Security enforcement point inspection of encrypted data in an encrypted end-to end communications path

US 9,021,250 B2
Filed: 04/22/2007
Issued: 04/28/2015
Est. Priority Date: 04/22/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method for security enforcement point inspection of encrypted data in a secure, end-to-end communications path, the method comprising:

identifying a security enforcement point defined between endpoints;

establishing a persistent secure session between the identified enforcement point and a key server holding a security association (SA) for an end-to-end secure communications path between the endpoints, such that a separate end-to-end secure communication path exists between the key server and the identified security enforcement point from the end-to-end secure communications path that exists between the endpoints;

receiving, at the identified security enforcement point, the SA for the end-to-end secure communications path between the endpoints over the persistent secure session;

installing, at the identified security enforcement point, the SA upon receiving the SA;

decrypting, at the identified security enforcement point, an encrypted payload for the end-to-end secure communications path between the endpoints using session key data in the SA; and

performing, at the identified security enforcement point, a security function on the decrypted payload without requiring knowledge of the endpoints at the identified security enforcement point and also without the endpoints having knowledge of the identified security enforcement point.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention address deficiencies of the art in respect to security function processing of encrypted data in a security enforcement point and provide a method, system and computer program product for security enforcement point inspection of a traversing encrypted data in a secure, end-to-end communications path. In an embodiment of the invention, a method for security enforcement point inspection of encrypted data in a secure, end-to-end communications path can be provided. The method can include establishing a persistent secure session with a key server holding an SA for an end-to-end secure communications path between endpoints, receiving the SA for the end-to-end secure communications path over the persistent secure session, decrypting an encrypted payload for the end-to-end secure communications path using session key data in the SA, and performing a security function on the decrypted payload.

4 Citations

18 Claims

1. A method for security enforcement point inspection of encrypted data in a secure, end-to-end communications path, the method comprising:
- identifying a security enforcement point defined between endpoints;
  
  establishing a persistent secure session between the identified enforcement point and a key server holding a security association (SA) for an end-to-end secure communications path between the endpoints, such that a separate end-to-end secure communication path exists between the key server and the identified security enforcement point from the end-to-end secure communications path that exists between the endpoints;
  
  receiving, at the identified security enforcement point, the SA for the end-to-end secure communications path between the endpoints over the persistent secure session;
  
  installing, at the identified security enforcement point, the SA upon receiving the SA;
  
  decrypting, at the identified security enforcement point, an encrypted payload for the end-to-end secure communications path between the endpoints using session key data in the SA; and
  
  performing, at the identified security enforcement point, a security function on the decrypted payload without requiring knowledge of the endpoints at the identified security enforcement point and also without the endpoints having knowledge of the identified security enforcement point.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving an additional SA for a different end-to-end secure communications path for a different security enforcement point over the persistent secure session;
      
      decrypting an additional encrypted payload for the different end-to-end secure communications path for the different security enforcement point using session key data in the additional SA; and
      
      performing, by the different security enforcement point, a security function on the decrypted additional payload.
  - 3. The method of claim 1, whereinthe security function includes packet filtering on the decrypted payload.
  - 4. The method of claim 1, whereinthe security function includes intrusion detection on the decrypted payload.
  - 5. The method of claim 1, whereinthe security function includes load balancing on the decrypted payload.
  - 6. The method of claim 1, whereinthe security function includes quality of service (QoS) management on the decrypted payload.
  - 7. The method of claim 1, whereinestablishing the persistent secure session between the identified enforcement point and the key server holding the SA comprises establishing a transport layer security (TLS) session with the key server and the identified security enforcement point.
  - 8. The method of claim 1, further comprisingwithholding a session authentication key associated with the SA so that cleartext in the decrypted payload provided to the identified security enforcement point is read-only.

9. A network data processing system configured for security enforcement point inspection of encrypted data in a secure, end-to-end communications path, the system comprising:
- two Internet security (Ipsec) endpointscoupled to one another over a computer communications network andconfigured to establish an end-to-end secure communications path defined between the IPsec endpoints andin association with a security association (SA) for the end-to-end secure communications path;
  
  at least one security enforcement point disposed intermediately to the IPsec endpoints configured to receive a security association (SA) for the end-to-end secure communications path defined between the IPsec endpoints, to install the SA upon receiving the SA, to decrypt an encrypted payload using session key data in the SA, to perform a security function on the decrypted payload without requiring knowledge of the IPsec endpoints at the security enforcement point and also without the IPsec endpoints having knowledge of the security enforcement point; and
  
  ,a key server configured for communicative linkage with the security enforcement point and at least one of the IPsec endpoints, the key server comprising program code enabledto identify a security enforcement pointto establish a secure session with the identified security enforcement point, such that a separate end-to-end secure communication path exists between the key server and the identified security enforcement point from the end-to-end secure communications path that exists between the IPsec endpoints andto provide the SA to the identified security enforcement point for use in decrypting an encrypted payload traversing the security enforcement point in the end-to-end secure communications path between the IPsec endpoints.
- View Dependent Claims (10)
- - 10. The system of claim 9, wherein the secure session is a transport layer security (TLS) session.

11. A computer program product comprising a computer usable storage medium having stored therein computer usable program code for security enforcement point inspection of encrypted data in a secure, end-to-end communications path, the computer usable program code which when executed by a security enforcement point hardware system, causing the security enforcement point hardware system to performidentifying a security enforcement point defined between endpoints;
- establishing a persistent secure session between the identified enforcement point and a key server holding a security association (SA) for an end-to-end secure communications path between the endpoints, such that a separate end-to-end secure communication path exists between the key server and the identified security enforcement point from the end-to-end secure communications path that exists between the endpoints;
  
  receiving, at the identified security enforcement point, the SA for the end-to-end secure communications path between the endpoints over the persistent secure session;
  
  installing, at the identified security enforcement point, the SA upon receiving the SA;
  
  decrypting, at the identified security enforcement point, an encrypted payload for the end-to-end secure communications path between the endpoints using session key data in the SA; and
  
  performing, at the identified security enforcement point, a security function on the decrypted payload without requiring knowledge of the endpoints at the identified security enforcement point and also without the endpoints having knowledge of the identified security enforcement point.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computer program product of claim 11, wherein the security enforcement point hardware system is further caused to perform:
    - receiving an additional SA for a different end-to-end secure communications path for a different security enforcement point over the persistent secure session;
      
      decrypting an additional encrypted payload for the different end-to-end secure communications path for the different security enforcement point using session key data in the additional SA; and
      
      ,performing, by the different security enforcement, a security function on the decrypted additional payload.
  - 13. The computer program product of claim 11, whereinthe security function includes packet filtering on the decrypted payload.
  - 14. The computer program product of claim 11, whereinthe security function includes intrusion detection on the decrypted payload.
  - 15. The computer program product of claim 11, whereinthe security function includes load balancing on the decrypted payload.
  - 16. The computer program product of claim 11, whereinthe security function includes quality of service (QoS) management on the decrypted payload.
  - 17. The computer program product of claim 11, whereinestablishing the persistent secure session between the identified enforcement point and the key server holding the SA comprises establishing a transport layer security (TLS) session with the key server and the identified security enforcement point.
  - 18. The computer program product of claim 11, wherein the security enforcement point hardware system is further caused to perform:
    - withholding a session authentication key associated with the SA so that cleartext in the decrypted payload provided to the identified security enforcement point is read-only.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Overby, Linwood H. Jr.
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US11/738,500
Publication Number

US 20080263356A1
Time in Patent Office

2,928 Days
Field of Search

726/11, 726/12, 726/13, 726/15, 726/22, 726/23, 713/153, 713/154
US Class Current

713/153
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/168   above the transport layer

H04L 63/30   for supporting lawful inter...

H04L 63/306   intercepting packet switche...

Security enforcement point inspection of encrypted data in an encrypted end-to end communications path

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

4 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Security enforcement point inspection of encrypted data in an encrypted end-to end communications path

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links