Security enforcement point inspection of encrypted data in an encrypted end-to-end communications path
First Claim
1. A method for security enforcement point inspection of encrypted data in a secure, end-to-end communications path, the method comprising:
identifying a security enforcement point defined between endpoints;
establishing a persistent secure session between the identified enforcement point and a key server holding a security association (SA) for an end-to-end secure communications path between the endpoints, such that a separate end-to-end secure communication path exists between the key server and the identified security enforcement point from the end-to-end secure communications path that exists between the endpoints;
receiving, at the identified security enforcement point, the SA for the end-to-end secure communications path between the endpoints over the persistent secure session;
installing, at the identified security enforcement point, the SA upon receiving the SA;
decrypting, at the identified security enforcement point, an encrypted payload for the end-to-end secure communications path between the endpoints using session key data in the SA; and
performing, at the identified security enforcement point, a security function on the decrypted payload without requiring knowledge of the endpoints at the identified security enforcement point and also without the endpoints having knowledge of the identified security enforcement point.
1 Assignment
0 Petitions
Abstract
Embodiments of the present invention address deficiencies of the art in respect to security function processing of encrypted data in a security enforcement point and provide a method, system and computer program product for security enforcement point inspection of a traversing encrypted data in a secure, end-to-end communications path. In an embodiment of the invention, a method for security enforcement point inspection of encrypted data in a secure, end-to-end communications path can be provided. The method can include establishing a persistent secure session with a key server holding an SA for an end-to-end secure communications path between endpoints, receiving the SA for the end-to-end secure communications path over the persistent secure session, decrypting an encrypted payload for the end-to-end secure communications path using session key data in the SA, and performing a security function on the decrypted payload.
4 Citations
18 Claims
1. As set out above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A network data processing system configured for security enforcement point inspection of encrypted data in a secure, end-to-end communications path, the system comprising:
two Internet security (IPsec) endpoints coupled to one another over a computer communications network and configured to establish an end-to-end secure communications path defined between the IPsec endpoints and in association with a security association (SA) for the end-to-end secure communications path;
at least one security enforcement point disposed intermediately to the IPsec endpoints configured to receive a security association (SA) for the end-to-end secure communications path defined between the IPsec endpoints, to install the SA upon receiving the SA, to decrypt an encrypted payload using session key data in the SA, to perform a security function on the decrypted payload without requiring knowledge of the IPsec endpoints at the security enforcement point and also without the IPsec endpoints having knowledge of the security enforcement point; and
a key server configured for communicative linkage with the security enforcement point and at least one of the IPsec endpoints, the key server comprising program code enabled to identify a security enforcement point, to establish a secure session with the identified security enforcement point, such that a separate end-to-end secure communication path exists between the key server and the identified security enforcement point from the end-to-end secure communications path that exists between the IPsec endpoints, and to provide the SA to the identified security enforcement point for use in decrypting an encrypted payload traversing the security enforcement point in the end-to-end secure communications path between the IPsec endpoints.
Dependent claim: 10.
11. A computer program product comprising a computer usable storage medium having stored therein computer usable program code for security enforcement point inspection of encrypted data in a secure, end-to-end communications path, the computer usable program code which when executed by a security enforcement point hardware system, causing the security enforcement point hardware system to perform:
identifying a security enforcement point defined between endpoints;
establishing a persistent secure session between the identified enforcement point and a key server holding a security association (SA) for an end-to-end secure communications path between the endpoints, such that a separate end-to-end secure communication path exists between the key server and the identified security enforcement point from the end-to-end secure communications path that exists between the endpoints;
receiving, at the identified security enforcement point, the SA for the end-to-end secure communications path between the endpoints over the persistent secure session;
installing, at the identified security enforcement point, the SA upon receiving the SA;
decrypting, at the identified security enforcement point, an encrypted payload for the end-to-end secure communications path between the endpoints using session key data in the SA; and
performing, at the identified security enforcement point, a security function on the decrypted payload without requiring knowledge of the endpoints at the identified security enforcement point and also without the endpoints having knowledge of the identified security enforcement point.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.
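The flow that claims 1, 9 and 11 describe, as an added runnable simulation; this is illustrative code written for this page, not code from the patent, its assignee or any IPsec implementation. Everything in it is an assumption: the ESP cipher is replaced by a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag so the example runs on the Python standard library alone; the persistent secure session to the key server is modelled as a pair of shared keys and a message counter (a real deployment would use IKE-negotiated SAs and a TLS or similar session); the class names, the "sa-push" nonce label, the SPI value and the one-entry signature list are all made up. What the simulation makes concrete is the security-relevant shape of the design: the enforcement point selects an SA by the SPI in the packet header alone and never learns who the endpoints are, the endpoints encrypt exactly as they would without an inspector, and a packet with an uninstalled SPI or a failed integrity check is never handed to the security function.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Constructed stand-in for ESP's cipher (HMAC-SHA256 counter-mode keystream plus
# an encrypt-then-MAC tag); it only makes the SA flow runnable and is not IPsec.
TAG_LEN = 16

def _keystream(key, nonce, length):
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def seal(enc_key, auth_key, nonce, plaintext):
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

def unseal(enc_key, auth_key, nonce, sealed):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

@dataclass(frozen=True)
class SecurityAssociation:
    spi: int        # Security Parameter Index, carried in the clear in each packet
    enc_key: bytes  # 32 bytes
    auth_key: bytes # 32 bytes

class Endpoint:
    # IPsec-style peer: holds the SA, knows nothing about any enforcement point.
    def __init__(self, sa):
        self.sa, self.seq = sa, 0
    def send(self, payload):
        self.seq += 1
        header = struct.pack(">II", self.sa.spi, self.seq)  # SPI + sequence number
        return header + seal(self.sa.enc_key, self.sa.auth_key, header, payload)
    def receive(self, packet):
        return unseal(self.sa.enc_key, self.sa.auth_key, packet[:8], packet[8:])

class KeyServer:
    # Holds the SAs; pushes one to an enforcement point over that point's own session.
    def __init__(self):
        self._sas, self._sessions = {}, {}   # spi -> SA ; ep_id -> [enc, auth, counter]
    def register_sa(self, sa):
        self._sas[sa.spi] = sa
    def open_session(self, ep_id):
        # Stands in for the persistent secure session of the claims (e.g. TLS).
        enc, auth = os.urandom(32), os.urandom(32)
        self._sessions[ep_id] = [enc, auth, 0]
        return enc, auth
    def distribute(self, ep_id, spi):
        sess = self._sessions[ep_id]
        sess[2] += 1                                     # fresh nonce per message
        nonce = b"sa-push" + struct.pack(">Q", sess[2])  # 15 bytes
        sa = self._sas[spi]
        body = struct.pack(">I", sa.spi) + sa.enc_key + sa.auth_key
        return nonce + seal(sess[0], sess[1], nonce, body)

class EnforcementPoint:
    # Intermediate inspector; the key server knows it only by ep_id.
    def __init__(self, ep_id, key_server, security_function):
        self.ep_id, self._ks, self._check = ep_id, key_server, security_function
        self._sess = key_server.open_session(ep_id)   # persistent session keys
        self._sad = {}                                 # installed SAs, by SPI
    def fetch_sa(self, spi):
        msg = self._ks.distribute(self.ep_id, spi)
        raw = unseal(self._sess[0], self._sess[1], msg[:15], msg[15:])
        sa = SecurityAssociation(struct.unpack(">I", raw[:4])[0], raw[4:36], raw[36:68])
        self._sad[sa.spi] = sa   # install on receipt
    def inspect(self, packet):
        spi = struct.unpack(">I", packet[:4])[0]   # SPI alone selects the SA
        sa = self._sad.get(spi)
        if sa is None:
            return "no-sa"                         # not inspectable; policy decides pass/drop
        try:
            payload = unseal(sa.enc_key, sa.auth_key, packet[:8], packet[8:])
        except ValueError:
            return "drop:integrity"                # tampered or wrong-key packet
        return "forward" if self._check(payload) else "drop:policy"

def demo():
    # Constructed deterministic SA keys and a constructed one-entry signature.
    sa = SecurityAssociation(0x1001, hashlib.sha256(b"constructed-enc").digest(),
                             hashlib.sha256(b"constructed-auth").digest())
    ks = KeyServer()
    ks.register_sa(sa)
    alice, bob = Endpoint(sa), Endpoint(sa)
    ep = EnforcementPoint("ep-1", ks, lambda p: b"DROP TABLE" not in p)
    benign = alice.send(b"GET /index.html HTTP/1.1")
    before = ep.inspect(benign)          # SA not installed yet
    ep.fetch_sa(0x1001)                  # SA arrives over the key-server session
    tampered = benign[:-1] + bytes([benign[-1] ^ 0x01])
    return {"before": before, "after": ep.inspect(benign),
            "hostile": ep.inspect(alice.send(b"q=1; DROP TABLE users")),
            "tampered": ep.inspect(tampered), "bob": bob.receive(benign)}
```

Running `demo()` shows the ordering the claims impose: inspection is impossible until the SA has been received and installed ("no-sa"), the same packet is then decrypted and forwarded, a payload matching the security function's rule is dropped, a packet whose tag fails is dropped before any content check, and the receiving endpoint still decrypts the original packet unchanged. The inspector holds a copy of the session keys, so in a real deployment the key-server session and the enforcement point's SA store carry the same trust as the endpoints' own key material and need the same protection.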