Network security using encrypted subfields

US 9,288,186 B2
Filed: 06/04/2013
Issued: 03/15/2016
Est. Priority Date: 06/04/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving from a secure device at a first network device, an encrypted rule encrypted with a key at the secure device;

storing the encrypted rule at the first network device, wherein content of the rule is hidden from the first network device;

receiving at the first network device, a packet containing at least one encrypted subfield from a second network device, said subfield encrypted based on the key received at the second network device from the secure device; and

processing the packet, wherein processing comprises using the encrypted rule to inspect the packet and determine if said encrypted subfield in the packet matches said encrypted rule received from the secure device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method includes receiving from a secure device, an encrypted rule at a first network device, receiving at the first network device, a packet containing at least one encrypted subfield from a second network device, the subfield encrypted based on a key received at the second network device from the secure device, and determining if the encrypted subfield matches the encrypted rule. An apparatus and logic are also disclosed herein.

Citations

20 Claims

1. A method comprising:
- receiving from a secure device at a first network device, an encrypted rule encrypted with a key at the secure device;
  
  storing the encrypted rule at the first network device, wherein content of the rule is hidden from the first network device;
  
  receiving at the first network device, a packet containing at least one encrypted subfield from a second network device, said subfield encrypted based on the key received at the second network device from the secure device; and
  
  processing the packet, wherein processing comprises using the encrypted rule to inspect the packet and determine if said encrypted subfield in the packet matches said encrypted rule received from the secure device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the first network device comprises an intrusion protection or detection system.
  - 3. The method of claim 1 wherein the first network device comprises a firewall.
  - 4. The method of claim 1 further comprising forwarding the packet if said encrypted subfield matches said encrypted rule and filtering the packet if said encrypted subfield does not match said encrypted rule.
  - 5. The method of claim 4 wherein forwarding the packet comprises forwarding the packet to a third network device configured to decrypt the packet based on the key received from the secure device, and forward the decrypted packet.
  - 6. The method of claim 4 wherein filtering comprises dropping, marking, redirecting, or modifying the packet.
  - 7. The method of claim 1 wherein determining comprises inspecting the packet and further comprising transmitting inspection results.
  - 8. The method of claim 7 wherein said inspection results are transmitted to a third network device configured to forward an unencrypted packet received from the second network device.
  - 9. The method of claim 1 further comprising receiving an unencrypted packet from the second network device and forwarding the unencrypted packet if said encrypted subfield matches said encrypted rule.

10. An apparatus comprising:
- a processor for receiving from a secure device, an encrypted rule at a first network device, the rule encrypted with a key at the secure device, storing said encrypted rule, wherein content of the rule is hidden at the apparatus, processing a packet containing at least one encrypted subfield from a second network device, said subfield encrypted based on a key received at the second network device from the secure device, and determining if said encrypted subfield matches said encrypted rule; and
  
  memory for storing said encrypted rule.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10 wherein the apparatus comprises an intrusion protection or detection system.
  - 12. The apparatus of claim 10 wherein the apparatus comprises a firewall.
  - 13. The apparatus of claim 10 wherein the processor is further configured to forward the packet if said encrypted subfield matches said encrypted rule and filter the packet if said encrypted subfield does not match said encrypted rule.
  - 14. The apparatus of claim 13 wherein the processor is configured to transmit the packet to a third device configured to decrypt the packet based on the key received from the secure device and forward the decrypted packet.
  - 15. The apparatus of claim 10 wherein determining comprises inspecting the packet and wherein the processor is configured to transmit inspection results.
  - 16. The apparatus of claim 15 wherein the processor is configured to transmit said inspection results to a third network device configured to forward an unencrypted packet received from the second network device.
  - 17. The apparatus of claim 10 wherein the processor is further configured to forward an unencrypted packet received from the second network device if said encrypted subfield matches said encrypted rule.
  - 18. The apparatus of claim 10 wherein the apparatus further comprises the second network device.

19. Logic encoded on one or more non-transitory computer readable media for execution and when executed configured to:
- store an encrypted rule received from a secure device at a first network device, said encrypted rule encrypted with a key at the secure device;
  
  store the encrypted rule at the first network device, wherein content of the rule is hidden from the first network device;
  
  inspect a packet received from a second network device and containing at least one encrypted subfield, said subfield encrypted based on a key received at the second network device from the secure device; and
  
  process the packet to determine if said encrypted subfield matches said encrypted rule received from the secure device.
- View Dependent Claims (20)
- - 20. The logic of claim 19 further configured to transmit the packet, if said encrypted subfield matches said encrypted rule, to a third network device configured to decrypt the packet based on the key received from the secure device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
McGrew, David
Primary Examiner(s)
Smithers, Matthew

Application Number

US13/909,735
Publication Number

US 20140359277A1
Time in Patent Office

1,015 Days
Field of Search

713/154, 726/11, 726/23
US Class Current

1/1
CPC Class Codes

H04L 63/0245 Filtering by information in...

Network security using encrypted subfields

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network security using encrypted subfields

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links