EXTRACTING DATA FROM ENCRYPTED PACKET FLOWS

US 20180262487A1
Filed: 03/13/2017
Published: 09/13/2018
Est. Priority Date: 03/13/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

detecting a data packet that belongs to an encrypted data flow traversing a network;

determining whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake;

forwarding the data packet to a first server pool that will truncate the data packet, when the encrypted data flow is an existing encrypted data flow; and

forwarding the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, when the encrypted data flow is a new encrypted data flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one example, the present disclosure describes a device, computer-readable medium, and method for extracting data from encrypted packet flows. For instance, in one example, a method includes detecting a data packet that belongs to an encrypted data flow traversing a network, determining whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake, forwarding the data packet to a first server pool that will truncate the data packet, when the encrypted data flow is an existing encrypted data flow, and forwarding the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, when the encrypted data flow is a new encrypted data flow.

Citations

20 Claims

1. A method, comprising:
- detecting a data packet that belongs to an encrypted data flow traversing a network;
  
  determining whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake;
  
  forwarding the data packet to a first server pool that will truncate the data packet, when the encrypted data flow is an existing encrypted data flow; and
  
  forwarding the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, when the encrypted data flow is a new encrypted data flow.
- View Dependent Claims (2, 3, 4, 5, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the detecting comprises:
    - scanning a header of the data packet for a value that indicates that the data packet belongs to the encrypted data flow.
  - 3. The method of claim 2, wherein the value comprises a port number in a port number field of the header, and the port number indicates a port used for communications using secure sockets layer protocol.
  - 4. The method of claim 3, wherein the port number is 443.
  - 5. The method of claim 1, wherein the data packet is a replica of an original data packet.
  - 7. The device of claim 1, wherein the detecting comprises:
    - scanning a header of the data packet for a value that indicates that the data packet belongs to the encrypted data flow.
  - 8. The device of claim 7, wherein the value comprises a port number in a port number field of the header, and the port number indicates a port used for communications using secure sockets layer protocol.
  - 9. The device of claim 8, wherein the port number is 443.
  - 10. The device of claim 1, wherein the data packet is a replica of an original data packet.

6. A device, comprising:
- a processor; and
  
  a computer-readable medium storing instructions which, when executed by the processor, cause the processor to perform operations comprising;
  
  detecting a data packet that belongs to an encrypted data flow traversing a network;
  
  determining whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake;
  
  forwarding the data packet to a first server pool that will truncate the data packet, when the encrypted data flow is an existing encrypted data flow; and
  
  forwarding the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, when the encrypted data flow is a new encrypted data flow.

11. A method, comprising:
- inspecting payloads of data packets belonging to a new encrypted data flow for a secure sockets layer certificate, wherein evidence of a transport control protocol handshake has been previously detected in the new encrypted data flow;
  
  detecting the secure sockets layer certificate in a payload of one of the data packets; and
  
  extracting the secure sockets layer certificate from the payload of the one of the data packets.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the evidence of a transport control protocol handshake is detected by a first device that forwards the data packets to a device performing the inspecting, the detecting, and the extracting.
  - 13. The method of claim 11, further comprising:
    - ignoring future data packets of the new encrypted data flow subsequent to the detecting.
  - 14. The method of claim 11, further comprising:
    - extracting information from the secure sockets layer certificate.
  - 15. The method of claim 14, wherein the information includes an identity of a holder of the secure sockets layer certificate.
  - 16. The method of claim 14, wherein the information includes a serial number of the secure sockets layer certificate.
  - 17. The method of claim 14, wherein the information includes an expiration date of the secure sockets layer certificate.
  - 18. The method of claim 14, wherein the information includes a copy of a public key belonging to a holder of the secure sockets layer certificate.
  - 19. The method of claim 14, wherein the information includes a digital signature of an authority who issued the secure sockets layer certificate.
  - 20. The method of claim 11, further comprising:
    - forwarding the secure sockets layer certificate to a device for extraction of information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
ZAIFMAN, ARTHUR L., Mocenigo, John M.

Granted Patent

US 10,594,664 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/1408   by monitoring network traff...

H04L 63/166   at the transport layer

H04L 63/30   for supporting lawful inter...

EXTRACTING DATA FROM ENCRYPTED PACKET FLOWS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EXTRACTING DATA FROM ENCRYPTED PACKET FLOWS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links