METHODS FOR INSPECTING SECURITY CERTIFICATES BY NETWORK SECURITY DEVICES TO DETECT AND PREVENT THE USE OF INVALID CERTIFICATES

US 20120167212A1
Filed: 03/04/2012
Published: 06/28/2012
Est. Priority Date: 01/20/2009
Status: Active Grant

First Claim

Patent Images

1. A method for inspecting security certificates, the method comprising the steps of:

(a) scanning, by a network security device, messages of a security protocol between a server and a client system, by steps including;

(i) scanning said messages for an object ID (OID) of a compromised cryptographic hash function, and(ii) scanning said messages for an OID of a certificate extension;

(b) detecting said messages having a security certificate;

(c) detecting suspicious security certificates from said messages; and

(d) aborting particular sessions of said security protocol associated with said suspicious security certificates.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting a use of an invalid cryptographic algorithm for the certificates.

Citations

18 Claims

1. A method for inspecting security certificates, the method comprising the steps of:
- (a) scanning, by a network security device, messages of a security protocol between a server and a client system, by steps including;
  
  (i) scanning said messages for an object ID (OID) of a compromised cryptographic hash function, and(ii) scanning said messages for an OID of a certificate extension;
  
  (b) detecting said messages having a security certificate;
  
  (c) detecting suspicious security certificates from said messages; and
  
  (d) aborting particular sessions of said security protocol associated with said suspicious security certificates.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said step of scanning is performed only on messages of server certificate records.
  - 3. The method of claim 1, the method further comprising the step of(e) sending an invalid-certificate notice to said server and said client system.
  - 4. The method of claim 1, wherein said step of detecting said suspicious security certificates includes:
    - upon detecting said OID of said certificate extension in said messages, checking a comment length of said OID of said certificate extension for invalid-certificate criteria.
  - 5. The method of claim 4, wherein said step of detecting said suspicious security certificates further includes:
    - (ii) prior to said step of checking, determining that said OID of said compromised cryptographic hash function and said OID of said certificate extension are in the same trust chain member by searching for a second appearance of said OID of said compromised cryptographic hash function.
  - 6. The method of claim 4, wherein said invalid-certificate criteria include an excessive comment length and at least one non-ASCII character contained in said OID of said certificate extension.
  - 7. The method of claim 1, wherein said step of detecting said suspicious security certificates includes detecting a use of an incorrectly-generated private key for said security certificates.
  - 8. The method of claim 1, wherein said step of detecting said suspicious security certificates includes detecting an unavailability of revocation information for said security certificates.
  - 9. The method of claim 1, wherein said step of detecting said suspicious security certificates includes detecting a use of an invalid cryptographic algorithm for said security certificates.

10. A non-transitory computer-readable storage medium having computer-readable code embodied on the computer-readable storage medium, the computer-readable code comprising:
- (a) program code for scanning, by a network security device, messages of a security protocol between a server and a client system, wherein said program code for scanning includes;
  
  (i) program code for scanning said messages for an object ID (OID) of a compromised cryptographic hash function, and(ii) program code for scanning said messages for an OID of a certificate extension;
  
  (b) program code for detecting said messages having a security certificate;
  
  (c) program code for detecting suspicious security certificates from said messages; and
  
  (d) program code for aborting particular sessions of said security protocol associated with said suspicious security certificates.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The storage medium of claim 10, wherein said program code for scanning is performed only on messages of server certificate records.
  - 12. The storage medium of claim 10, the computer-readable code further comprising:
    - (e) program code for sending an invalid-certificate notice to said server and said client system.
  - 13. The storage medium of claim 11, wherein said program code for detecting said suspicious security certificates includes:
    - (i) program code for, upon detecting said OID of said certificate extension in said messages, checking a comment length of said OID of said certificate extension for invalid-certificate criteria.
  - 14. The storage medium of claim 13, wherein said program code for detecting said suspicious security certificates further includes:
    - (ii) program code for, prior to said checking, determining that said OID of said compromised cryptographic hash function and said OID of said certificate extension are in the same trust chain member by searching for a second appearance of said OID of said compromised cryptographic hash function.
  - 15. The storage medium of claim 13, wherein said invalid-certificate criteria include an excessive comment length of more than 200 bytes and at least one non-ASCII character contained in said OID of said certificate extension.
  - 16. The storage medium of claim 11, wherein said program code for detecting said suspicious security certificates includes program code for detecting a use of an incorrectly-generated private key for said security certificates.
  - 17. The storage medium of claim 11, wherein said program code for detecting said suspicious security certificates includes program code for detecting an unavailability of revocation information for said security certificates.
  - 18. The storage medium of claim 11, wherein said program code for detecting said suspicious security certificates includes program code for detecting a use of an invalid cryptographic algorithm for said security certificates.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Limited
Original Assignee
Check Point Software Technologies Limited
Inventors
Guzner, Guy, Haviv, Ami, Lieblich, Danny, Gal, Yahav

Granted Patent

US 8,850,576 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/1408   by monitoring network traff...

H04L 9/3268   using certificate validatio...

METHODS FOR INSPECTING SECURITY CERTIFICATES BY NETWORK SECURITY DEVICES TO DETECT AND PREVENT THE USE OF INVALID CERTIFICATES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS FOR INSPECTING SECURITY CERTIFICATES BY NETWORK SECURITY DEVICES TO DETECT AND PREVENT THE USE OF INVALID CERTIFICATES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links