Auditing and controlling encrypted communications

US 20130191630A1
Filed: 01/24/2013
Published: 07/25/2013
Est. Priority Date: 01/24/2012
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

causing intercepting by a first computing device an encrypted communication between a first endpoint and a second endpoint;

causing performing a man-in-the-middle attack on the encrypted communication, the man-in-the-middle attack establishing a first set of encryption keys between the first endpoint and the first computing device and a second set of encryption keys between the first computing device and the second endpoint and providing access to at least a part of the plaintext of the encrypted communication; and

causing transmitting information obtained using the man-in-the-middle attack to an audit server distinct from the first computing device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Use of one or more computer systems may be audited by performing a man-in-the-middle attack against a cryptographic protocol (e.g., SSH) at one or more interceptors, transmitting audit data to a centralized audit server. Operations performed using the encrypted connection may be controlled and restricted.

31 Citations

View as Search Results

30 Claims

1. A method comprising:
- causing intercepting by a first computing device an encrypted communication between a first endpoint and a second endpoint;
  
  causing performing a man-in-the-middle attack on the encrypted communication, the man-in-the-middle attack establishing a first set of encryption keys between the first endpoint and the first computing device and a second set of encryption keys between the first computing device and the second endpoint and providing access to at least a part of the plaintext of the encrypted communication; and
  
  causing transmitting information obtained using the man-in-the-middle attack to an audit server distinct from the first computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the encrypted communication is according to a protocol selected from the group consisting of:
    - Secure Shell protocol (SSH), Remote Desktop Protocol (RDP), Virtual Network Computing protocol (VNC), and IP Security protocol (IPSec).
  - 3. The method of claim 1, wherein the encrypted communication is according to a protocol that provides perfect forward secrecy.
  - 4. The method of claim 1, wherein the transmitted information comprises at least a part of the plaintext of the encrypted communication.
  - 5. The method of claim 1, wherein the transmitted information comprises the encrypted communication and information from which at least one key used for decrypting the encrypted communication can be derived.
  - 6. The method of claim 1, wherein communication between the first computing device and the audit server is protected using encryption.
  - 7. The method of claim 1, further comprising:
    - causing recording a substantial portion of the plaintext obtained using the man-in-the-middle attack by the audit server.
  - 8. The method of claim 1, further comprising:
    - causing at least a part of the plaintext of the encrypted communication to determine, based on a policy received from a policy server, whether to allow or reject an operation being attempted using the encrypted communication.
  - 9. The method of claim 1, wherein the man-in-the-middle attack uses a private key received by the first computing device from an audit server or a private key server.
  - 10. The method of claim 1, further comprising:
    - causing a private key operation to be performed, as part of the man-in-the-middle attack, by a computer that has access to a private host key of the second endpoint.
  - 11. The method of claim 1, further comprising:
    - causing reception by the first computing device of an X.509 certificate identifying the second endpoint signed by a certificate authority; and
      
      causing a private key operation to be performed by a private key corresponding to the X.509 certificate, and sending a result of the private key operation and the X.509 certificate to the first endpoint.
  - 12. The method of claim 1, further comprising:
    - causing obtaining a Kerberos ticket for a host principal of the second endpoint and the ticket to be used in the man-in-the-middle attack for authenticating the first computing device to the first endpoint.
  - 13. The method of claim 1, further comprising:
    - causing sending a first portion of the plaintext of the encrypted communication to a data loss prevention (DLP) system; and
      
      in response to the data loss prevention system indicating that communication of the first portion of the plaintext of the encrypted communication should not be allowed, causing at least one of the following operations to be performed;
      
      rejecting a protocol request in the encrypted communication to transmit the information;
      
      triggering an alarm;
      
      flagging information recorded about the encrypted communication in an audit server for further analysis;
      
      orterminating the encrypted communication.
  - 14. The method of claim 1, further comprising:
    - sending a query to a second computing device about whether the encrypted communication should be permitted, the query comprising information derived from the plaintext of the encrypted communication; and
      
      suspending the encrypted communication while waiting for a response from the second computing device to the query.
  - 15. The method of claim 1, further comprising:
    - sending a request to a second computing device for a second person to authorize the communication; and
      
      suspending the encrypted communication while waiting for response from the second computing device to the request.

16. An apparatus comprising:
- at least one processor; and
  
  at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to perform;
  
  intercepting an encrypted connection going through a network interface of a network device;
  
  sending information relating to the intercepted encrypted connection to an audit server for recording, said information enabling inspection of plaintext content of the intercepted encrypted connection.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The system of claim 16, wherein the intercepting comprises performing a man-in-the-middle attack on the encrypted connection.
  - 18. The system of claim 16, further comprising a policy enforcer for controlling which actions may be performed using the encrypted connection.
  - 19. The system of claim 18, wherein the policy enforcer controls which files may be transferred.
  - 20. The system of claim 18, wherein the policy enforcer controls which TCP/IP ports may be forwarded.
  - 21. The system of claim 18, wherein the policy enforcer controls which devices may be accessed.
  - 22. The system of claim 18, wherein the policy enforcer restricts the plaintext of the encrypted connected to comprise data approved by a data loss prevention (DLP) system.
  - 23. The system of claim 18, wherein the policy enforcer causes a virus check to be performed on at least one transmitted file.

24. An apparatus comprising:
- at least one processor; and
  
  at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to perform;
  
  receiving information relating to an intercepted encrypted connection going through an interceptor in a network device; and
  
  recording the information relating to the intercepted encrypted connection, said information enabling inspection of plaintext content of the intercepted encrypted connection.
- View Dependent Claims (25)
- - 25. The system of claim 24, wherein the interceptor connects to a server residing on another computer to perform a cryptographic operation using a private key used by the intended destination endpoint of the connection.

26. A computer program product stored on a non-transitory computer-readable medium for causing a network device to process encrypted connections, comprising:
- computer program code for causing the network device to intercept an encrypted connection through the network device; and
  
  computer program code for causing the network device to send information relating to the encrypted connection to an audit server, the information providing the audit server effective access to plaintext of the connection.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The computer program product of claim 26, further comprising:
    - computer program code for authenticating the network device as the destination endpoint of the encrypted connection.
  - 28. The computer program product of claim 26, further comprising:
    - computer program code for restricting which files may be transferred using the encrypted connection.
  - 29. The computer program product of claim 26, further comprising:
    - computer program code for checking, in part by communicating with an Ligtweight Directory Access Protocol (LDAP) server or Active Directory server and in part using information from the plaintext of the encrypted connection, whether to allow the encrypted connection to be established.
  - 30. The computer program product of claim 26, further comprising:
    - determining whether to allow the encrypted connection to proceed to its destination endpoint based on the result of trying to obtain a ticket from a ticketing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Corp. (SSH Communications Security Oyj)
Original Assignee
SSH Communications Security Corp. (SSH Communications Security Oyj)
Inventors
Ylonen, Tatu J., Lavitt, Samuel Douglas

Application Number

US13/748,693
Publication Number

US 20130191630A1
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/1483   service impersonation, e.g....

H04L 63/16   Implementing security featu...

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

Auditing and controlling encrypted communications

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Auditing and controlling encrypted communications

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links