System and method for innovative management of transport layer security session tickets in a network environment

US 9,680,869 B2
Filed: 04/17/2015
Issued: 06/13/2017
Est. Priority Date: 01/26/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

parsing a transport layer security (TLS) message to identify a session ticket that identifies a TLS session;

computing a hash value of a portion of the session ticket using a hashing algorithm;

incrementally computing a hash value of another portion of the session ticket when the TLS message is spread across more than one TLS protocol record;

repeating the incrementally computing and processing all portions of the session ticket;

assigning the incrementally computed hash value to a session token;

managing the TLS session using the session token by decrypting TLS traffic using the session token; and

detecting network attacks on the TLS session.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method includes identifying a transport layer security (TLS) session between a client and a server, parsing one or more TLS messages to identify a session ticket associated with the session, transforming the session ticket into a fixed size session token, and managing the session using the session token to identify the session. The transforming may include computing a hash value of the session ticket using a hashing algorithm. If any of the TLS messages is spread across more than one TLS protocol record, the method can include computing a hash value of a portion of the session ticket encountered in a TLS protocol record using a hashing algorithm, incrementally computing another hash value of another portion of the session ticket encountered in a subsequent TLS protocol record from the previously computed hash value, and repeating the incremental computing until portions of the session ticket have been processed.

126 Citations

20 Claims

1. A method, comprising:
- parsing a transport layer security (TLS) message to identify a session ticket that identifies a TLS session;
  
  computing a hash value of a portion of the session ticket using a hashing algorithm;
  
  incrementally computing a hash value of another portion of the session ticket when the TLS message is spread across more than one TLS protocol record;
  
  repeating the incrementally computing and processing all portions of the session ticket;
  
  assigning the incrementally computed hash value to a session token;
  
  managing the TLS session using the session token by decrypting TLS traffic using the session token; and
  
  detecting network attacks on the TLS session.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the session ticket accords with the Request for Comments 5077 standard.
  - 3. The method of claim 1, wherein the parsing includes identifying the session ticket from a ClientHello message, a ServerHello message, or a NewSessionTicket message.
  - 4. The method of claim 1, further comprising:
    - appending a single bit to an end of the session ticket, followed by at least one opposite bit, to bring a length of the session ticket up to 64 bits fewer than a multiple of 512 bits; and
      
      appending to the end of the session ticket a 64-bit little endian integer representing the length of the session ticket in bits.
  - 5. The method of claim 1, wherein a size of the session token ranges from 32 bytes to 64 bytes.
  - 6. The method of claim 1, wherein the more than one TLS protocol record contains information to manage an application of a message authentication code (MAC) to outgoing messages and to verify incoming messages using the MAC.

7. An apparatus, comprising:
- a memory element that stores instructions; and
  
  a processor configured to execute the instructions to parse a transport layer security (TLS) message to identify a session ticket that identifies a TLS session, to compute a hash value of a portion of the session ticket using a hashing algorithm, to perform an incremental computation of a hash value of another portion of the session ticket when the TLS message is spread across more than one TLS protocol record, to repeat the incremental computation and to process all portions of the session ticket, to assign the incrementally computed hash value to a session token, to manage the TLS session using the session token by decrypting TLS traffic using the session token, and to detect network attacks on the TLS session.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The apparatus of claim 7, wherein the session ticket accords with the Request for Comments 5077 standard.
  - 9. The apparatus of claim 7, wherein the processor is configured to parse the TLS message by identifying the session ticket from a ClientHello message, a ServerHello message, or a NewSessionTicket message.
  - 10. The apparatus of claim 7, wherein the processor is further configured to append a single bit to an end of the session ticket, followed by at least one opposite bit, to bring a length of the session ticket up to 64 bits fewer than a multiple of 512 bits, and to append to the end of the session ticket a 64-bit little endian integer representing the length of the session ticket in bits.
  - 11. The apparatus of claim 7, wherein a size of the session token ranges from 32 bytes to 64 bytes.
  - 12. The apparatus of claim 7, wherein the processor is configured to manage the TLS session by performing at least one activity selected from a group consisting of:
    - distributing the session token to one or more processing cores in a multi-core system;
      
      matching information in the session token with information contained in a session ticket table comprising information related to a state of a network flow; and
      
      inspecting the TLS traffic for a string that matches an attack signature.
  - 13. The apparatus of claim 7, wherein the more than one TLS protocol record contains information to manage an application of a message authentication code (MAC) to outgoing messages and to verify incoming messages using the MAC.

14. Logic, encoded in non-transitory media, that includes code for execution and, when executed by a processor, is operable to perform operations comprising:
- parsing a transport layer security (TLS) message to identify a session ticket that identifies a TLS session;
  
  computing a hash value of a portion of the session ticket using a hashing algorithm;
  
  incrementally computing a hash value of another portion of the session ticket when the TLS message is spread across more than one TLS protocol record;
  
  repeating the incrementally computing and processing all portions of the session ticket;
  
  assigning the incrementally computed hash value to a session token; and
  
  managing the TLS session using the session token by decrypting TLS traffic using the session token; and
  
  detecting network attacks on the TLS session.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The logic of claim 14, wherein the session ticket accords with the Request for Comments 5077 standard.
  - 16. The logic of claim 14, wherein the parsing includes identifying the session ticket from a ClientHello message, a ServerHello message, or a NewSessionTicket message.
  - 17. The logic of claim 14, the operations further comprising:
    - appending a single bit to an end of the session ticket, followed by at least one opposite bit, to bring a length of the session ticket up to 64 bits fewer than a multiple of 512 bits; and
      
      appending to the end of the session ticket a 64-bit little endian integer representing the length of the session ticket in bits.
  - 18. The logic of claim 14, wherein a size of the session token ranges from 32 bytes to 64 bytes.
  - 19. The logic of claim 14, wherein the managing comprises at least one activity selected from a group consisting of:
    - distributing the session token to one or more processing cores in a multi-core system;
      
      matching information in the session token with information contained in a session ticket table comprising information related to a state of a network flow; and
      
      inspecting the TLS traffic for a string that matches an attack signature.
  - 20. The logic of claim 14, wherein the more than one TLS protocol record contains information to manage an application of a message authentication code (MAC) to outgoing messages and to verify incoming messages using the MAC.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Buruganahalli, Shivakumar, Vissamsetty, Venu
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
GIDDINS, NELSON S

Application Number

US14/689,479
Publication Number

US 20160014152A1
Time in Patent Office

788 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/606   by securing the transmissio...

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/1408   by monitoring network traff...

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/146   Markers for unambiguous ide...

H04L 9/3242   involving keyed hash functi...

H04L 9/50   using hash chains, e.g. blo...

System and method for innovative management of transport layer security session tickets in a network environment

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for innovative management of transport layer security session tickets in a network environment

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links