Method and apparatus for managing secure communications
First Claim
1. In a data communications device, a method of managing secure communications comprising:
packet sniffing one or more network packets from a first endpoint device and traversing the data communications device destined for a second endpoint device to identify:
(i) a request from a first endpoint device to initiate secure communications between the first endpoint device and the second endpoint device, and (ii) a security usage indicator in the request indicative of an intended secure session to be established between the first and second endpoint devices;
analyzing the identified security usage indicator to determine an intended key to be used in establishing the secure communications;
computing a secure usage result indicative of whether to allow the intended secure session to be established, comprising:
mapping one or more attributes of the intended key to a respective one or more entries within a data store; and
applying one or more rules corresponding to the one or more entries within the data store to compute the secure usage result, wherein each of the one or more rules is associated with a respective priority value indicating a relative priority of the rule with respect to the other rules; and
enforcing the computed secure usage result by selectively allowing and prohibiting establishment of the intended secure session for secure communications between the first and second endpoint devices, comprising at least one of (i) disallowing communications, (ii) allowing secure communications pending further key usage authorization results, (iii) logging communications, and (iv) allowing secure communications.
Abstract
A device for managing secure communications by examining message packets to detect and control the use of encryption keys noninvasively examines an incoming message packet according to typical cryptographic protocols and sequences. If an incoming packet exhibits the use of an encryption key, such as via IKEP, IPsec, or PPTP, the device processes the packet to attempt to find the corresponding encryption key. The device compares the key to a list of known suspect keys to determine a blocked status. If the key is not on the list, a sequence of authorization rules concerning prohibited key usage attempts to determine a result. The authorization rules examine the keying attributes available from the message packet, possibly via a remote server, and compute an indication concerning key usage. If the authorization rules still cannot determine whether the key may be used, the device applies a default action. The default action indicates whether to allow or block usage of the key until a deterministic response indicates the key status.
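As an added example that is not part of the patent text, the following Python model shows the authorization pipeline the abstract describes: a suspect-key lookup first, then rules consulted in priority order, then a default action when no rule can decide. The key attributes, rule set, key identifiers and the default of "allow pending" are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, Optional


class Result(Enum):
    DISALLOW = "disallow"            # (i)  block the intended session
    ALLOW_PENDING = "allow_pending"  # (ii) allow until a deterministic answer arrives
    LOG = "log"                      # (iii) let it through but record it
    ALLOW = "allow"                  # (iv) allow the session


@dataclass(frozen=True)
class KeyAttributes:
    """Keying attributes recovered from a sniffed handshake (constructed fields)."""
    key_id: str
    protocol: str   # IKE, IPsec or PPTP, as named in the abstract
    algorithm: str
    bits: int


@dataclass
class Rule:
    """A rule returns a Result, or None when it cannot decide for this key."""
    priority: int   # lower value is consulted first
    evaluate: Callable[[KeyAttributes], Optional[Result]]


class KeyUsageAuthorizer:
    def __init__(self, suspect_keys: Iterable[str], rules: Iterable[Rule],
                 default: Result = Result.ALLOW_PENDING):
        self.suspect_keys = set(suspect_keys)                 # known suspect keys
        self.rules = sorted(rules, key=lambda r: r.priority)  # priority order
        self.default = default                                # used when rules are indeterminate

    def compute(self, attrs: KeyAttributes) -> Result:
        if attrs.key_id in self.suspect_keys:      # step 1: blocked-status lookup
            return Result.DISALLOW
        for rule in self.rules:                    # step 2: rules in priority order
            verdict = rule.evaluate(attrs)
            if verdict is not None:
                return verdict
        return self.default                        # step 3: default action


def build_example_authorizer() -> KeyUsageAuthorizer:
    """Constructed policy: PPTP and short keys blocked, strong AES allowed, unusual ciphers logged."""
    rules = [
        Rule(10, lambda a: Result.DISALLOW if a.protocol == "PPTP" else None),
        Rule(20, lambda a: Result.DISALLOW if a.bits < 128 else None),
        Rule(30, lambda a: Result.ALLOW if a.algorithm == "AES" and a.bits >= 256 else None),
        Rule(40, lambda a: Result.LOG if a.algorithm not in ("AES", "3DES") else None),
    ]
    return KeyUsageAuthorizer(suspect_keys={"key-0001"}, rules=rules)
```

A key that matches no rule (for example AES-128 over IPsec under this policy) falls through to the default, which mirrors the abstract's "allow or block until a deterministic response" behaviour.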
27 Claims
13. A data communications device for managing secure communications comprising:
an observer operable to sniff communications received by the data communications device and identify, from communications between a first endpoint device and traversing the data communications device destined for a second endpoint device, a security usage indicator indicative of an intended secure session to be established between the first and second endpoints; and
an authorizer coupled to the observer having secure authorization logic operable to analyze the security usage indicator to compute, by operation of one or more computer processors, a secure usage result indicative of whether or not to allow the intended secure session, wherein the authorizer is configured to map one or more attributes of an intended key, determined by analyzing the identified security usage indicator, to a respective one or more entries within a data store and to apply one or more rules corresponding to the one or more entries within the data store to compute the secure usage result, wherein each of the one or more rules is associated with a respective priority value indicating a relative priority of the rule with respect to the other rules; and
an enforcer operable to enforce the secure usage result at the data communications device by selectively allowing and prohibiting establishment of the intended secure session for secure communications between the first and second endpoint devices, comprising at least one of (i) disallowing communications, (ii) allowing secure communications pending further key usage authorization results, (iii) logging communications, and (iv) allowing secure communications.
25. A method of key usage enforcement comprising:
packet sniffing, at a key enforcement device, communications from a first endpoint device and traversing the key enforcement device destined for a second endpoint device to identify a request to initiate secure communications between the first and second endpoint devices;
interrogating the request to determine a security usage indicator indicative of an intended secure session to be established between the first and second endpoint devices;
identifying, from the security usage indicator, an intended key to be employed in establishing the secure communications;
computing a secure usage result indicative of whether to allow the intended secure session to be established, comprising:
mapping one or more attributes of the intended key to a respective one or more entries within a data store; and
applying one or more rules corresponding to the one or more entries within the data store to compute the secure usage result, wherein each of the one or more rules is associated with a respective priority value indicating a relative priority of the rule with respect to the other rules;
enforcing the computed secure usage result by selectively allowing and prohibiting establishment of the intended secure session for secure communications between the first and second endpoint devices, comprising at least one of (i) disallowing communications, (ii) allowing secure communications pending further key usage authorization results, (iii) logging communications, and (iv) allowing secure communications.
26. A computer program product including a computer readable medium for encoding program logic thereon, the computer readable medium having computer program code for managing secure communications comprising:
computer program code for packet sniffing, at a data communications device, one or more network packets from a first endpoint device and traversing the data communications device en route to a second endpoint device, to identify (i) a request to initiate secure communications between the first and second endpoint devices and (ii) a security usage indicator indicative of an intended secure session to be established between the first and second endpoint devices;
computer program code to analyze the identified security usage indicator to determine an intended key to be used in establishing the secure communications;
computer program code for computing a secure usage result indicative of whether or not to allow the intended secure session to be established, comprising mapping one or more attributes of the intended key to a respective one or more entries within a data store, and applying one or more rules corresponding to the one or more entries within the data store to compute the secure usage result, wherein each of the one or more rules is associated with a respective priority value indicating a relative priority of the rule with respect to the other rules; and
computer program code for enforcing the secure usage result by selectively allowing and prohibiting establishment of the intended secure session for secure communications between the first and second endpoint devices, comprising at least one of (i) disallowing communications, (ii) allowing secure communications pending further key usage authorization results, (iii) logging communications, and (iv) allowing secure communications.
27. A data communications device for managing secure communications comprising:
means for identifying, by packet sniffing one or more network packets from a first endpoint device and traversing the data communications device en route to a second endpoint device, (i) a request to initiate secure communications between the first endpoint device and a second endpoint device, and (ii) a security usage indicator indicative of an intended secure session to be established employed for the secure communications between the first and second endpoint devices;
means for analyzing the identified security usage indicator to determine an intended key to be used in establishing the secure communications;
means for computing a security usage result indicative of whether to allow the intended secure session to be established, comprising:
means for mapping one or more attributes of the intended key to a respective one or more entries within a data store; and
means for applying one or more rules corresponding to the one or more entries within the data store to compute the secure usage result, wherein each of the one or more rules is associated with a respective priority value indicating a relative priority of the rule with respect to the other rules; and
means for enforcing the computed secure usage result by selectively allowing and prohibiting establishment of the intended secure session for secure communications between the first and second endpoint devices, comprising at least one of:
means for disallowing communications;
means for allowing secure communications pending further key usage authorization results;
means for logging communications; and
means for allowing secure communications.