Detecting Compromised Certificate Authority

US 20170005805A1
Filed: 07/01/2015
Published: 01/05/2017
Est. Priority Date: 07/01/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving over time reports containing data describing certificate authority certificates captured from messages exchanged between clients and servers;

storing metadata and statistics for certificates contained in the reports; and

determining whether a certificate authority has been compromised based on the metadata and statistics.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method is provided to detect a compromised Certificate Authority (CA). Over time reports are received containing data describing certificate authority certificates captured from messages exchanged between clients and servers. These reports may be received by a central computing entity. Metadata and statistics for certificates contained in the reports are stored. It is determined whether a certificate authority has been compromised based on the metadata and statistics.

Citations

20 Claims

1. A computer-implemented method comprising:
- receiving over time reports containing data describing certificate authority certificates captured from messages exchanged between clients and servers;
  
  storing metadata and statistics for certificates contained in the reports; and
  
  determining whether a certificate authority has been compromised based on the metadata and statistics.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the metadata includes the certificate issuer and an indication of whether or not the certificate has been verified by a central authority, and wherein the statistics include, for each certificate, a date first reported, number of reports received, and time and geographical distribution of reports received.
  - 3. The method of claim 2, wherein determining comprises determining that a particular certificate authority that issued a particular certificate has been compromised upon determining that the particular certificate uses a Common Name or Domain Name System (DNS) name that has appeared in numerous received reports for the certificates issued by different certificate authorities.
  - 4. The method of claim 2, wherein determining comprises analyzing the metadata and statistics for the certificates contained in the reports to develop a normal activity pattern for a particular certificate, and generating an indication that that a certificate authority that is issuing a particular certificate has been compromised when a deviation from the normal activity pattern for the particular certificate is detected.
  - 5. The method of claim 2, wherein storing further comprises storing, in association with a given certificate, information indicating where in a domain name hierarchy the given certificate is detected.
  - 6. The method of claim 1, wherein receiving comprises receiving reports from a plurality of network devices that monitor handshake messages between clients and servers.
  - 7. The method of claim 1, wherein receiving comprises receiving reports from the clients and/or the servers.
  - 8. The method of claim 1, wherein receiving comprises receiving reports for a localized geographical region or to receive reports globally.

9. An apparatus comprising:
- a network interface unit configured to enable communications over a network;
  
  a memory;
  
  a processor coupled to the network interface unit and the memory, wherein the processor is configured to;
  
  receive over time reports containing data describing certificate authority certificates captured from messages exchanged between clients and servers;
  
  store in the memory metadata and statistics for certificates contained in the reports; and
  
  determine whether a certificate authority has been compromised based on the metadata and statistics.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9, wherein the metadata includes the certificate issuer and an indication of whether or not the certificate has been verified by a central authority, and wherein the statistics include, for each certificate, a date first reported, number of reports received and time and geographical distribution of reports received.
  - 11. The apparatus of claim 10, wherein the processor is configured to determine by determining that a particular certificate authority that issued a particular certificate has been compromised upon determining that the particular certificate uses a Common Name or Domain Name System (DNS) name that has appeared in numerous received reports for the certificates issued by different certificate authorities.
  - 12. The apparatus of claim 10, wherein the processor is configured to determine by analyzing the metadata and statistics for the certificates contained in the reports to develop a normal activity pattern for a particular certificate, and generating an indication that that a certificate authority that is issuing a particular certificate has been compromised when a deviation from the normal activity pattern for the particular certificate is detected.
  - 13. The apparatus of claim 10, wherein the processor is configured to store, in association with a given certificate, information indicating where in a domain name hierarchy the given certificate is detected.
  - 14. The apparatus of claim 9, wherein the processor is configured to receive reports from a plurality of network devices that monitor handshake messages between clients and servers.
  - 15. The apparatus of claim 9, wherein the processor is configured to receive reports for a localized geographical region or to receive reports globally.

16. One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to:
- receive over time reports containing data describing certificate authority certificates captured from messages exchanged between clients and servers;
  
  store in a memory metadata and statistics for certificates contained in the reports; and
  
  determine whether a certificate authority has been compromised based on the metadata and statistics.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable storage media of claim 16, wherein the metadata includes the certificate issuer and an indication of whether or not the certificate has been verified by a central authority, and wherein the statistics include, for each certificate, a date first reported, number of reports received, and time and geographical distribution of reports received.
  - 18. The non-transitory computer readable storage media of claim 17, wherein the instructions operable to determine comprise instructions operable to determine that a particular certificate authority that issued a particular certificate has been compromised upon determining that the particular certificate uses a Common Name or Domain Name System (DNS) name that has appeared in numerous received reports for the certificates issued by different certificate authorities.
  - 19. The non-transitory computer readable storage media of claim 17, wherein the instructions operable to determine comprise instructions operable to analyze the metadata and statistics for the certificates contained in the reports to develop a normal activity pattern for a particular certificate, and generate an indication that that a certificate authority that is issuing a particular certificate has been compromised when a deviation from the normal activity pattern for the particular certificate is detected.
  - 20. The non-transitory computer readable storage media of claim 17, wherein the instructions operable to store comprise to store, in association with a given certificate, information indicating where in a domain name hierarchy the given certificate is detected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wang, Jianxin, Shankar, Hari

Granted Patent

US 9,686,081 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/33   using certificates

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2135   Metering

H04L 63/0823   using certificates cryptogr...

H04L 63/1416   Event detection, e.g. attac...

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

Detecting Compromised Certificate Authority

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting Compromised Certificate Authority

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links