Cryptographic policy enforcement

US 7,930,540 B2
Filed: 11/22/2004
Issued: 04/19/2011
Est. Priority Date: 01/22/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing packets being transmitted over a network;

assembling an object from the captured packets;

assigning a cryptographic status to the object by determining whether the captured object is encrypted; and

determining whether the object violated a cryptographic policy using the assigned cryptographic status of the object, wherein assigning a cryptographic status to the captured object comprises performing a statistical analysis on bytes in the captured object, and wherein the statistical analysis comprises calculating an index of coincidence for the bytes in the captured object.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Objects can be extracted from data flows captured by a capture device. In one embodiment, the invention includes assigning to each captured object a cryptographic status based on whether the captured object is encrypted. In one embodiment, the invention further includes determining whether the object violated a cryptographic policy using the assigned cryptographic status of the object.

285 Citations

30 Claims

1. A method comprising:
- capturing packets being transmitted over a network;
  
  assembling an object from the captured packets;
  
  assigning a cryptographic status to the object by determining whether the captured object is encrypted; and
  
  determining whether the object violated a cryptographic policy using the assigned cryptographic status of the object, wherein assigning a cryptographic status to the captured object comprises performing a statistical analysis on bytes in the captured object, and wherein the statistical analysis comprises calculating an index of coincidence for the bytes in the captured object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein determining whether the object violated the cryptographic policy comprises determining that the object violated the cryptographic policy by being encrypted when the object was not expected to be encrypted.
  - 3. The method of claim 1, wherein determining whether the object violated the cryptographic policy comprises determining that the object violated the cryptographic policy by being unencrypted when the object was required to be encrypted.
  - 4. The method of claim 1, wherein determining whether the object violated the cryptographic policy comprises accessing at least one rule of the cryptographic policy related to a transmission channel in which the object was transmitted, and comparing the cryptographic status of the object to a status required by the rule.
  - 5. The method of claim 4, wherein the transmission channel comprises a set of source Internet protocol (IP) addresses and a set of destination IP addresses.
  - 6. The method of claim 1, further comprising allowing a user to edit the cryptographic policy.
  - 7. The method of claim 1, further comprising generating an alert to a user if the cryptographic policy is determined to be violated.
  - 8. The method of claim 1, further comprising blocking delivery of the object if the cryptographic policy is determined to be violated.

9. An apparatus that includes a processor and a non-transitory computer readable medium, comprising:
- a packet capture module to capture packets being transmitted over a network;
  
  an object assembly module to reconstruct an object from the captured packets; and
  
  a cryptographic analyzer to determine whether the object violated a cryptographic policy in effect over the network, wherein a cryptographic status is assigned to the captured object and a statistical analysis is performed on bytes in the captured object, and wherein the statistical analysis comprises calculating an index of coincidence for the bytes in the captured object.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein the cryptographic policy comprises a set of cryptographic rules.
  - 11. The apparatus of claim 10, wherein at least one rule of the set of cryptographic rules defines a transmission channel and whether encrypted objects are allowed or not on the channel.
  - 12. The apparatus of claim 10, wherein at least one rule of the set of cryptographic rules defines a transmission channel and whether encrypted objects are required or not on the channel.
  - 13. The apparatus of claim 12, wherein the transmission channel comprises a set of source Internet protocol (IP) addresses and a set of destination IP addresses.
  - 14. The apparatus of claim 10, further comprising a user interface configured to allow a user to edit the set of cryptographic rules.
  - 15. The apparatus of claim 9, further comprising a user interface to transmit an alert to a user if the cryptographic policy is determined to be violated by the cryptographic analyzer.
  - 16. The apparatus of claim 9, wherein the apparatus blocks delivery of the object if the cryptographic policy is determined to be violated by the cryptographic analyzer.

17. A method comprising:
- capturing an object being transmitted over a network;
  
  generating a tag associated with the captured object, the tag containing metadata related to the captured object;
  
  assigning a cryptographic status to the captured object by determining whether the captured object was encrypted prior to being transmitted over the network; and
  
  adding the cryptographic status of the captured object to the tag associated with the captured object, wherein assigning a cryptographic status to the captured object comprises performing a statistical analysis on bytes in the captured object, and wherein the statistical analysis comprises calculating an index of coincidence for the bytes in the captured object.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17, further comprising determining whether the captured object violates a cryptographic policy by checking the metadata contained in the tag against one or more cryptographic rules.
  - 19. The method of claim 17, wherein one of the cryptographic rules prohibits transmission of encrypted objects from one or more source Internet protocol (IP) addresses.
  - 20. The method of claim 17, wherein assigning a cryptographic status to the captured object does not rely on any known content in the captured object.
  - 21. The method of claim 17, wherein the statistical analysis comprises preprocessing the bytes making up the captured object by calculating differences between adjacent bytes, and the index of coincidence is determined for the calculated differences.

22. A non-transitory machine-readable medium having stored thereon data representing instructions, that, when executed by a processor of a capture system, cause the processor to perform operations comprising:
- capturing packets being transmitted over a network;
  
  assembling an object from the captured packets;
  
  assigning a cryptographic status to the object by determining whether the captured object is encrypted; and
  
  determining whether the object violated a cryptographic policy using the assigned cryptographic status of the object, wherein assigning a cryptographic status to the captured object comprises performing a statistical analysis on bytes in the captured object, and wherein the statistical analysis comprises calculating an index of coincidence for the bytes in the captured object.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The machine-readable medium of claim 22, wherein determining whether the object violated the cryptographic policy comprises determining that the object violated the cryptographic policy by being encrypted when the object was not expected to be encrypted.
  - 24. The machine-readable medium of claim 22, wherein determining whether the object violated the cryptographic policy comprises determining that the object violated the cryptographic policy by being unencrypted when the object was required to be encrypted.
  - 25. The machine-readable medium of claim 22, wherein determining whether the object violated the cryptographic policy comprises accessing at least one rule of the cryptographic policy related to a transmission channel in which the object was transmitted, and comparing the cryptographic status of the object to a status required by the rule.
  - 26. The machine-readable medium of claim 25, wherein the transmission channel comprises a set of source Internet protocol (IP) addresses and a set of destination IP addresses.

27. A non-transitory machine-readable medium having stored thereon data representing instructions, that, when executed by a processor of a capture system, cause the processor to perform operations comprising:
- capturing an object being transmitted over a network;
  
  generating a tag associated with the captured object, the tag containing metadata related to the captured object;
  
  assigning a cryptographic status to the captured object by determining whether the captured object was encrypted prior to being transmitted over the network; and
  
  adding the cryptographic status of the captured object to the tag associated with the captured object, wherein assigning a cryptographic status to the captured object comprises performing a statistical analysis on bytes in the captured object, and wherein the statistical analysis comprises calculating an index of coincidence for the bytes in the captured object.
- View Dependent Claims (28, 29, 30)
- - 28. The machine-readable medium of claim 27, wherein the instructions further cause the processor to determine whether the captured object violates a cryptographic policy by checking the metadata contained in the tag against one or more cryptographic rules.
  - 29. The machine-readable medium of claim 27, wherein one of the cryptographic rules prohibits transmission of encrypted objects from one or more source Internet protocol (IP) addresses.
  - 30. The machine-readable medium of claim 27, wherein assigning a cryptographic status to the captured object does not rely on any known content in the captured object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
de la Iglesia, Erik, Ahuja, Ratinder Paul Singh, Coleman, Shaun
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Wyszynski; Aubrey H

Application Number

US10/995,455
Publication Number

US 20050166066A1
Time in Patent Office

2,339 Days
Field of Search

713/167, 713/189
US Class Current

713/167
CPC Class Codes

H04L 63/0428 wherein the data content is...

H04L 63/102 Entity profiles

Cryptographic policy enforcement

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

285 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic policy enforcement

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

285 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links