Interposer with Security Assistant Key Escrow

US 20150288679A1
Filed: 07/10/2014
Published: 10/08/2015
Est. Priority Date: 04/02/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a network device, receiving a set of session initiation messages from a client device, the set of session initiation messages comprising an address for a server to initiate a secure session between the client device and the server;

forwarding the set of session initiation messages to the server at the server address;

forwarding the set of session initiation messages to a security assistant device, the security assistant device physically located in a secure location apart from the network device; and

receiving a session authorization from the security assistant device, the session authorization enabling the network device to decrypt messages from the secure session between the client device and the server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An interposer is provided that is configured to interpose into an application security protocol exchange by obtaining application session security state. The interposer does this without holding any private keying material of client or server. An out-of-band Security Assistant Key Escrow service (SAS/SAKE) is also provided. The SAKE resides in the secure physical network perimeter and holds the private keying material required to derive session keys for interposing into application security protocol. During a security protocol handshake, the interposer sends SAKE security protocol handshake messages and in return receives from the SAKE session security state that allows it to participate in application security protocol.

140 Citations

23 Claims

1. A method comprising:
- at a network device, receiving a set of session initiation messages from a client device, the set of session initiation messages comprising an address for a server to initiate a secure session between the client device and the server;
  
  forwarding the set of session initiation messages to the server at the server address;
  
  forwarding the set of session initiation messages to a security assistant device, the security assistant device physically located in a secure location apart from the network device; and
  
  receiving a session authorization from the security assistant device, the session authorization enabling the network device to decrypt messages from the secure session between the client device and the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - receiving a first session authentication from the server;
      
      receiving a second session authentication from the security assistant device; and
      
      responsive to a determination that the network device will act as an active interposer, transmitting the second session authentication to the client device.
  - 3. The method of claim 2, further comprising:
    - responsive to a determination that the network device will act as a transparent interposer, transmitting the first session authentication to the client device.
  - 4. The method of claim 1, further comprising:
    - receiving a plurality of secure messages from the secure session between the client device and the server;
      
      unwrapping the plurality of secure messages with the session authorization received from the security assistant device to generate a plurality of unwrapped messages; and
      
      processing the unwrapped messages according to a network application based on contents of the unwrapped messages.
  - 5. The method of claim 4, further comprising:
    - modifying the unwrapped messages according to the network application to generate modified messages;
      
      wrapping the modified messages to generate modified secure messages; and
      
      transmitting the modified secure messages to the client device.
  - 6. The method of claim 1, wherein the security assistant device negotiates the session authorization with the server on behalf of the network device.
  - 7. The method of claim 1, wherein the secure session is secured via one of Secure Sockets Layer (SSL) Transport Layer Security (TLS). Datagram Transport Layer Security (DTLS), Microsoft Kerberos (MS-KRB), or Microsoft NT LAN Management (MS-NTLM).
  - 8. The method of claim 1, wherein the network device and the security assistant device communicate via a secure back channel.
  - 9. The method of claim 8, further comprising provisioning the network device via the secure back channel with an authorization to provide security services.
  - 10. The method of claim 9, further comprising invalidating the authorization to provide security services.
  - 11. The method of claim 1, further comprising:
    - computing a hash of at least a part of the set of session initiation messages;
      
      generating a handshake finish message including the hash; and
      
      transmitting the handshake finish message to at least one of the client or the server.

12. An apparatus comprising:
- a network interface unit that sends and receives communications over a network; and
  
  a processor coupled to the network interface unit, to;
  
  receive a set of session initiation messages from a client device via the network interface unit, the set of session initiation messages comprising a server address for a server to initiate a secure session between the client device and the server;
  
  cause the network interface unit to forward the set of session initiation messages to the server at the server address;
  
  cause the network interface unit to forward the set of session initiation messages to a security assistant device physically located separate from the apparatus; and
  
  receive a session authorization from the security assistant device via the network interface unit, the session authorization enabling the apparatus to decrypt messages from the secure session between the client device and the server.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The apparatus of claim 12, wherein the processor further:
    - receives a first session authentication from the server via the network interface unit;
      
      receives a second session authentication from the security assistant device via the network interface unit; and
      
      responsive to a determination that the apparatus is to act as an active interposer, causes the network interface unit to transmit the second session authentication to the client device.
  - 14. The apparatus of claim 13, wherein the processor further:
    - responsive to a determination that the apparatus is to act as a transparent interposer, causes the network interface unit to transmit the first session authentication to the client device.
  - 15. The apparatus of claim 12, wherein the processor further:
    - receives, via the network interface unit, a plurality of secure messages from the secure session between the client device and the server;
      
      unwraps the plurality of secure messages with the session authorization received from the security assistant device to generate a plurality of unwrapped messages; and
      
      processes the unwrapped messages according to a network application based on contents of the unwrapped messages.
  - 16. The apparatus of claim 15, wherein the processor further:
    - modifies the unwrapped messages according to the network application to generate modified messages;
      
      wraps the modified messages to generate modified secured messages; and
      
      causes the network interface unit to transmit the modified secure messages to the client device.

17. A method comprising:
- receiving a set of session initiation messages from an interposer device, the set of session initiation messages initiating a secure session between a client device and a server;
  
  determining a certificate associated with the set of session initiation messages; and
  
  transmitting, to the interposer device, a session authorization based on the certificate, the session authorization enabling the interposer to unwrap messages in the secure session.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method of claim 17, further comprising:
    - receiving an pre-master secret encrypted with a public key associated with the server;
      
      decrypting the pre-master secret with a private key associated with the server; and
      
      transmitting the decrypted pre-master secret to the interposer.
  - 19. The method of claim 17, wherein determining the certificate comprises signing a proxy certificate for the server.
  - 20. The method of claim 17, wherein determining the certificate comprises determining an account object associated with a security context and Pre-Shared Key (PSK), the security context and PSK belonging to the secure session.
  - 21. The method of claim 17, wherein the interposer device and the security assistant device communicate via a secure back channel.
  - 22. The method of claim 21, further comprising revoking the session authorization responsive to a determination that the interposer device is no longer authorized.
  - 23. The method of claim 22, further comprising transmitting a message to the server requesting the server to renegotiate the secure session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Ben-Nun, Eitan, Wing, Daniel G., Agasaveeran, Saravanan, Zayats, Michael, Patil, Kirtesh, Padhye, Jaideep, Hungund, Manohar B.

Granted Patent

US 10,178,181 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/168   above the transport layer

H04L 67/141   Setup of application sessio...

H04L 67/56   Provisioning of proxy servi...

Interposer with Security Assistant Key Escrow

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

140 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Interposer with Security Assistant Key Escrow

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

140 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links