Interposer with Security Assistant Key Escrow
First Claim
1. A method comprising:
- at a network device, receiving a set of session initiation messages from a client device, the set of session initiation messages comprising an address for a server to initiate a secure session between the client device and the server;
- forwarding the set of session initiation messages to the server at the server address;
- forwarding the set of session initiation messages to a security assistant device, the security assistant device physically located in a secure location apart from the network device; and
- receiving a session authorization from the security assistant device, the session authorization enabling the network device to decrypt messages from the secure session between the client device and the server.
Abstract
An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining the application session security state. The interposer does this without holding any private keying material of the client or the server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides inside the secure physical network perimeter and holds the private keying material required to derive the session keys needed to interpose into the application security protocol. During a security protocol handshake, the interposer sends the security protocol handshake messages to the SAKE and in return receives from the SAKE the session security state that allows it to participate in the application security protocol.
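As an added illustration (not the patent's own code or any vendor implementation), the following Python simulates the exchange the abstract and claims describe: the interposer holds no private key, forwards the handshake transcript to a SAKE that keeps the server's private key indexed by certificate fingerprint, and receives a session key back, or nothing when the certificate is unknown. All primitives are toy stand-ins (a small DH group, a SHA-256 XOR keystream) and all names and fingerprint values are assumptions.

```python
import hashlib, hmac, os

# Toy DH group for illustration only (Mersenne prime 2^127-1), not a real TLS group.
P, G = 2**127 - 1, 5


def kdf(shared: int, client_random: bytes, server_random: bytes) -> bytes:
    """Derive the session key from the DH secret and both handshake nonces."""
    return hmac.new(shared.to_bytes(16, "big"), client_random + server_random,
                    hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class SecurityAssistant:
    """SAKE: lives in the secure perimeter and holds private keys per certificate."""
    def __init__(self, private_keys: dict):
        self._keys = private_keys  # certificate fingerprint -> private DH exponent

    def authorize(self, transcript: dict):
        """Return a session key for a known certificate, else None (claim 17)."""
        priv = self._keys.get(transcript["cert_fp"])
        if priv is None:
            return None
        shared = pow(transcript["client_pub"], priv, P)
        return kdf(shared, transcript["client_random"], transcript["server_random"])


class Interposer:
    """Network device: holds no private key, only forwards the handshake (claim 1)."""
    def __init__(self, sake: SecurityAssistant):
        self._sake = sake

    def intercept(self, transcript: dict, ciphertext: bytes):
        session_key = self._sake.authorize(transcript)
        return None if session_key is None else keystream_xor(session_key, ciphertext)


def run_handshake(message: bytes, sake: SecurityAssistant, cert_fp: str, server_priv: int):
    """Simulate a static-DH handshake, then let the interposer decrypt the client's data."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    server_pub = pow(G, server_priv, P)  # the public value carried in the certificate
    client_priv = int.from_bytes(os.urandom(16), "big") % (P - 1) + 1
    client_pub = pow(G, client_priv, P)
    client_key = kdf(pow(server_pub, client_priv, P), client_random, server_random)
    transcript = {"cert_fp": cert_fp, "client_random": client_random,
                  "server_random": server_random, "client_pub": client_pub}
    return Interposer(sake).intercept(transcript, keystream_xor(client_key, message))
```

Because the interposer never sees `server_priv`, compromising it yields only the transcripts it forwarded; the escrowed key stays with the SAKE, which is the property the abstract claims.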
23 Claims
1. A method comprising: at a network device, receiving a set of session initiation messages from a client device, the set of session initiation messages comprising an address for a server to initiate a secure session between the client device and the server; forwarding the set of session initiation messages to the server at the server address; forwarding the set of session initiation messages to a security assistant device, the security assistant device physically located in a secure location apart from the network device; and receiving a session authorization from the security assistant device, the session authorization enabling the network device to decrypt messages from the secure session between the client device and the server. (Dependent claims: 2 to 11.)

12. An apparatus comprising: a network interface unit that sends and receives communications over a network; and a processor coupled to the network interface unit, configured to: receive a set of session initiation messages from a client device via the network interface unit, the set of session initiation messages comprising a server address for a server to initiate a secure session between the client device and the server; cause the network interface unit to forward the set of session initiation messages to the server at the server address; cause the network interface unit to forward the set of session initiation messages to a security assistant device physically located separate from the apparatus; and receive a session authorization from the security assistant device via the network interface unit, the session authorization enabling the apparatus to decrypt messages from the secure session between the client device and the server. (Dependent claims: 13 to 16.)

17. A method comprising: receiving a set of session initiation messages from an interposer device, the set of session initiation messages initiating a secure session between a client device and a server; determining a certificate associated with the set of session initiation messages; and transmitting, to the interposer device, a session authorization based on the certificate, the session authorization enabling the interposer to unwrap messages in the secure session. (Dependent claims: 18 to 23.)
Specification