Inline secret sharing

US 9,967,292 B1
Filed: 10/25/2017
Issued: 05/08/2018
Est. Priority Date: 10/25/2017
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring communication over a network between one or more computers, with one or more network monitoring computers (NMCs) that perform actions, comprising:

monitoring a plurality of network packets that are communicated between the one or more computers;

employing the one or more NMCs to identify a secure communication session established between two of the one or more computers based on an exchange of handshake information that is associated with the secure communication session, wherein the one or more NMCs are inline with the secure communication session;

obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information is encrypted by the key provider;

employing the one or more NMCs to decrypt the key information;

employing the one or more NMCs to derive the session key based on the decrypted key information and the handshake information;

employing the one or more NMCs to decrypt one or more network packets that are included in the secure communication session; and

employing the one or more NMCs to inspect the one or more decrypted network packets to execute one or more rule-based policies.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.

151 Citations

30 Claims

1. A method for monitoring communication over a network between one or more computers, with one or more network monitoring computers (NMCs) that perform actions, comprising:
- monitoring a plurality of network packets that are communicated between the one or more computers;
  
  employing the one or more NMCs to identify a secure communication session established between two of the one or more computers based on an exchange of handshake information that is associated with the secure communication session, wherein the one or more NMCs are inline with the secure communication session;
  
  obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information is encrypted by the key provider;
  
  employing the one or more NMCs to decrypt the key information;
  
  employing the one or more NMCs to derive the session key based on the decrypted key information and the handshake information;
  
  employing the one or more NMCs to decrypt one or more network packets that are included in the secure communication session; and
  
  employing the one or more NMCs to inspect the one or more decrypted network packets to execute one or more rule-based policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - providing correlation information associated with the secure communication session, wherein the correlation information includes one or more of tuple information associated with the secure communication session, some or all of the handshake information, or one or more other network characteristics associated with the secure communication session; and
      
      storing the key information and the correlation information in a data store, wherein the stored key information is indexed based on the correlation information.
  - 3. The method of claim 1, wherein the key provider is a secret sharing engine executing on one or more of the one or more computers or a network hardware security module.
  - 4. The method of claim 1, wherein obtaining the key information, further comprises, deriving the key information from one or more network packets that provide one or more of the handshake information or the secure communication session.
  - 5. The method of claim 1, further comprising:
    - employing the one or more NMCs to internally modify the one or more network packets; and
      
      employing the one or more NMCs to forward the modified one or more network packets to their next destination.
  - 6. The method of claim 1, wherein decrypting the one or more network packets included in the secure communication session, further comprises:
    - obtaining keys or related key material from a server or a client that is part of the secure communication session, wherein the obtained keys or related key material are associated with one or more of one or more resources or one or more applications associated with the secure communication session; and
      
      initiating one or more traffic management policies based on the obtained keys or related key material.
  - 7. The method of claim 1, further comprising, employing the one or more NMCs to selectively decrypt one or more network flows associated with the secure communication session based on one or more characteristics of one or more other network flows.
  - 8. The method of claim 1, further comprising, employing the one or more NMCs to selectively decrypt the one or more network packets based on characteristics of the selected one or more network flows.

9. A system for monitoring communication over a network between one or more computers comprising:
- one or more network monitoring computers (NMCs), comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  monitoring a plurality of network packets that are communicated between the one or more computers;
  
  employing the one or more NMCs to identify a secure communication session established between two of the one or more computers based on an exchange of handshake information that is associated with the secure communication session, wherein the one or more NMCs are inline with the secure communication session;
  
  obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information is encrypted by the key provider;
  
  employing the one or more NMCs to decrypt the key information;
  
  employing the one or more NMCs to derive the session key based on the decrypted key information and the handshake information;
  
  employing the one or more NMCs to decrypt one or more network packets that are included in the secure communication session; and
  
  employing the one or more NMCs to inspect the one or more decrypted network packets to execute one or more rule-based policies; and
  
  the one or more computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more of the plurality of network packets.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further comprising:
    - providing correlation information associated with the secure communication session, wherein the correlation information includes one or more of tuple information associated with the secure communication session, some or all of the handshake information, or one or more other network characteristics associated with the secure communication session; and
      
      storing the key information and the correlation information in a data store, wherein the stored key information is indexed based on the correlation information.
  - 11. The system of claim 9, wherein the key provider is a secret sharing engine executing on one or more of the one or more computers or a network hardware security module.
  - 12. The system of claim 9, wherein obtaining the key information, further comprises, deriving the key information from one or more network packets that provide one or more of the handshake information or the secure communication session.
  - 13. The system of claim 9, further comprising:
    - employing the one or more NMCs to internally modify the one or more network packets; and
      
      employing the one or more NMCs to forward the modified one or more network packets to their next destination.
  - 14. The system of claim 9, wherein decrypting the one or more network packets included in the secure communication session, further comprises:
    - obtaining keys or related key material from a server or client that is part of the secure communication session, wherein the obtained keys or related key material are associated with one or more of one or more resources or one or more applications associated with the secure communication session; and
      
      initiating one or more traffic management policies based on the obtained keys or related key material.
  - 15. The system of claim 9, further comprising, employing the one or more NMCs to selectively decrypt one or more network flows associated with the secure communication session based on one or more characteristics of one or more other network flows.
  - 16. The system of claim 9, further comprising, employing the one or more NMCs to selectively decrypt the one or more network packets based on characteristics of the selected one or more network flows.

17. A processor readable non-transitory storage media that includes instructions for monitoring communication over a network between one or more computers, wherein execution of the instructions by one or more processors on one or more network monitoring computers (NMCs) performs actions, comprising:
- monitoring a plurality of network packets that are communicated between the one or more computers;
  
  employing the one or more NMCs to identify a secure communication session established between two of the one or more computers based on an exchange of handshake information that is associated with the secure communication session, wherein the one or more NMCs are inline with the secure communication session;
  
  obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information is encrypted by the key provider;
  
  employing the one or more NMCs to decrypt the key information;
  
  employing the one or more NMCs to derive the session key based on the decrypted key information and the handshake information;
  
  employing the one or more NMCs to decrypt one or more network packets that are included in the secure communication session; and
  
  employing the one or more NMCs to inspect the one or more decrypted network packets to execute one or more rule-based policies.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The media of claim 17, further comprising:
    - providing correlation information associated with the secure communication session, wherein the correlation information includes one or more of tuple information associated with the secure communication session, some or all of the handshake information, or one or more other network characteristics associated with the secure communication session; and
      
      storing the key information and the correlation information in a data store, wherein the stored key information is indexed based on the correlation information.
  - 19. The media of claim 17, wherein the key provider is a secret sharing engine executing on one or more of the one or more computers or a network hardware security module.
  - 20. The media of claim 17, wherein obtaining the key information, further comprises, deriving the key information from one or more network packets that provide one or more of the handshake information or the secure communication session.
  - 21. The media of claim 17, further comprising:
    - employing the one or more NMCs to internally modify the one or more network packets; and
      
      employing the one or more NMCs to forward the modified one or more network packets to their next destination.
  - 22. The media of claim 17, wherein decrypting the one or more network packets included in the secure communication session, further comprises:
    - obtaining keys or related key material from a server or a client that is part of the secure communication session, wherein the obtained keys or related key material are associated with one or more of one or more resources or one or more applications associated with the secure communication session; and
      
      initiating one or more traffic management policies based on the obtained keys or related key material.
  - 23. The media of claim 17, further comprising, employing the one or more NMCs to selectively decrypt one or more network flows associated with the secure communication session based on one or more characteristics of one or more other network flows.

24. A network monitoring computer (NMC) for monitoring communication over a network between one or more computers, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  monitoring a plurality of network packets that are communicated between the one or more computers;
  
  employing the one or more NMCs to identify a secure communication session established between two of the one or more computers based on an exchange of handshake information that is associated with the secure communication session, wherein the one or more NMCs are inline with the secure communication session;
  
  obtaining key information that corresponds to the secure communication session from a key provider, wherein the key information is encrypted by the key provider;
  
  employing the one or more NMCs to decrypt the key information;
  
  employing the one or more NMCs to derive the session key based on the decrypted key information and the handshake information;
  
  employing the one or more NMCs to decrypt one or more network packets that are included in the secure communication session; and
  
  employing the one or more NMCs to inspect the one or more decrypted network packets to execute one or more rule-based policies.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The network computer of claim 24, further comprising:
    - providing correlation information associated with the secure communication session, wherein the correlation information includes one or more of tuple information associated with the secure communication session, some or all of the handshake information, or one or more other network characteristics associated with the secure communication session; and
      
      storing the key information and the correlation information in a data store, wherein the stored key information is indexed based on the correlation information.
  - 26. The network computer of claim 24, wherein the key provider is a secret sharing engine executing on one or more of the one or more computers or a network hardware security module.
  - 27. The network computer of claim 24, wherein obtaining the key information, further comprises, deriving the key information from one or more network packets that provide one or more of the handshake information or the secure communication session.
  - 28. The network computer of claim 24, further comprising:
    - employing the one or more NMCs to internally modify the one or more network packets; and
      
      employing the one or more NMCs to forward the modified one or more network packets to their next destination.
  - 29. The network computer of claim 24, wherein decrypting the one or more network packets included in the secure communication session, further comprises:
    - obtaining keys or related key material from a server or client that is part of the secure communication session, wherein the obtained keys or related key material are associated with one or more of one or more resources or one or more applications associated with the secure communication session; and
      
      initiating one or more traffic management policies based on the obtained keys or related key material.
  - 30. The network computer of claim 24, further comprising, employing the one or more NMCs to selectively decrypt one or more network flows associated with the secure communication session based on one or more characteristics of one or more other network flows.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Higgins, Benjamin Thomas, Rothstein, Jesse Abraham
Primary Examiner(s)
Boutah, Alina A

Application Number

US15/793,880
Time in Patent Office

195 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/606   by securing the transmissio...

H04L 43/026   using flow identification

H04L 43/062   related to network traffic

H04L 43/12   Network monitoring probes

H04L 63/0218   Distributed architectures, ...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 63/30   for supporting lawful inter...

Inline secret sharing

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

151 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Inline secret sharing

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links