Granular offloading of a proxied secure session
US-2018234388-A1 · Aug 16, 2018 · US
US10911409B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10911409-B2 |
| Application number | US-201815984637-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 21, 2018 |
| Priority date | May 21, 2018 |
| Publication date | Feb 2, 2021 |
| Grant date | Feb 2, 2021 |
Official abstract text for this publication.
Techniques are presented herein for engagement and disengagement of Transport Layer Security proxy services with encrypted handshaking. In one embodiment, a first initial message of a first encrypted handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message includes first key exchange information for encrypting the first encrypted handshaking procedure. A copy of the first initial message is stored at the proxy device. A second initial message of a second encrypted handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. The second initial message includes second key exchange information for encrypting the second encrypted handshaking procedure. The proxy device determines, based on the second encrypted handshaking procedure, whether to remain engaged or to disengage.
Opening claim text (preview).
What is claimed is:
1. A method of establishing a secure connection across a network, comprising: intercepting, at a proxy device, a first initial message of a first encrypted handshaking procedure for a first secure communication session between a first device and a second device, wherein the first initial message includes at least first key exchange information for encrypting the first encrypted handshaking procedure; storing a copy of the first initial message of the first encrypted handshaking procedure at the proxy device; sending a second initial message of a second encrypted handshaking procedure from the proxy device to the second device for a second secure communication session between the proxy device and the second device, wherein the second initial message includes second key exchange information for encrypting the second encrypted handshaking procedure; determining, based on the second encrypted handshaking procedure, whether the proxy device is to remain engaged between the first device and the second device during the first secure communication session, or is to disengage such that inspection of communication traffic during the first secure communication session is not to be performed by the proxy device; and upon determining that the first device is attempting to resume a previous secure communication session with the second device when the first initial message includes information associated with a previous encrypted handshaking procedure: determining whether previous session credentials are stored at the proxy device; and upon determining that previous session credentials are not stored and the proxy device is to remain engaged: establishing the first secure communication session between the first device and the proxy device; establishing the second secure communication session between the proxy device and the second device; and at the proxy device, examining communication traffic between the first device and the second device.
2. The method of claim 1, upon determining that the proxy device is to remain engaged between the first device and the second device, further comprising: maintaining the second secure communication session between the proxy device and the second device; sending a response to the first initial message of the first encrypted handshaking procedure to the first device to establish the first secure communication session between the first device and the proxy device; and at the proxy device, examining communication traffic between the first device and the second device.
3. The method of claim 1, upon determining that the proxy device is to disengage between the first device and the second device, further comprising: sending a reset request to the second device; forwarding the copy of the first initial message of the first encrypted handshaking procedure to the second device, wherein the copy of the first initial message includes the first key exchange information for performing the first encrypted handshaking procedure; and passing a response from the second device to the first device to establish the first secure communication session between the first device and the second device without examination of communication traffic by the proxy device.
4. The method of claim 3, further comprising the proxy device disengaging from the first secure communication session between the first device and the second device without resetting the first encrypted handshaking procedure at the first device.
5. The method of claim 1, wherein determining whether the proxy device is to remain engaged or is to disengage is based on a policy determination.
6. The method of claim 5, wherein the policy determination is based on examining a certificate contained in a message from the second device.
7. The method of claim 1, wherein the first encrypted handshaking procedure and the second encrypted handshaking procedure are in accordance with a transport layer security protocol.
8. The method of claim 1, upon determining that previous session credentials are stored at the proxy device and upon determining that the proxy device is to remain engaged between the first device and the second device, further comprising: responding to the first initial message from the first device using the previous session credentials stored at the proxy device to establish the first secure communication session between the first device and the proxy device, wherein the previous session credentials include information associated with a previous encrypted handshaking procedure between the first device and the proxy device; and sending the previous session credentials stored at the proxy device in the second initial message of the second encrypted handshaking procedure from the proxy device to the second device to establish the second secure communication session between the proxy device and the second device, wherein the previous session credentials include information associated with a previous encrypted handshaking procedure between the proxy device and the second device; and at the proxy device, examining communication traffic between the first device and the second device.
9. The method of claim 1, upon determining that previous session credentials are not stored at the proxy device and the proxy device is to remain engaged between the first device and the second device, further comprising: sending a retry request to the first device to re-initiate the first encrypted handshaking procedure; and sending a reset request to the second device.
10. The method of claim 1, upon determining that previous session credentials are stored at the proxy device and the proxy device is to disengage between the first device and the second device, further comprising: sending a retry request to the first device to re-initiate the first encrypted handshaking procedure; and permitting the first device to establish the first secure communication session between the first device and the second device without examination of communication traffic by the proxy device.
11. The method of claim 1, upon determining that previous session credentials are not stored at the proxy device and the proxy device is to disengage between the first device and the second device, further comprising: sending a reset request to the second device; forwarding the copy of the first initial message from the first device to the second device, wherein the first initial message includes information associated with the previous encrypted handshaking procedure between the first device and the second device; and passing a response from the second device to the first device to establish the first secure communication session between the first device and the second device without examination of communication traffic by the proxy device.
12. An apparatus comprising: a network interface unit configured to enable communications over a network; a memory; and a processor of a proxy device, the processor coupled to the memory and the network interface unit, and configured to: intercept a first initial message of a first encrypted handshaking procedure for a first secure communication session between a first device and a second device, wherein the first initial message includes at least first key exchange information for encrypting the first encrypted handshaking procedure; store a copy of the first initial message of the first encrypted handshaking procedure; send a second initial message of a second encrypted handshaking procedure to the second device for a second secure communication session between the apparatus and the second device, wherein the second initial message includes second key excha
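The engage/disengage procedure described in the abstract and in claims 1 through 11, as a runnable model of the proxy's decision logic. This is an added example, not code from the patent or from any product: the ClientHello/ServerHello fields, the ticket scheme, the certificate-subject policy, and every name used here (Proxy, Server, handle, the CN= subjects, the ticket strings) are simplified assumptions, not TLS wire format. The point it shows is the ordering the claims impose: the proxy sends its own key share to the server first, reads the server's certificate from that second handshake, and only then either answers the client itself (remain engaged) or resets the server side and replays the stored copy of the client's original ClientHello so the client's own key share reaches the server and the client never sees a reset (disengage, claims 3 and 4). Resumption attempts are routed through the four branches of claims 8 to 11 depending on whether the proxy holds cached credentials.

```python
"""Engage/disengage decision of a TLS-inspecting proxy, modelled after the abstract
and claims 1-11 above.  Added illustration, not code from the patent or any product:
message fields, the policy, and the ticket scheme are simplified assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ClientHello:
    sni: str
    key_share: bytes                        # ephemeral public key: the "key exchange information"
    psk_identity: Optional[bytes] = None    # present when the client tries to resume a session


@dataclass(frozen=True)
class ServerHello:
    key_share: bytes
    cert_subject: str                       # what a claim-6 policy examines
    new_ticket: Optional[bytes]             # issued on a full handshake, usable for later resumption


class Server:
    """Origin server (constructed stand-in).  Records every ClientHello it receives."""
    def __init__(self, cert_subject: str):
        self.cert_subject = cert_subject
        self.tickets: set = set()
        self.resets = 0
        self.seen: List[ClientHello] = []

    def handshake(self, hello: ClientHello) -> ServerHello:
        self.seen.append(hello)
        if hello.psk_identity in self.tickets:            # resumption: no new ticket issued
            return ServerHello(b"S" + hello.key_share, self.cert_subject, None)
        ticket = b"srv-ticket-%d" % len(self.tickets)     # full handshake: issue a ticket
        self.tickets.add(ticket)
        return ServerHello(b"S" + hello.key_share, self.cert_subject, ticket)

    def reset(self) -> None:
        self.resets += 1


class Proxy:
    def __init__(self, policy: Callable[[str], bool]):
        self.policy = policy                    # cert subject -> True means "remain engaged"
        self.key_share = b"proxy-ephemeral"     # the proxy's own (second) key exchange information
        self.cache: Dict[bytes, bytes] = {}     # client-facing ticket -> server-side ticket

    def handle(self, first: ClientHello, server: Server) -> dict:
        copy = first                                              # stored copy of the first initial message
        resuming = first.psk_identity is not None
        server_ticket = self.cache.get(first.psk_identity) if resuming else None
        # Second handshake: proxy's own key share, reusing stored server-side credentials if any.
        second = ClientHello(first.sni, self.key_share, server_ticket)
        sh = server.handshake(second)
        engage = self.policy(sh.cert_subject)                     # claims 5 and 6: decide from the cert
        actions: List[str] = []
        client_retry = False
        if engage and (not resuming or server_ticket):            # claims 2 and 8: stay in the middle
            actions += ["keep proxy<->server session",
                        "client<-ServerHello(proxy key share)" if not resuming
                        else "client<-ServerHello(stored credentials)"]
            if sh.new_ticket:                                     # remember both halves for later resumption
                self.cache[b"pxy-ticket-" + sh.new_ticket] = sh.new_ticket
                actions.append("client<-NewSessionTicket")
            actions.append("inspect traffic")
        elif engage:                                              # claim 9: resuming, nothing cached
            client_retry = True
            server.reset()
            actions += ["client<-retry", "server<-reset", "inspect traffic after re-handshake"]
        elif resuming and server_ticket:                          # claim 10: cached, but policy says bypass
            client_retry = True
            actions += ["client<-retry", "client<->server direct, no inspection"]
        else:                                                     # claims 3, 4 and 11: step out unnoticed
            server.reset()
            server.handshake(copy)                                # forward the stored copy unchanged
            actions += ["server<-reset", "server<-copy(first ClientHello)",
                        "client<-pass-through server response", "no inspection"]
        return {"engaged": engage, "client_retry": client_retry, "actions": actions}
```

Two practitioner notes on why the sequence has to look like this. First, the proxy cannot simply read the server certificate off the wire and then decide: with encrypted handshaking the certificate only becomes visible once some party has completed a key exchange with the server, so the proxy spends its own key share to learn it, and discards that half-built session on disengage. Second, the copy of the client's ClientHello must be replayed unmodified, because the client will derive its keys from the key share it sent; any proxy that rewrote it would have to stay engaged. The cached-credential mapping is pairwise for the same reason: a ticket the proxy issued to the client is only valid against the proxy, so it must be paired with a separate ticket the proxy obtained from the server.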
CPC classification titles:
- for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838)
- at the transport layer
- using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263)
- Proxies