Dependent Claims (13)
- - 13. The method of claim 12 wherein if the remote destination is unable to accept the secure connection, the second connection reverts to a plaintext connection.

14. A data communication device for secure transport comprising:
- an SSL terminator operable to intercept an outgoing connection attempt;
  
  a connection scanner operable to identify a destination from the intercepted outgoing connection attempt;
  
  a secure endpoint responsive to the SSL terminator to establish a secure connection using the identified destination from the connection attempt, the SSL terminator further operable to establish the attempted outgoing connection by terminating the outgoing connection attempt; and
  
  a mapper operable to associate the terminated outgoing connection with the established secure connection, the association operable to transfer message traffic intended for the destination over the secure connection in a continuous manner from the intercepted outgoing connection to the identified destination.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The data communication device of claim 14 wherein the SSL terminator is operable to:
    - accept the outgoing connection attempt as a local connection by completing a connection exchange to terminate and complete the outgoing connection attempt; and
      
      emulate the intended destination as an endpoint of the outgoing connection.
  - 16. The data communication device of claim 15 wherein the SSL terminator is further operable to:
    - identify data to be transmitted as message traffic via the outgoing connection;
      
      receive the identified data; and
      
      redirect the identified data via the established secure connection.
  - 17. The data communication device of claim 16 wherein the mapper is operable to map data sent from a client, in which the data is intended for transmission via the outgoing connection, to the established secure connection.
  - 18. The data communication device of claim 17 wherein the scanner is operable to identify the destination by scanning the connection attempt;
    - and extracting an identifier indicative of the intended destination.
  - 19. The data communication device of claim 15 wherein the SSL terminator is operable to transport data between the client and a remote intended destination in a seamless manner via the mapped connection, the SSL terminator further operable to:
    - receive data over the established local connection;
      
      index the secure connection to the identified destination via the mapping; and
      
      forward the received data to the identified destination via the indexed secure connection.
  - 20. The data communication device of claim 19 further comprising a repository operable to store a ciphersuite, the SSL terminator further operable to:
    - identify the ciphersuite corresponding to the identified destination and indicative of an encryption algorithm operable via the secure connection; and
      
      apply the identified ciphersuite to the received data prior to redirecting.
  - 21. The data communication device of claim 14 wherein the connection scanner is further operable to:
    - detect an outgoing connection attempt; and
      
      scan the connection attempt for a destination identifier indicative of a remote intended recipient.
  - 22. The data communication device of claim 21 wherein the SSL terminator is further operable to:
    - correlate the outgoing connection attempt and the established secure connection in a mapping table indicative of local and remote connection attempts;
      
      index, in the mapping table, the outgoing connection and the established secure connection to identify outgoing message data on the outgoing connection destined for the identified destination; and
      
      associate the outgoing connection with a proxy link to the secure connection to forward message data to the destination via the secure connection.
  - 23. The data communication device of claim 22 wherein the SSL terminator is further operable to determine, via the mapping, if the outgoing connection is intended as a secure connection;
    - and if so index a ciphersuite using the intended destination by indexing a repository of expected destinations; and
      
      if not, to revert to establishing a plaintext connection to the remote destination.

24. A computer program product having a computer readable medium operable to store computer program logic embodied in computer program code encoded thereon for secure transport comprising:
- computer program code for intercepting an outgoing connection attempt;
  
  computer program code for identifying a destination from the outgoing connection attempt;
  
  computer program code for establishing a secure connection using the identified destination from the connection attempt;
  
  computer program code for establishing the attempted outgoing connection by terminating the outgoing connection attempt; and
  
  computer program code for associating the terminated outgoing connection with the established secure connection, the association operable to transfer message traffic intended for the destination over the secure connection in a continuous manner from the detected outgoing connection to the identified destination.

25. A computer data signal having program code for secure transport comprising:
- program code for intercepting an outgoing connection attempt;
  
  program code for identifying a destination from the outgoing connection attempt;
  
  program code for establishing a secure connection using the identified destination from the connection attempt;
  
  program code for establishing the attempted outgoing connection by terminating the outgoing connection attempt; and
  
  program code for associating the terminated outgoing connection with the established secure connection, the association operable to transfer message traffic intended for the destination over the secure connection in a continuous manner from the detected outgoing connection to the identified destination.

26. A data communication device for secure transport comprising:
- means for program code for intercepting an outgoing connection attempt;
  
  means for identifying a destination from the outgoing connection attempt;
  
  means for establishing a secure connection using the identified destination from the connection attempt;
  
  means for establishing the attempted outgoing connection by terminating the outgoing connection attempt; and
  
  means for associating the terminated outgoing connection with the established secure connection, the association operable to transfer message traffic intended for the destination over the secure connection in a continuous manner from the detected outgoing connection to the identified destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kersey, Edward C., Huckaby, Derek L.

Granted Patent

US 7,480,794 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/16   Implementing security featu...

H04L 63/20   for managing network securi...

System and methods for transparent encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for transparent encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links