Secure communication secret sharing
Abstract
Embodiments are directed to sharing secure communication secrets with a network monitoring device (NMD). The NMD may passively monitor network packets communicated between client computers and server computers. If a secure communication session is established between a client computer and a server computer, a key provider may provide the NMD a session key that corresponds to the secure communication session. The NMD may buffer each network packet associated with the secure communication session until the NMD is provided a session key for the secure communication session. The NMD may use the session key to decrypt network packets communicated between the client computer and the server computer. The NMD may then proceed to analyze the secure communication session based on the contents of the decrypted network packets.
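The buffer-until-key flow the abstract describes, as an added example that is not the patent's own implementation: the NMD takes the 32-byte client random from the ClientHello as its correlation information, buffers records for that flow, and decrypts them only once a key-provider message carrying the same random arrives. The record cipher (an HMAC counter-mode keystream) and the nonce-prefixed record layout are stand-ins constructed for this example, not TLS's real record protection.

```python
import hmac

def client_random(record: bytes) -> bytes:
    """32-byte random from a TLS ClientHello record (5-byte record header,
    4-byte handshake header, 2-byte version): the NMD's correlation information."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    return record[11:43]

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in record cipher constructed for this example (HMAC-SHA256 in
    counter mode), not TLS's AEAD; a real NMD uses the negotiated suite."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def decrypt(key: bytes, record: bytes) -> bytes:
    # Assumed record layout for this example: 8-byte nonce || ciphertext.
    return keystream_xor(key, record[:8], record[8:])

class Monitor:
    """Passive NMD: flows indexed by client random; records buffered until the
    key provider delivers a session key carrying the same random."""

    def __init__(self):
        self.flows = {}  # client_random -> {"key": bytes | None, "pending": [...]}

    def on_handshake(self, record: bytes) -> bytes:
        r = client_random(record)
        self.flows[r] = {"key": None, "pending": []}
        return r

    def on_record(self, r: bytes, record: bytes):
        flow = self.flows[r]
        if flow["key"] is None:  # key not yet provided: buffer, do not drop
            flow["pending"].append(record)
            return None
        return decrypt(flow["key"], record)

    def on_key(self, r: bytes, key: bytes) -> list:
        """Key-provider message (random, key): match the flow, drain the buffer."""
        flow = self.flows.get(r)
        if flow is None:
            raise KeyError("no flow matches the correlation information")
        flow["key"] = key
        out = [decrypt(key, rec) for rec in flow["pending"]]
        flow["pending"].clear()
        return out
```

A key message whose random matches no observed handshake is rejected rather than applied to an arbitrary flow, which is the check that keeps correlation honest when several sessions are in flight.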
26 Claims
1. A method for monitoring communication over a network with a network monitoring device (NMD) that performs actions, comprising:
- passively monitoring a plurality of network packets that are communicated between one or more client computers and one or more server computers;
- obtaining correlation information regarding a secure communication session, wherein the correlation information is determined from one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
- when the secure communication session is established between a client computer and a server computer, performing further actions, including:
  - obtaining a session key and other correlation information that corresponds to the secure communication session, wherein the session key and other correlation information are provided by a key provider;
  - determining a network connection flow that corresponds to the secure communication session based on a match of the other correlation information with other correlation information provided by the key provider;
  - decrypting one or more network packets in the network connection flow that are communicated between the client computer and the server computer over the secure communication session; and
  - providing analysis of the secure communication session based on the contents of the one or more decrypted network packets.

(Dependent claims 2, 3, 4, 5, 6 and 7 are not reproduced on this page.)
8. A system for monitoring communication over a network, comprising:
- a network monitoring device (NMD), comprising:
  - a transceiver that communicates over the network;
  - a memory that stores at least instructions; and
  - a processor device that executes instructions that perform actions, including:
    - passively monitoring a plurality of network packets that are communicated between one or more client computers and one or more server computers;
    - obtaining correlation information regarding a secure communication session, wherein the correlation information is determined from one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
    - when the secure communication session is established between a client computer and a server computer, performing further actions, including:
      - obtaining a session key and other correlation information that corresponds to the secure communication session, wherein the session key and other correlation information are provided by a key provider;
      - determining a network connection flow that corresponds to the secure communication session based on a match of the other correlation information with other correlation information provided by the key provider;
      - decrypting one or more network packets in the network connection flow that are communicated between the client computer and the server computer over the secure communication session; and
      - providing analysis of the secure communication session based on the contents of the one or more decrypted network packets; and
- the client computer, comprising:
  - a transceiver that communicates over the network;
  - a memory that stores at least instructions; and
  - a processor device that executes instructions that perform actions, including:
    - communicating the one or more network packets to the server computer.

(Dependent claims 9, 10, 11, 12, 13 and 14 are not reproduced on this page.)
15. A processor-readable non-transitory storage medium that includes instructions for monitoring communication over a network, wherein execution of the instructions by a processor device performs actions, comprising:
- passively monitoring a plurality of network packets that are communicated between one or more client computers and one or more server computers;
- obtaining correlation information regarding a secure communication session, wherein the correlation information is determined from one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
- when the secure communication session is established between a client computer and a server computer, performing further actions, including:
  - obtaining a session key and other correlation information that corresponds to the secure communication session, wherein the session key and other correlation information are provided by a key provider;
  - determining a network connection flow that corresponds to the secure communication session based on a match of the other correlation information with other correlation information provided by the key provider;
  - decrypting one or more network packets in the network connection flow that are communicated between the client computer and the server computer over the secure communication session; and
  - providing analysis of the secure communication session based on the contents of the one or more decrypted network packets.

(Dependent claims 16, 17, 18, 19 and 20 are not reproduced on this page.)
21. A network computer for monitoring communication over a network, comprising:
- a transceiver that communicates over the network;
- a memory that stores at least instructions; and
- a processor device that executes instructions that perform actions, including:
  - passively monitoring a plurality of network packets that are communicated between one or more client computers and one or more server computers;
  - obtaining correlation information regarding a secure communication session, wherein the correlation information is determined from one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
  - when the secure communication session is established between a client computer and a server computer, performing further actions, including:
    - obtaining a session key and other correlation information that corresponds to the secure communication session, wherein the session key and other correlation information are provided by a key provider;
    - determining a network connection flow that corresponds to the secure communication session based on a match of the other correlation information with other correlation information provided by the key provider;
    - decrypting one or more network packets in the network connection flow that are communicated between the client computer and the server computer over the secure communication session; and
    - providing analysis of the secure communication session based on the contents of the one or more decrypted network packets.

(Dependent claims 22, 23, 24, 25 and 26 are not reproduced on this page.)
Specification