Transparent proxy of encrypted sessions

US 20080126794A1
Filed: 11/28/2006
Published: 05/29/2008
Est. Priority Date: 11/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

intercepting a client-server security session request sent from a client to a server at a proxy device;

initiating, with the server, a proxy-server security session from the proxy device;

obtaining, from the server, server security information at the proxy device;

initiating, with the client, a client-proxy security session from the proxy device using a trusted proxy certificate of the proxy device;

obtaining, from the client, client security information at the proxy device;

creating a dynamic certificate using the obtained client security information and the trusted proxy certificate;

establishing the initiated proxy-server security session with the dynamic certificate; and

establishing the initiated client-proxy security session, wherein the client-proxy security session and proxy-server security session transparently appear to the client and server as the requested client-server security session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a server and a client are configured to trust a certificate of an intermediate proxy device. The proxy device may then intercept a client-server security session request message sent from the client to the server. In response, the proxy device initiates a proxy-server security session with the server and obtains server security information from the server. Then, the proxy device initiates a client-proxy security session with the client using the trusted proxy certificate, and obtains client security information from the client. Upon obtaining the client security information, the proxy device creates a dynamic certificate using the obtained client security information and the trusted proxy certificate, and establishes the initiated proxy-server security session with the dynamic certificate. The proxy device then establishes the initiated client-proxy session, wherein the client-proxy security session and proxy-server security session transparently appear to the client and server as the requested client-server security session.

198 Citations

20 Claims

1. A method, comprising:
- intercepting a client-server security session request sent from a client to a server at a proxy device;
  
  initiating, with the server, a proxy-server security session from the proxy device;
  
  obtaining, from the server, server security information at the proxy device;
  
  initiating, with the client, a client-proxy security session from the proxy device using a trusted proxy certificate of the proxy device;
  
  obtaining, from the client, client security information at the proxy device;
  
  creating a dynamic certificate using the obtained client security information and the trusted proxy certificate;
  
  establishing the initiated proxy-server security session with the dynamic certificate; and
  
  establishing the initiated client-proxy security session, wherein the client-proxy security session and proxy-server security session transparently appear to the client and server as the requested client-server security session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method as in claim 1, further comprising:
    - configuring the server to trust the proxy certificate by installing the proxy certificate on the server.
  - 3. The method as in claim 2, further comprising:
    - configuring the client to trust the proxy certificate by pushing the trusted proxy certificate from the server to the client.
  - 4. The method as in claim 1, wherein the trusted proxy certificate is a proxy Certificate Authority (CA) certificate.
  - 5. The method as in claim 1, further comprising:
    - configuring the client to initiate the client-server security session to the server disregarding the existence of the proxy device.
  - 6. The method as in claim 1, further comprising:
    - receiving encrypted traffic at the proxy from either the client, over the client-proxy security session, or the server, over the proxy-server security session;
      
      decrypting the encrypted traffic at the proxy;
      
      re-encrypting the decrypted traffic at the proxy for the corresponding proxy-server security session and client-proxy security session; and
      
      transmitting the re-encrypted traffic from the proxy correspondingly to the server over the proxy-server security session and to the client over the client-proxy security session.
  - 7. The method as in claim 6, wherein the proxy device is a firewall, the method further comprising:
    - inspecting the decrypted traffic at the firewall.
  - 8. The method as in claim 1, wherein the client-proxy and proxy-server security sessions are selected from a group consisting of:
    - an authentication session, an encryption session, a Transport Layer Security (TLS) session, a Secure Socket Layer (SSL) session, and an Internet Protocol Security (IPSec) session.
  - 9. The method as in claim 1, further comprising:
    - creating a dynamic server certificate using the obtained server security information and the trusted proxy certificate; and
      
      initiating, with the client, the client-proxy security session from the proxy device using the dynamic server certificate.
  - 10. The method as in claim 1, wherein the trusted proxy certificate is shared to represent one or more servers for each of one or more client-proxy security sessions.
  - 11. The method as in claim 1, wherein the dynamic certificate for the client is a new certificate created at the proxy device having at least one of a corresponding client subject name, signature algorithm, or certificate extension.
  - 12. The method as in claim 1, wherein each of the dynamic certificates created by the proxy have a distinct public and private key pair.
  - 13. The method as in claim 1, wherein all dynamic certificates created by the proxy share a single public and private key pair.
  - 14. The method as in claim 1, further comprising:
    - receiving a security session tear-down request at the proxy device; and
      
      , in response,tearing down the client-proxy security session and proxy-server security session.
  - 15. The method as in claim 1, wherein the dynamic certificate is valid only for a duration of the client-proxy or proxy-server security sessions.
  - 16. The method as in claim 1, wherein the client-proxy security session is established prior to initiating the proxy-server security session.

17. A node, comprising:
- one or more network interfaces adapted to communicate with at least one server and at least one client, wherein the server and the client are configured to trust a proxy certificate of the node;
  
  one or more processors coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory adapted to store a proxy security process executable by each processor, the proxy security process when executed operable to;
  
  i) intercept a client-server security session request sent from the client to the server, ii) initiate, with the server, a proxy-server security session, iii) obtain, from the server, server security information, iv) initiate, with the client, a client-proxy security session using the trusted proxy certificate, v) obtain, from the client, client security information, vi) create a dynamic certificate using the obtained client security information and the trusted proxy certificate, vii) establish the initiated proxy-server security session with the dynamic certificate, and vii) establish the initiated client-proxy security session, wherein the client-proxy security session and proxy-server security session transparently appear to the client and server as the requested client-server security session.
- View Dependent Claims (18, 19)
- - 18. The node as in claim 17, wherein the proxy security process is further operable to:
    - i) receive encrypted traffic from either the client, over the client-proxy security session, or the server, over the proxy-server security session;
      
      ii) decrypt the encrypted traffic;
      
      iii) re-encrypt the decrypted traffic for the corresponding proxy-server security session and client-proxy security session; and
      
      iv) transmit the re-encrypted traffic correspondingly to the server over the proxy-server security session and to the client over the client-proxy security session.
  - 19. The node as in claim 18, wherein the memory is further adapted to store a firewall process executable by each processor, the firewall process when executed operable to inspect the decrypted traffic.

20. An apparatus, comprising:
- means for intercepting a client-server security session request sent from a client to a server;
  
  means for initiating, with the server, a proxy-server security session;
  
  means for obtaining, from the server, server security information;
  
  means for initiating, with the client, a client-proxy security session using a trusted proxy certificate;
  
  means for obtaining, from the client, client security information;
  
  means for creating a dynamic certificate using the obtained client security information and the trusted proxy certificate;
  
  means for establishing the initiated proxy-server security session with the dynamic certificate; and
  
  means for establishing the initiated client-proxy security session, wherein the client-proxy security session and proxy-server security session transparently appear to the client and server as the requested client-server security session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sundaresan, Anupama, Calia, Dario, Kaza, Vijaya Bharathi, Wang, Jianxin

Granted Patent

US 8,214,635 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0281   Proxies

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/3263   involving certificates, e.g...

Transparent proxy of encrypted sessions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

198 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Transparent proxy of encrypted sessions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

198 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others