Secure communication secret sharing

US 9,621,523 B2
Filed: 05/09/2016
Issued: 04/11/2017
Est. Priority Date: 04/24/2015
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring communication over a network with a network monitoring device (NMD) that performs actions, comprising:

providing correlation information for one or more network packets that are employed to establish a secure communication session; and

providing a session key and other correlation information that corresponds to the secure communication session;

providing one or more network connection flows that correspond to the secure communication session based on a match of the secure communication session'"'"'s other correlation information with other correlation information provided by one or more key providers;

decrypting the one or more network packets in the one or more network connection flows communicated over the secure communication session; and

providing a display to a user of analysis of the secure communication session.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to sharing secure communication secrets with a network monitoring device (NMD). The NMD may passively monitor network packets communicated between client computers and server computers. If a secure communication session is established between a client computer and a server computer, a key provider may provide the NMD a session key that corresponds to the secure communication session. The NMD may buffer each network packet associated with the secure communication session until the NMD is provided a session key for the secure communication session. The NMD may use the session key to decrypt network packets communicated between the client computer and the server computer. The NMD may then proceed to analyze the secure communication session based on the contents of the decrypted network packets.

132 Citations

30 Claims

1. A method for monitoring communication over a network with a network monitoring device (NMD) that performs actions, comprising:
- providing correlation information for one or more network packets that are employed to establish a secure communication session; and
  
  providing a session key and other correlation information that corresponds to the secure communication session;
  
  providing one or more network connection flows that correspond to the secure communication session based on a match of the secure communication session'"'"'s other correlation information with other correlation information provided by one or more key providers;
  
  decrypting the one or more network packets in the one or more network connection flows communicated over the secure communication session; and
  
  providing a display to a user of analysis of the secure communication session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method claim 1, further comprising:
    - determining the correlation information from the one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
      
      determining each network connection flow that corresponds to the secure communication session based on a match of the secure communication session'"'"'s other correlation information with the key provider'"'"'s other correlation information.
  - 3. The method of claim 1, further comprising providing the session key over a separate secure communication session.
  - 4. The method of claim 1, wherein the monitoring of the communication over the network with the NMD is one of passive monitoring, non-passive monitoring or a combination of passive monitoring and non-passive monitoring.
  - 5. The method of claim 1, further comprising:
    - providing a value that represents an amount of the one or more network packets in the one or more network connection flows over the secure communication session before the session key is provided; and
      
      when a next block of the one or more network packets in the one or more network connection flows is identified as communicated over the secure communication session based on the amount, employing the value to decrypt and analyze the one or more network packets.
  - 6. The method of claim 1, further comprising:
    - providing a digest from a hash of one or more visible fields in the one or more network packets communicated over the secure communication session; and
      
      employing the digest to provide the correlation information.
  - 7. The method of claim 1, further comprising multiple types of correlation information that are compatible with one or more key providers of the session key.
  - 8. The method of claim 1, further comprising a table associated with the secure communication session that is stored in the NMD, wherein the table lists one or more entries associated with each of the one or more network connection flows for the secure communication session, wherein the one or more entries include an identifier, a session key, correlation information, or separate additional information.

9. A system for monitoring communication over a network, comprising:
- a network monitoring device (NMD), comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  a processor device that executes instructions that perform actions, including;
  
  passively monitoring a plurality of network packets that are communicated between one or more client computers and one or more server computers;
  
  providing one or more network connection flows that correspond to the secure communication session based on a match of the secure communication session'"'"'s other correlation information with other correlation information provided by one or more key providers;
  
  decrypting the one or more network packets in the one or more network connection flows communicated over the secure communication session; and
  
  providing a display to a user of analysis of the secure communication session; and
  
  the client computer, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  a processor device that executes instructions that perform actions, including;
  
  communicating the one or more network packets to the server computer.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further comprising:
    - determining the correlation information from the one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
      
      determining each network connection flow that corresponds to the secure communication session based on a match of the secure communication session'"'"'s other correlation information with the key provider'"'"'s other correlation information.
  - 11. The system of claim 9, further comprising providing the session key over a separate secure communication session.
  - 12. The system of claim 9, wherein the monitoring of the communication over the network with the NMD is one of passive monitoring, non-passive monitoring or a combination of passive monitoring and non-passive monitoring.
  - 13. The system of claim 9, further comprising:
    - providing a value that represents an amount of the one or more network packets in the one or more network connection flows over the secure communication session before the session key is provided; and
      
      when a next block of the one or more network packets in the one or more network connection flows is identified as communicated over the secure communication session based on the amount, employing the value to decrypt and analyze the one or more network packets.
  - 14. The system of claim 9, further comprising:
    - providing a digest from a hash of one or more visible fields in the one or more network packets communicated over the secure communication session; and
      
      employing the digest to provide the correlation information.
  - 15. The system of claim 9, further comprising multiple types of correlation information that are compatible with one or more key providers of the session key.
  - 16. The system of claim 9, further comprising a table associated with the secure communication session that is stored in the NMD, wherein the table lists one or more entries associated with each of one or more network connection flows for the secure communication session, wherein the one or more entries include an identifier, a session key, correlation information, or separate additional information.

17. A processor readable non-transitory storage media that includes instructions for monitoring communication over a network, wherein execution of the instructions by a network monitoring device (NMD) having one or more processors performs actions, comprising:
- providing correlation information for one or more network packets that are employed to establish a secure communication session; and
  
  providing a session key and other correlation information that corresponds to the secure communication session;
  
  providing one or more network connection flows that correspond to the secure communication session based on a match of the secure communication session'"'"'s other correlation information with other correlation information provided by one or more key providers;
  
  decrypting the one or more network packets in the one or more network connection flows communicated over the secure communication session; and
  
  providing a display to a user of analysis of the secure communication session.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The media claim 17, further comprising:
    - determining the correlation information from the one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
      
      determining each network connection flow that corresponds to the secure communication session based on a match of the secure communication session'"'"'s other correlation information with the key provider'"'"'s other correlation information.
  - 19. The media of claim 17, further comprising providing the session key over a separate secure communication session.
  - 20. The media of claim 17, wherein the monitoring of the communication over the network with the NMD is one of passive monitoring, non-passive monitoring or a combination of passive monitoring and non-passive monitoring.
  - 21. The media of claim 17, further comprising:
    - providing a value that represents an amount of the one or more network packets in the one or more network connection flows over the secure communication session before the session key is provided; and
      
      when a next block of the one or more network packets in the one or more network connection flows is identified as communicated over the secure communication session based on the amount, employing the value to decrypt and analyze the one or more network packets.
  - 22. The media of claim 17, further comprising:
    - providing a digest from a hash of one or more visible fields in the one or more network packets communicated over the secure communication session; and
      
      employing the digest to provide the correlation information.
  - 23. The media of claim 17, further comprising multiple types of correlation information that are compatible with one or more key providers of the session key.
  - 24. The media of claim 17, further comprising a table associated with the secure communication session that is stored in the NMD, wherein the table lists one or more entries associated with each of one or more network connection flows for the secure communication session, wherein the one or more entries include an identifier, a session key, correlation information, or separate additional information.

25. A network computer for monitoring communication over a network, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  a processor device that executes instructions that perform actions, including;
  
  passively monitoring a plurality of network packets that are communicated between one or more client computers and one or more server computers;
  
  providing correlation information for one or more network packets that are employed to establish a secure communication session; and
  
  providing a session key and other correlation information that corresponds to the secure communication session;
  
  providing one or more network connection flows that correspond to the secure communication session based on a match of the secure communication session'"'"'s other correlation information with other correlation information provided by one or more key providers;
  
  decrypting the one or more network packets in the one or more network connection flows communicated over the secure communication session; and
  
  providing a display to a user of analysis of the secure communication session.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The network computer of claim 25, further comprising:
    - determining the correlation information from the one or more network packets that are associated with one or more handshake messages used to establish the secure communication session; and
      
      determining each network connection flow that corresponds to the secure communication session based on a match of the secure communication session'"'"'s other correlation information with the key provider'"'"'s other correlation information.
  - 27. The network computer of claim 25, wherein the monitoring of the communication over the network with the NMD is one of passive monitoring, non-passive monitoring or a combination of passive monitoring and non-passive monitoring.
  - 28. The network computer of claim 25, further comprising:
    - providing a value that represents an amount of the one or more network packets in the one or more network connection flows over the secure communication session before the session key is provided; and
      
      when a next block of the one or more network packets in the one or more network connection flows is identified as communicated over the secure communication session based on the amount, employing the value to decrypt and analyze the one or more network packets.
  - 29. The network computer of claim 25, further comprising:
    - providing a digest from a hash of one or more visible fields in the one or more network packets communicated over the secure communication session; and
      
      employing the digest to provide the correlation information.
  - 30. The network computer of claim 25, further comprising multiple types of correlation information that are compatible with one or more key providers of the session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Rothstein, Jesse Abraham, Higgins, Benjamin Thomas, Hatch, Brian David
Primary Examiner(s)
POWERS, WILLIAM S

Application Number

US15/150,354
Publication Number

US 20160315916A1
Time in Patent Office

337 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/166   at the transport layer

H04L 67/01   Protocols

Secure communication secret sharing

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communication secret sharing

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links