Nondestructive interception of secure data in transit
Abstract
In a data level security environment, the data level security mechanism operates on plaintext data. Data level security operations identify a point in the information stream where plaintext data is available for interception. Typically this is a point in the processing stream just after the native DBMS decryption functionality has been invoked. A database monitor intercepts and scrutinizes data in transit between an application and a database by identifying a transition point between the encrypted and plaintext data where the cryptographic operations are invoked, and transfers control of the data in transit to a database monitor application subsequent to the availability of the data in plaintext form.
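The mechanism the abstract and claims 1 and 10 describe is an in-process hook: the agent finds where the database access process hands control to the decryption routine, installs its own interception sequence at that point, lets the real routine run, hands a copy of the plaintext to the monitor, and returns the original result untouched. The following C program is an added illustration and is not code from the patent or from any product it covers. It assumes the access process reaches decryption through a function-pointer dispatch table (standing in for an import table, GOT/PLT slot or crypto-provider vtable), and the "cipher" is a repeating-key XOR stand-in constructed only so the example runs offline; the queries, key and the "DROP TABLE" policy are likewise constructed. The point it adds beyond the text is the nondestructive check: the plaintext and return code seen by the access process are byte-for-byte identical with and without the hook.

```c
/* Added example (not the patent's code): dispatch-table hook around a DBMS
 * decrypt routine, forwarding plaintext to a monitor without altering it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- constructed stand-in for the native DBMS cryptographic operation --- */
/* Repeating-key XOR is NOT a real cipher; it only lets the example run offline. */
static const uint8_t session_key[] = {0x5a, 0xc3, 0x19, 0x77};

static int dbms_decrypt(const uint8_t *ct, size_t len, uint8_t *pt) {
    for (size_t i = 0; i < len; i++) pt[i] = ct[i] ^ session_key[i % sizeof session_key];
    return (int)len;                       /* bytes of plaintext produced */
}

/* The access process reaches decryption through a dispatch table (assumed here;
 * stands in for an import table or provider vtable). The indirect call through
 * this slot is the "transfer of processing control" the claims talk about. */
typedef int (*decrypt_fn)(const uint8_t *, size_t, uint8_t *);
static struct { decrypt_fn decrypt; } crypto_ops = { dbms_decrypt };

/* --- database monitor: receives a copy of the plaintext for analysis --- */
#define MON_MAX 8
static char mon_log[MON_MAX][128];
static int  mon_count = 0;
static int  mon_flagged = 0;

static void monitor_analyze(const uint8_t *pt, size_t len) {
    if (mon_count >= MON_MAX) return;
    size_t n = len < sizeof mon_log[0] - 1 ? len : sizeof mon_log[0] - 1;
    memcpy(mon_log[mon_count], pt, n);     /* monitor works on its own copy */
    mon_log[mon_count][n] = '\0';
    /* constructed policy: flag destructive DDL seen in the decrypted stream */
    if (strstr(mon_log[mon_count], "DROP TABLE")) mon_flagged++;
    mon_count++;
}

/* --- interception sequence installed in place of the original transfer --- */
static decrypt_fn original_decrypt;        /* saved so control can be returned */

static int intercept_decrypt(const uint8_t *ct, size_t len, uint8_t *pt) {
    int rc = original_decrypt(ct, len, pt);    /* the real operation still runs */
    if (rc > 0) monitor_analyze(pt, (size_t)rc);   /* pt itself is never modified */
    return rc;                                 /* return value passed through as-is */
}

void install_hook(void) {
    if (crypto_ops.decrypt == intercept_decrypt) return;   /* idempotent */
    original_decrypt = crypto_ops.decrypt;
    crypto_ops.decrypt = intercept_decrypt;
}

void remove_hook(void) {
    if (crypto_ops.decrypt == intercept_decrypt) crypto_ops.decrypt = original_decrypt;
}

/* --- the database access process: endpoint of the encrypted stream --- */
static int access_process_receive(const uint8_t *ct, size_t len, uint8_t *pt) {
    return crypto_ops.decrypt(ct, len, pt);
}

/* Constructs sample wire data by "encrypting" a query with the stand-in cipher. */
static size_t make_ciphertext(const char *query, uint8_t *out) {
    size_t len = strlen(query);
    for (size_t i = 0; i < len; i++) out[i] = (uint8_t)query[i] ^ session_key[i % sizeof session_key];
    return len;
}

/* Runs one query through the process without and then with the hook and returns
 * 1 only if interception was nondestructive: same rc, same plaintext bytes, and
 * the plaintext equals the original query. */
int run_nondestructive_check(const char *query) {
    uint8_t ct[128], pt_plain[128], pt_hooked[128];
    size_t len = make_ciphertext(query, ct);

    remove_hook();
    int rc_plain = access_process_receive(ct, len, pt_plain);
    install_hook();
    int rc_hooked = access_process_receive(ct, len, pt_hooked);

    return rc_plain == rc_hooked && memcmp(pt_plain, pt_hooked, len) == 0
        && memcmp(pt_hooked, query, len) == 0;
}

int monitor_records(void) { return mon_count; }
int monitor_flagged(void) { return mon_flagged; }
const char *monitor_record(int i) { return mon_log[i]; }

int main(void) {
    const char *queries[] = { "SELECT name FROM users WHERE id = 7", "DROP TABLE audit_log" };
    for (int i = 0; i < 2; i++)
        printf("%s -> nondestructive=%d\n", queries[i], run_nondestructive_check(queries[i]));
    printf("monitor saw %d statements, flagged %d\n", monitor_records(), monitor_flagged());
    return 0;
}
```

The hook must be the last thing that touches the slot before control returns: if the monitor's analysis can fail, it fails on its own copy, and the return path to the access process does not depend on it. Real deployments also have to save the original slot value before overwriting it so the hook can be removed cleanly, which is why `install_hook` refuses to run twice.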
Claims (29)
1. A computer-implemented method of intercepting encrypted data in transit comprising:
- locating a database access process in a host computer system, the database access process operable as an endpoint of an encrypted sequence of data in transit and including at least decryption of the encrypted sequence;
- identifying, in the database access process, a transition of encrypted to decrypted data indicated by a transfer of processing control of the host computer system to a cryptographic operation, the cryptographic operation operable to generate decrypted data from the encrypted sequence of data;
- replacing the transfer of processing control of the host computer system to the cryptographic operation with an interception to extract the decrypted data;
- intercepting the decrypted data for analysis by a database monitor; and
- returning processing control of the host computer system from the interception to the database access process along with unhindered decrypted data returned from the cryptographic operation.
Dependent claims: 2 to 9.
10. A system for monitoring secure data in transit in a database environment comprising:
- a host computer system including at least one processor configured for:
- identifying a transition of encrypted to decrypted data indicated by a transfer of control of the host computer system in a processing sequence to a cryptographic operation;
- determining an appropriate interception sequence operable to receive plaintext data returned from the cryptographic operation;
- replacing the identified transfer of control of the host computer system with the determined interception sequence, the interception sequence operable to forward plaintext data from the cryptographic operation to a database monitor application; and
- returning the transfer of control of the host computer system and the plaintext data in an unmodified form to the processing sequence.
Dependent claims: 11.
12. A computer-implemented method for defining database security comprising:
- identifying a stream of encrypted data in transit from a client to a host;
- determining a transition from encrypted data to decrypted data within the host, the transition indicated by an invocation of a cryptographic operation by the host to generate decrypted data from the encrypted data;
- determining an interception point following the determined transition in the host; and
- selecting, based on the cryptographic invocation, a manner of accessing the decrypted data in the host at the determined interception point.
Dependent claims: 13 to 16.
17. A database security monitor for intercepting encrypted data in transit comprising:
- a host computer system including a database monitor agent operable to locate a database access control point in the host computer system, the database access control point operable as an endpoint of an encrypted sequence of data in transit, the database monitor agent configured to identify, based on the database access control point, a transition of encrypted to decrypted data indicated by a transfer of processing control of the host computer system to a cryptographic operation, the cryptographic operation operable to generate decrypted data from the encrypted sequence of data, the database monitor agent further operable to:
- replace the transfer of processing control of the host computer system to the cryptographic operation with an interception to extract the decrypted data;
- intercept the decrypted data for analysis by a database monitor; and
- return processing control of the host computer system from the interception to a database access process of the host computer system along with unhindered decrypted data returned from the cryptographic operation.
Dependent claims: 18 to 24.
25. A computer program product having a computer readable memory device operable to store computer program logic embodied in computer program code encoded thereon for defining database security for encrypted data in transit comprising:
- computer program code for identifying a stream of encrypted data in transit from a client to a host;
- computer program code for determining a transition from encrypted data to decrypted data within the host, the transition indicated by invocation of a cryptographic operation by the host to generate decrypted data from the encrypted data;
- computer program code for determining an interception point following the determined transition in the host; and
- computer program code for selecting, based on the cryptographic invocation, a manner of accessing the decrypted data at the determined interception point, further including:
  - computer program code for identifying availability of plaintext data in a processing sequence of data in transit to a database;
  - computer program code for locating a control point from which control is obtainable;
  - computer program code for inserting a control branch to direct the plaintext data to a database monitor, the database monitor operable to intercept the plaintext data, including computer program code for examining an executable image to identify machine instructions operable to branch to the cryptographic operation, and overwrite the identified machine instructions with machine instructions to call a function for communicating the decrypted data to the database monitor; and
  - computer program code for allowing control to resume in the processing sequence unhindered from the control point following interception of the plaintext data.
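Claim 25 spells out the lowest-level form of the interception: examine the executable image for the machine instructions that branch to the cryptographic operation and overwrite them with a branch to the monitor's function. The C program below is an added example, not the patent's code or any product's; it works on a constructed x86-64 code image that is never executed. The encoding it relies on is real (a near `CALL rel32` is opcode `E8` followed by a 32-bit displacement measured from the end of the 5-byte instruction), but the addresses (`0x401000` image base, `0x401500` decrypt routine, `0x402000` interception thunk) and the instruction bytes are assumptions made up for the example. It goes slightly beyond the claim text by showing the two checks a patcher needs: the displacement to the new target must fit in 32 bits, and only calls whose computed target is the cryptographic routine are rewritten, so a stray `E8` byte inside other data or an unrelated call is left alone.

```c
/* Added example (not the patent's code): find CALL rel32 sites that target the
 * decrypt routine in a code image and redirect them to an interception thunk.
 * The image is a constructed byte buffer; nothing here executes it. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CALL_REL32 0xE8   /* x86-64 near call, 5 bytes: E8 + imm32 */
#define CALL_LEN   5

static int32_t read_le32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
static void write_le32(uint8_t *p, int32_t v) {
    uint32_t u = (uint32_t)v;
    p[0] = u & 0xff; p[1] = (u >> 8) & 0xff; p[2] = (u >> 16) & 0xff; p[3] = (u >> 24) & 0xff;
}

/* rel32 is relative to the address of the NEXT instruction (site + 5). */
uint64_t call_target(uint64_t site, const uint8_t *insn) {
    return site + CALL_LEN + (uint64_t)(int64_t)read_le32(insn + 1);
}

/* Scan `img` (assumed mapped at `base`) and redirect every CALL whose target is
 * `old_target` to `new_target`. Returns the number of sites patched, or -1 if a
 * displacement would not fit in rel32 (nothing is written in that case).
 * This is a linear byte scan, so the target check is what rejects false
 * positives; a production agent would walk real instruction boundaries. */
int redirect_calls(uint8_t *img, size_t len, uint64_t base,
                   uint64_t old_target, uint64_t new_target) {
    int patched = 0;
    for (size_t off = 0; off + CALL_LEN <= len; ) {
        if (img[off] == CALL_REL32 && call_target(base + off, img + off) == old_target) {
            int64_t disp = (int64_t)(new_target - (base + off + CALL_LEN));
            if (disp < INT32_MIN || disp > INT32_MAX) return -1;
            write_le32(img + off + 1, (int32_t)disp);
            patched++;
            off += CALL_LEN;
        } else {
            off++;
        }
    }
    return patched;
}

/* Constructed sample image at base 0x401000 (assumed layout, not real DBMS code):
 *   401000  48 89 c7          mov  rdi, rax
 *   401003  e8 f8 04 00 00    call 0x401500   (decrypt)
 *   401008  85 c0             test eax, eax
 *   40100a  e8 f1 05 00 00    call 0x401600   (unrelated helper, must stay)
 *   40100f  e8 ec 04 00 00    call 0x401500   (decrypt again)
 *   401014  c3                ret                                          */
size_t build_sample_image(uint8_t *out) {
    static const uint8_t bytes[] = {
        0x48, 0x89, 0xc7,
        0xe8, 0xf8, 0x04, 0x00, 0x00,
        0x85, 0xc0,
        0xe8, 0xf1, 0x05, 0x00, 0x00,
        0xe8, 0xec, 0x04, 0x00, 0x00,
        0xc3 };
    memcpy(out, bytes, sizeof bytes);
    return sizeof bytes;
}

/* Builds the sample image into `img` and redirects its decrypt calls. */
int redirect_sample(uint8_t *img, uint64_t new_target) {
    size_t len = build_sample_image(img);
    return redirect_calls(img, len, 0x401000ULL, 0x401500ULL, new_target);
}

int main(void) {
    uint8_t img[32];
    int n = redirect_sample(img, 0x402000ULL);
    printf("patched %d call sites\n", n);
    printf("site 0x401003 now targets 0x%llx\n",
           (unsigned long long)call_target(0x401003ULL, img + 3));
    printf("site 0x40100a still targets 0x%llx\n",
           (unsigned long long)call_target(0x40100aULL, img + 10));
    return 0;
}
```

On a live process the same rewrite has to be done against writable-but-normally-executable pages, so the agent has to change page protection around the write (for example with mprotect on Linux), and the 5-byte overwrite should be applied in a way other threads cannot observe half-written, since a thread mid-way through that instruction would branch to garbage. The thunk at the new target is what performs the forward-to-monitor and then continues to the original routine, so control still reaches the cryptographic operation and returns to the caller unhindered.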
26. A computer-implemented method of intercepting encrypted data in transit comprising:
- identifying in a host computer system a transition from encrypted to decrypted data indicated by an invocation of a cryptographic operation in the host computer system, the invocation performing a transfer of processing control of the host computer system to the cryptographic operation operable to generate decrypted data from the encrypted data in transit, identifying the invocation further comprising:
  - identifying a cryptographic service responsive to an application receiving the encrypted data in transit; and
  - identifying a manner of accessing the cryptographic service from the application;
- replacing the transfer of processing control of the host computer system to the cryptographic operation with an interception to extract the decrypted data;
- intercepting the decrypted data for analysis by a database monitor; and
- returning processing control of the host computer system from the interception to a database access process along with undisturbed decrypted data returned from the cryptographic operation.
Dependent claims: 27 to 29.
Specification