Controlling and auditing SFTP file transfers

US 20130191627A1
Filed: 01/24/2013
Published: 07/25/2013
Est. Priority Date: 01/24/2012
Status: Active Grant

First Claim

Patent Images

1. A computer program product stored on a non-transitory computer-readable medium for controlling encrypted file transfers comprising instructions operable to cause a computer to:

perform a man-in-the-middle attack on an encrypted file transfer protocol connection going through the computer to obtain access to the plaintext of the encrypted file transfer protocol connection;

identify a file transfer attempt in the plaintext; and

determine whether to allow the file transfer attempt based on the name or content of the file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encrypted SFTP file transfers and other encrypted file transfers may be audited and what files can be transferred may be controlled at a firewall or other gateway. Transferred files may be subjected to data loss prevention analysis and/or virus checks.

Citations

20 Claims

1. A computer program product stored on a non-transitory computer-readable medium for controlling encrypted file transfers comprising instructions operable to cause a computer to:
- perform a man-in-the-middle attack on an encrypted file transfer protocol connection going through the computer to obtain access to the plaintext of the encrypted file transfer protocol connection;
  
  identify a file transfer attempt in the plaintext; and
  
  determine whether to allow the file transfer attempt based on the name or content of the file.
- View Dependent Claims (2, 3, 4)
- - 2. The computer program product of claim 1, further comprising instructions operable to:
    - send the content of a transmitted file to an audit server over a network connection.
  - 3. The computer program product of claim 2, further comprising instructions operable to:
    - in response to recognizing an attempt to transfer content that are already stored on the audit server, send an identification of the content to the audit server.
  - 4. The computer program product of claim 2, further comprising instructions operable to:
    - receive information from a second computer for spoofing authentication for the destination endpoint of the encrypted connection and use the information in the man-in-the-middle attack.

5. A method comprising:
- performing a man-in-the-middle attack on an encrypted connection that is a Secure Shell (SSH) protocol connection going through a first network device to obtain decrypted content of the encrypted connection;
  
  identifying a protocol request in the decrypted content as a request pertaining to a file; and
  
  determining whether to allow the request.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The method of claim 5, wherein the determining is based at least in part on a name of the file that the request pertains to.
  - 7. The method of claim 5, wherein the determining is based at least in part on the content of the file that the request pertains to.
  - 8. The method of claim 7, further comprising:
    - causing the content of the file that the request pertains to to be sent to a Data Loss Prevention (DLP) system;
      
      wherein the determining uses a response from the Data Loss Prevention system.
  - 9. The method of claim 7, further comprising:
    - causing the content of the file that the request pertains to to be checked for viruses.
  - 10. The method of claim 5, further comprising:
    - sending at least a part of the decrypted content of a file transferred across the encrypted connection to an audit server residing in a second network device.
  - 11. The method of claim 10, further comprising:
    - in response to detecting when a file is transferred more than once, sending an identification of a previously sent content of a file to the audit server instead of the content of the file.
  - 12. The method of claim 10, further comprising:
    - computing a hash value of the content of a file transmitted across the encrypted connection;
      
      determining whether the content of the file is already stored on the audit server, the determination using the hash value; and
      
      in response to the content being already stored on the audit server, sending an identification of the content without sending the content of the file.

13. An apparatus comprising:
- at least one processor;
  
  at least one memory comprising program code configured to, with the at least one processor, cause the apparatus to;
  
  perform a man-in-the-middle attack on an encrypted connection that is a Secure Shell (SSH) protocol connection going through a first network device to obtain decrypted content of the encrypted connection;
  
  identify a protocol request in the decrypted content of the encrypted connection as a request pertaining to a file; and
  
  determine whether to allow the request.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The apparatus of claim 13, wherein the determining is based at least in part on the content of the file that the request pertains to.
  - 15. The apparatus of claim 13, wherein the determining comprises sending the content of the file to a data loss prevention system and rejecting the request in response to the data loss prevention system indicating it should not be allowed.
  - 16. The apparatus of claim 13, wherein the determining comprises checking the file for viruses.
  - 17. The apparatus of claim 13, wherein the determining comprises checking whether the file is in a directory configured as permitted.
  - 18. The apparatus of claim 13, wherein the determining comprises comparing the type of the request against configured policy.
  - 19. The apparatus of claim 13, wherein the program code is further configured to cause the apparatus to:
    - send at least a portion of the decrypted content of a file to an audit server that is not part of the apparatus.
  - 20. The apparatus of claim 13, wherein the program code is further configured to cause the apparatus to:
    - send information about the request in the decrypted content of the encrypted connection to an audit server that is not part of the apparatus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
SSH Communications Security Corp. (SSH Communications Security Oyj)
Inventors
Ylonen, Tatu J., Lavitt, Samuel Douglas

Granted Patent

US 10,469,533 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/1483   service impersonation, e.g....

H04L 63/16   Implementing security featu...

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

Controlling and auditing SFTP file transfers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling and auditing SFTP file transfers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links