Cryptographic policy enforcement

US 8,307,206 B2
Filed: 03/14/2011
Issued: 11/06/2012
Est. Priority Date: 01/22/2004
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

capturing packets in a network environment;

assembling an object from the captured packets;

determining whether the object is encrypted;

assigning a cryptographic status to the object; and

determining whether the object violated a cryptographic policy, wherein the cryptographic policy comprises a set of cryptographic rules differentiating between transmissions that are required to be encrypted, transmissions that are required to be unencrypted, and transmissions that are allowed, but not required, to be encrypted.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Objects can be extracted from data flows captured by a capture device. In one embodiment, the invention includes assigning to each captured object a cryptographic status based on whether the captured object is encrypted. In one embodiment, the invention further includes determining whether the object violated a cryptographic policy using the assigned cryptographic status of the object.

372 Citations

20 Claims

1. A method, comprising:
- capturing packets in a network environment;
  
  assembling an object from the captured packets;
  
  determining whether the object is encrypted;
  
  assigning a cryptographic status to the object; and
  
  determining whether the object violated a cryptographic policy, wherein the cryptographic policy comprises a set of cryptographic rules differentiating between transmissions that are required to be encrypted, transmissions that are required to be unencrypted, and transmissions that are allowed, but not required, to be encrypted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the cryptographic status is provided for the object based, at least, on a statistical analysis of bytes in the object.
  - 3. The method of claim 2, wherein determining whether the object violated the cryptographic policy comprises determining that the object was unencrypted when the object was required to be encrypted.
  - 4. The method of claim 2, further comprising:
    - generating an alert if the cryptographic policy is determined to be violated.
  - 5. The method of claim 1, wherein the statistical analysis comprises calculating an index of coincidence for the bytes in the captured object.
  - 6. The method of claim 5, wherein the index of coincidence measures a distribution of numbers that differ from being uniform.
  - 7. The method of claim 1, further comprising:
    - evaluating whether the object was encrypted using a form of block cipher prior to transmission.
  - 8. The method of claim 1, wherein the statistical analysis includes distinguishing ciphertext from binary data.
  - 9. The method of claim 1, wherein the statistical analysis includes identifying a frequency count of bytes that appear in a block of bytes of a particular size.
  - 10. The method of claim 1, wherein the bytes are preprocessed before performing the statistical analysis such that the statistical analysis is based at least on differences between adjacent bytes.
  - 11. The method of claim 1, further comprising:
    - identifying a type of encryption used for the object; and
      
      decrypting the object.
  - 12. The method of claim 1, wherein the cryptographic status is stored in a tag associated with the object, and wherein the tag is provided in a tag database.

13. A capture system, comprising:
- a packet capture module configured to capture packets in a network environment;
  
  an object assembly module configured to assemble an object from the captured packets; and
  
  a cryptographic analyzer configured to determine a cryptographic status of the object and determine whether the object violated a cryptographic policy, wherein the cryptographic policy comprises a set of cryptographic rules differentiating between transmissions that are required to be encrypted, transmissions that are required to be unencrypted, and transmissions that are allowed, but not required, to be encrypted.
- View Dependent Claims (14, 15, 16)
- - 14. The capture system of claim 13, wherein the statistical analysis comprises calculating an index of coincidence for the bytes in the captured object, and wherein the index of coincidence measures a distribution of numbers that differ from being uniform.
  - 15. The capture system of claim 13, wherein the statistical analysis includes distinguishing ciphertext from binary data, and wherein the statistical analysis includes identifying a frequency count of bytes that appear in a block of bytes of a particular size.
  - 16. The capture system of claim 13, wherein the bytes are preprocessed before performing the statistical analysis such that the statistical analysis is based at least on differences between adjacent bytes.

17. A non-transitory medium having stored thereon data representing instructions configured for execution by a processor of a capture system, the instructions causing the capture system to perform operations comprising:
- assembling an object from packets captured in a network environment;
  
  determining whether the object is encrypted;
  
  identifying a cryptographic status of the object; and
  
  determining whether the object violated a cryptographic policy, wherein the cryptographic policy comprises a set of cryptographic rules differentiating between transmissions that are required to be encrypted, transmissions that are required to be unencrypted, and transmissions that are allowed, but not required, to be encrypted.
- View Dependent Claims (18, 19, 20)
- - 18. The medium of claim 17, wherein determining whether the object violated the cryptographic policy comprises determining that the object was unencrypted when the object was required to be encrypted.
  - 19. The medium of claim 17, wherein the statistical analysis comprises calculating an index of coincidence for the bytes in the captured object, and wherein the index of coincidence measures a distribution of numbers that differ from being uniform.
  - 20. The medium of claim 17, wherein the statistical analysis includes distinguishing ciphertext from binary data, and wherein the statistical analysis includes identifying a frequency count of bytes that appear in a block of bytes of a particular size.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ahuja, Ratinder Paul Singh, Coleman, Shaun, de la Iglesia, Erik
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
WYSZYNSKI, AUBREY H

Application Number

US13/047,068
Publication Number

US 20110167265A1
Time in Patent Office

603 Days
Field of Search

713/168
US Class Current

713/168
CPC Class Codes

H04L 63/0428 wherein the data content is...

H04L 63/102 Entity profiles

Cryptographic policy enforcement

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

372 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic policy enforcement

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

372 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links