Secure communication secret sharing

US 9,338,147 B1
Filed: 04/24/2015
Issued: 05/10/2016
Est. Priority Date: 04/24/2015
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring communication over a network with a network monitoring device (NMD) that performs actions, comprising:

passively monitoring a plurality of network packets that are communicated between one or more client computers and one or more server computers;

obtaining correlation information regarding a secure communication session, wherein the correlation information is determined from one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and

when the secure communication session is established between a client computer and a server computer, perform further actions, including;

obtaining a session key and other correlation information that corresponds to the secure communication session, wherein the session key and other correlation information is provided by a key provider;

determining a network connection flow that corresponds to the secure communication session based on a match of the other correlation information with other correlation information provided by the key provider;

decrypting one or more network packets in the network connection flow that are communicated between the client computer and the server computer over the secure communication session; and

providing analysis of the secure communication session based on the contents of the one or more decrypted network packets.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to sharing secure communication secrets with a network monitoring device (NMD). The NMD may passively monitor network packets communicated between client computers and server computers. If a secure communication session is established between a client computer and a server computer, a key provider may provide the NMD a session key that corresponds to the secure communication session. The NMD may buffer each network packet associated with the secure communication session until the NMD is provided a session key for the secure communication session. The NMD may use the session key to decrypt network packets communicated between the client computer and the server computer. The NMD may then proceed to analyze the secure communication session based on the contents of the decrypted network packets.

Citations

26 Claims

1. A method for monitoring communication over a network with a network monitoring device (NMD) that performs actions, comprising:
- passively monitoring a plurality of network packets that are communicated between one or more client computers and one or more server computers;
  
  obtaining correlation information regarding a secure communication session, wherein the correlation information is determined from one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
  
  when the secure communication session is established between a client computer and a server computer, perform further actions, including;
  
  obtaining a session key and other correlation information that corresponds to the secure communication session, wherein the session key and other correlation information is provided by a key provider;
  
  determining a network connection flow that corresponds to the secure communication session based on a match of the other correlation information with other correlation information provided by the key provider;
  
  decrypting one or more network packets in the network connection flow that are communicated between the client computer and the server computer over the secure communication session; and
  
  providing analysis of the secure communication session based on the contents of the one or more decrypted network packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising, buffering each network packet that is associated with the secure communication session until the NMD is provided the session key that corresponds to the secure communication session.
  - 3. The method of claim 1, wherein the key provider, is at least one of the client computer, the server computer, a proxy, a session key broker, or a network hardware security module.
  - 4. The method of claim 1, wherein the correlation information comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL/TLS) session identifier, one or more network information tuples, one or more client random values, one or more server random values, transmission control protocol (TCP) sequence numbers, SSL/TLS Session Ticket, SSL/TLS random values from ClientHello, SSL/TLS random values from ServerHello, SSL/TLS ClientKeyExchange, SSL/TLS ServerKeyExchange, or one or more values derived from the one or more network packets.
  - 5. The method of claim 1, wherein obtaining the session key, further comprises, communicating a request from the NMD to the key provider to provide the session key.
  - 6. The method of claim 1, wherein obtaining the session key, further comprises, receiving a communication from the key provider that includes at least the session key.
  - 7. The method of claim 1, further comprising, communicating at least the session key to one or more other NMDs, wherein the one or more NMDs decrypt the one or more network packets that are associated with the secure communication session.

8. A system for monitoring communication over a network, comprising:
- a network monitoring device (NMD), comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  a processor device that executes instructions that perform actions, includingpassively monitoring a plurality of network packets that are communicated between one or more client computers and one or more server computers;
  
  obtaining correlation information regarding a secure communication session, wherein the correlation information is determined from one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
  
  when the secure communication session is established between a client computer and a server computer, perform further actions, including;
  
  obtaining a session key and other correlation information that corresponds to the secure communication session, wherein the session key and other correlation information is provided by a key provider;
  
  determining a network connection flow that corresponds to the secure communication session based on a match of the other correlation information with other correlation information provided by the key provider;
  
  decrypting one or more network packets in the network connection flow that are communicated between the client computer and the server computer over the secure communication session; and
  
  providing analysis of the secure communication session based on the contents of the one or more decrypted network packets; and
  
  the client computer, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  a processor device that executes instructions that perform actions, including;
  
  communicating the one or more network packets to the server computer.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the NMD processor device executes instructions that perform actions, further comprising, buffering each network packet that is associated with the secure communication session until the NMD is provided the session key that corresponds to the secure communication session.
  - 10. The system of claim 8, wherein the key provider, is at least one of the client computer, the server computer, a proxy, a session key broker, or a network hardware security module.
  - 11. The system of claim 8, wherein the correlation information comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL/TLS) session identifier, one or more network information tuples, one or more client random values, one or more server random values, transmission control protocol (TCP) sequence numbers, SSL/TLS Session Ticket, SSL/TLS random values from ClientHello, SSL/TLS random values from ServerHello, SSL/TLS ClientKeyExchange, SSL/TLS ServerKeyExchange, or one or more values derived from the one or more network packets.
  - 12. The system of claim 8, wherein obtaining the session key, further comprises, communicating a request from the NMD to the key provider to provide the session key.
  - 13. The system of claim 8, wherein obtaining the session key, further comprises, receiving a communication from the key provider that includes at least the session key.
  - 14. The system of claim 8, wherein the NMD processor device executes instructions that perform actions, further comprising, communicating at least the session key to one or more other NMDs, wherein the one or more NMDs decrypt the one or more network packets that are associated with the secure communication session.

15. A processor readable non-transitory storage media that includes instructions for monitoring communication over a network, wherein execution of the instructions by a processor device performs actions, comprising:
- passively monitoring a plurality of network packets that are communicated between one or more client computers and one or more server computers;
  
  obtaining correlation information regarding a secure communication session, wherein the correlation information is determined from one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
  
  when the secure communication session is established between a client computer and a server computer, perform further actions, including;
  
  obtaining a session key and other correlation information that corresponds to the secure communication session, wherein the session key and other correlation information is provided by a key provider;
  
  determining a network connection flow that corresponds to the secure communication session based on a match of the other correlation information with other correlation information provided by the key provider;
  
  decrypting one or more network packets in the network connection flow that are communicated between the client computer and the server computer over the secure communication session; and
  
  providing analysis of the secure communication session based on the contents of the one or more decrypted network packets.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The media of claim 15, further comprising, buffering each network packet that is associated with the secure communication session until the NMD is provided the session key that corresponds to the secure communication session.
  - 17. The media of claim 15, wherein the key provider, is at least one of the client computer, the server computer, a proxy, a session key broker, or a network hardware security module.
  - 18. The media of claim 15, wherein the correlation information comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL/TLS) session identifier, one or more network information tuples, one or more client random values, one or more server random values, transmission control protocol (TCP) sequence numbers, SSL/TLS Session Ticket, SSL/TLS random values from ClientHello, SSL/TLS random values from ServerHello, SSL/TLS ClientKeyExchange, SSL/TLS ServerKeyExchange, or one or more values derived from the one or more network packets.
  - 19. The media of claim 15, wherein obtaining the session key, further comprises, communicating a request from the NMD to the key provider to provide the session key.
  - 20. The media of claim 15, wherein obtaining the session key, further comprises, receiving a communication from the key provider that includes at least the session key.

21. A network computer for monitoring communication over a network, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  a processor device that executes instructions that perform actions, including;
  
  passively monitoring a plurality of network packets that are communicated between one or more client computers and one or more server computers;
  
  obtaining correlation information regarding a secure communication session, wherein the correlation information is determined from one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
  
  when the secure communication session is established between a client computer and a server computer, perform further actions, including;
  
  obtaining a session key and other correlation information that corresponds to the secure communication session, wherein the session key and other correlation information is provided by a key provider;
  
  determining a network connection flow that corresponds to the secure communication session based on a match of the other correlation information with other correlation information provided by the key provider;
  
  decrypting one or more network packets in the network connection flow that are communicated between the client computer and the server computer over the secure communication session; and
  
  providing analysis of the secure communication session based on the contents of the one or more decrypted network packets.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The network computer of claim 21, wherein the processor device executes instructions that perform actions, further comprising, buffering each network packet that is associated with the secure communication session until the NMD is provided the session key that corresponds to the secure communication session.
  - 23. The network computer of claim 21, wherein the key provider, is at least one of the client computer, the server computer, a proxy, a session key broker, or a network hardware security module.
  - 24. The network computer of claim 21, wherein the correlation information comprises, one or more of, an encrypted pre-master secret, Diffie-Hellman public information, a secure socket layer (SSL/TLS) session identifier, one or more network information tuples, one or more client random values, one or more server random values, transmission control protocol (TCP) sequence numbers, SSL/TLS Session Ticket, SSL/TLS random values from ClientHello, SSL/TLS random values from ServerHello, SSL/TLS ClientKeyExchange, SSL/TLS ServerKeyExchange, or one or more values derived from the one or more network packets.
  - 25. The network computer of claim 21, wherein obtaining the session key, further comprises, communicating a request from the NMD to the key provider to provide the session key.
  - 26. The network computer of claim 21, wherein the processor device executes instructions that perform actions, further comprising, communicating at least the session key to one or more other NMDs, wherein the one or more NMDs decrypt the one or more network packets that are associated with the secure communication session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Higgins, Benjamin Thomas, Hatch, Brian David, Rothstein, Jesse Abraham
Primary Examiner(s)
Abrishamkar, Kaveh
Assistant Examiner(s)
Wilcox, James J

Application Number

US14/695,690
Time in Patent Office

382 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/166   at the transport layer

H04L 67/01   Protocols

Secure communication secret sharing

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communication secret sharing

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links