Dynamically managing, from a centralized service, valid cipher suites allowed for secured sessions

US10218686B2 · US · B2

Patent metadata

Publication number: US-10218686-B2
Application number: US-201615332234-A
Country: US
Kind code: B2
Filing date: Oct 24, 2016
Priority date: Oct 24, 2016
Publication date: Feb 26, 2019
Grant date: Feb 26, 2019

Abstract

At a centralized service in a hosted environment, a permission list is established of at least one cipher suite valid for secure connections across multiple network environments. Responsive to the centralized service receiving a request from a socket indicating the socket is negotiating a secure connection with another socket, the centralized service sends the permission list to the socket, wherein the socket negotiates for a mutual cipher suite specified in the permission list with the another socket. Responsive to the centralized service identifying that a particular cipher suite matching the mutual cipher suite used in an ongoing secure session for the socket is revoked, the centralized service notifies the socket that the mutual cipher suite is revoked.

First claim

What is claimed is:

1. A method, comprising: establishing, at a centralized service available in a hosted network, a permission list of at least one cipher suite valid for secure connections; responsive to receiving, at the centralized service, a request from a socket indicating the socket is negotiating a secure connection with another socket, sending the permission list to the socket, wherein the socket negotiates with the another socket for a mutual cipher suite from among the at least one cipher suite specified in the permission list; receiving, at the centralized service, from the socket, a session identifier specifying the socket and the mutual cipher suite for a new session established between the socket and the another socket; adding, by the centralized service, the session identifier specifying the socket and the mutual cipher suite to a current session log; in response to identifying a particular cipher suite is vulnerable, searching, by the centralized service, the current session log to determine if the particular cipher suite matches one or more previously stored mutual cipher suites; in response to the particular cipher suite matching one or more previously stored mutual cipher suites, generating, by the centralized service, an alert to send to each socket specified in each entry for the matching one or more previously stored cipher suites; and responsive to identifying that the particular cipher suite matching the mutual cipher suite used in an ongoing secure session for the socket is revoked, notifying, by the centralized service, the socket that the mutual cipher suite is revoked.

2. The method according to claim 1, further comprising: registering, by the centralized service, a subscriber comprising an SSL application for creating the socket, the centralized service comprising a plurality of subscribers comprising a plurality of separate secure socket layer applications, the centralized service accessible to the plurality of subscribers as a cloud service in the hosted network.

3. The method according to claim 2, further comprising: establishing, at the centralized service in the hosted network, the permission list available for distribution to the plurality of separate secure socket layer applications, the centralized service accessible in the hosted network that is separate from the plurality of separate secure socket layer applications infrastructure comprising one or more of a client, a server, a firewall, and a gateway.

4. The method according to claim 1, wherein responsive to receiving, at the centralized service, a request from a socket indicating the socket is negotiating a secure connection with another socket, sending the permission list to the socket, wherein the socket negotiates with the another socket for a mutual cipher suite from among the at least one cipher suite specified in the permission list further comprises: receiving, at the centralized service, the request from a service interface specified in a secure socket layer configuration for specifying the socket.

5. The method according to claim 1, wherein responsive to receiving, at the centralized service, a request from a socket indicating the socket is negotiating a secure connection with another socket, sending the permission list to the socket, wherein the socket negotiates with the another socket for a mutual cipher suite from among the at least one cipher suite specified in the permission list further comprises: receiving, at the centralized service, the request from a service interface of the socket via an ad hoc network connection between the service interface of the socket and the centralized service.

6. The method according to claim 1, wherein responsive to receiving, at the centralized service, a request from a socket indicating the socket is negotiating a secure connection with another socket, sending the permission list to the socket, wherein the socket negotiates with the another socket for a mutual cipher suite from among the at least one cipher suite specified in the permission list further comprises: receiving, at the centralized service, the request from a service interface of a gateway providing an interface for the socket to a network hosting the another socket.

7. The method according to claim 1, wherein responsive to receiving, at the centralized service, a request from a socket indicating the socket is negotiating a secure connection with another socket, sending the permission list to the socket, wherein the socket negotiates with the another socket for a mutual cipher suite from among the at least one cipher suite specified in the permission list further comprises: receiving, at the centralized service, the request from the socket indicating the socket is negotiating a secure connection with the another socket to establish a secure connection during a handshake phase of a secure socket layer protocol or transport layer secured protocol.

8. The method according to claim 1, further comprising: responsive to identifying that a particular cipher suite matching the mutual cipher suite used in an ongoing secure session for the socket is revoked, notifying an administrative interface for a network environment hosting the socket that the mutual cipher suite is revoked and one or more risks associated with the mutual cipher suite.

9. A computer system comprising: one or more processors, one or more computer-readable memories, one or more computer-readable storage devices, and program instructions, stored on at least one of the one or more storage devices for execution by at least one of the one or more processors via at least one of the one or more memories, the stored program instructions comprising: program instructions to establish, at a centralized service available in a hosted network, a permission list of at least one cipher suite valid for secure connections; program instructions to, responsive to receiving, at the centralized service, a request from a socket indicating the socket is negotiating a secure connection with another socket, send the permission list to the socket, wherein the socket negotiates with the another socket for a mutual cipher suite from among the at least one cipher suite specified in the permission list; program instructions to receive, at the centralized service, from the socket, a session identifier specifying the socket and the mutual cipher suite for a new session established between the socket and the another socket; program instructions to add, by the centralized service, the session identifier specifying the socket and the mutual cipher suite to a current session log; program instructions, in response to identifying a particular cipher suite is vulnerable, to search, by the centralized service, the current session log to determine if the particular cipher suite matches one or more previously stored mutual cipher suites; and program instructions, in response to the particular cipher suite matching one or more previously stored mutual cipher suites, to generate, by the centralized service, an alert to send to each socket specified in each entry for the matching one or more previously stored cipher suites; and program instructions to, responsive to identifying that a particular cipher suite matching the mutual cipher suite used in an ongoing secure session for the socket is revoked, notify the socket, by the centralized service, that the mutual cipher suite is revoked.

10. The computer system according to claim 9, the stored program instructions further comprising: program instructions to register, by the centralized service, a subscriber comprising an SSL application for creating the socket, the centralized service comprising a plurality of subscribers co
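A minimal model of the service claim 1 describes: the permission list handed to a socket at handshake time, the current session log keyed by session identifier, and a revocation step that searches that log and produces one alert per affected socket. This is an added illustration, not code from the patent or from IBM; the class and function names, the alert format and the cipher suite strings are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class CipherSuiteService:
    # Permission list in the service's preference order (most preferred first).
    permission_list: List[str]
    # Current session log: session_id -> (socket_id, mutual cipher suite).
    session_log: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def request_permission_list(self, socket_id: str) -> List[str]:
        """A socket about to negotiate asks which suites it may offer (socket_id identifies the requester)."""
        return list(self.permission_list)

    def register_session(self, session_id: str, socket_id: str, suite: str) -> None:
        """The socket reports the new session and the mutual suite it agreed on."""
        if suite not in self.permission_list:
            raise ValueError(f"{suite} is not on the permission list")
        self.session_log[session_id] = (socket_id, suite)

    def revoke(self, suite: str) -> List[dict]:
        """Mark a suite vulnerable: drop it from the list, then alert every logged session using it."""
        if suite in self.permission_list:
            self.permission_list.remove(suite)
        # Search the current session log for entries whose mutual suite matches the revoked one.
        return [
            {"session_id": sid, "socket": sock, "cipher_suite": suite, "revoked": True}
            for sid, (sock, s) in self.session_log.items() if s == suite
        ]

def negotiate(permission_list: List[str], peer_offer: List[str]) -> Optional[str]:
    """Socket side: the first permitted suite the peer also offers, or None to refuse the handshake."""
    for suite in permission_list:
        if suite in peer_offer:
            return suite
    return None

def demo() -> Tuple[CipherSuiteService, List[dict]]:
    """Constructed walk-through: two sockets, one on a legacy suite that is later revoked."""
    service = CipherSuiteService(["TLS_AES_256_GCM_SHA384",
                                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                  "TLS_RSA_WITH_3DES_EDE_CBC_SHA"])
    suite_a = negotiate(service.request_permission_list("sock-A"), ["TLS_AES_256_GCM_SHA384"])
    suite_b = negotiate(service.request_permission_list("sock-B"), ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"])
    service.register_session("sess-1", "sock-A", suite_a)
    service.register_session("sess-2", "sock-B", suite_b)
    return service, service.revoke("TLS_RSA_WITH_3DES_EDE_CBC_SHA")
```

After the revocation a socket that offers only the revoked suite gets None from negotiate and cannot establish a session, while the session already using it is the only one alerted.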

Assignees

IBM

Classifications

  • involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24) · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • the keys or algorithms being changed during operation · CPC title

  • Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title

  • for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10218686B2 cover?
At a centralized service in a hosted environment, a permission list is established of at least one cipher suite valid for secure connections across multiple network environments. Responsive to the centralized service receiving a request from a socket indicating the socket is negotiating a secure connection with another socket, the centralized service sends the permission list to the socket, whe…
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L63/061. Mapped technology areas include Electricity.
When was this patent published?
Publication date Feb 26, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).