Security policy enforcement

US9288234B2 · US · B2

Patent metadata

Publication number: US-9288234-B2
Application number: US-201214235829-A
Country: US
Kind code: B2
Filing date: Jul 31, 2012
Priority date: Aug 4, 2011
Publication date: Mar 15, 2016
Grant date: Mar 15, 2016

Abstract

A method of operating a network message interceptor for enforcing a security policy for communication over a network between first and second network endpoints, the interceptor being in communication with the network and external to the first and second endpoints, the network including transport layer security, and the security policy identifying at least one valid security standards for communication over the network, the method comprising the steps of: intercepting a handshake message transmitted over the network between the first and second endpoints; extracting from the handshake message an identification of a security standard selected for the communication between the first and second endpoints; determining a validity status of the identified security standard based on the security policy; and preventing communication between the first and second endpoints based on a negatively determined validity status of the identified security standard.

Claims

The invention claimed is:

1. A method of operating a network message interceptor for enforcing a security policy for communication over a network between first and second network endpoints, the interceptor being in communication with the network and external to the first and second network endpoints, the network including transport layer security, and the security policy identifying at least one valid security standards for communication over the network, the method comprising: intercepting, by one or more processors, a handshake message transmitted over the network between the first and second network endpoints; extracting, by one or more processors, from the handshake message an identification of a security standard selected for the communication between the first and second network endpoints; determining, by one or more processors, a validity status of the identified security standard based on the security policy, wherein the security policy defines characteristics of predetermined acceptable security standards for communication over the network; preventing, by one or more processors, communication between the first and second network endpoints based on a negatively determined validity status of the identified security standard; extracting, by one or more processors, an identification of a security standard selected for communication between the first and second network endpoints from the handshake message, wherein the identification of the security standard is determined by extracting a cipher suite from an initial “Server Hello” message from the first network endpoint to the second network endpoint, and wherein the cipher suite is used by the security standard to encrypt communications between the first and second network endpoints; referencing, by one or more processors, a predefined security policy to determine a validity status of the identified security standard from the handshake message, wherein the predefined security policy includes a definition of supported cipher suites used in the communication between the first and second network endpoints, and wherein the predefined security policy further prevents a resumption of previous communication sessions between the first and second network endpoints; verifying, by one or more processors, that the first network endpoint is in possession of a private key associated with a public key in the certificate by intercepting a “Certificate Verify” message from the first network endpoint to the second network endpoint, wherein the “Certificate Verify” message consists of a concatenation of all messages in a handshake between the first and second network endpoints, wherein said all messages in the handshake between the first network endpoint and the second network endpoint include a “Client Hello” message from the first network endpoint to the second network endpoint, a “Server Hello” message from the second network endpoint to the first network endpoint, a “Server Certificate” message from the second network endpoint to the first network endpoint, a “Client Certificate Request” message from the second network endpoint to the first network endpoint, and a “Client Certificate” message from the first network endpoint to the second network endpoint; and further preventing, by one or more processors, communication between the first and second network endpoints based on the first and second endpoints complying with the security standard selected for communication between the first and second network endpoints, the first and second endpoints complying with the predefined security policy, and verification that the first network endpoint is in possession of the private key associated with the public key in the certificate based on the “Certificate Verify” message from the first network endpoint to the second network endpoint.

2. The method of claim 1, further comprising: permitting, by one or more processors, communication between the first and second network endpoints based on a positively determined validity status of the identified security standard.

3. The method of claim 1, further comprising: preventing, by one or more processors, communication between the first and second network endpoints based on a determination by an authorization component using an identification of each of the first and second network endpoints.

4. The method of claim 1, wherein the security standard is a cipher suite.

5. The method of claim 1, wherein the security policy identifies at least one of: at least one key exchange method; at least one encryption algorithm; at least one message digest algorithm; and at least one minimum key length.

6. The method of claim 5, wherein the security standard identifies at least one of: a key exchange method; an encryption algorithm; and a message digest algorithm.

7. The method of claim 2, wherein the security policy indicates whether resumption of a communication session is allowable.

8. The method of claim 2, wherein the interceptor is a transparent proxy.

9. A network message interceptor for enforcing a security policy for communication over a network between first and second network endpoints, the network message interceptor being in communication with the network and external to the first and second network endpoints, the network including transport layer security, and the security policy identifying at least one valid security standards for communication over the network, wherein the network message interceptor comprises one or more processors, and a non-transitory computer readable storage device storing instructions, the one or more processors executing the instructions to: intercept a handshake message transmitted over the network between the first and second network endpoints; extract from the handshake message an identification of a security standard selected for the communication between the first and second network endpoints; determine a validity status of the identified security standard based on the security policy, wherein the security policy defines characteristics of predetermined acceptable security standards for communication over the network; prevent communication between the first and second network endpoints based on a negatively determined validity status of the identified security standard; extract an identification of a security standard selected for communication between the first and second network endpoints from the handshake message, wherein the identification of the security standard is determined by extracting a cipher suite from an initial “Server Hello” message from the first network endpoint to the second network endpoint, and wherein the cipher suite is used by the security standard to encrypt communications between the first and second network endpoints; reference a predefined security policy to determine a validity status of the identified security standard from the handshake message, wherein the predefined security policy includes a definition of supported cipher suites used in the communication between the first and second network endpoints, and wherein the predefined security policy further prevents a resumption of previous communication sessions between the first and second network endpoints; verify that the first network endpoint is in possession of a private key associated with a public key in the certificate by intercepting a “Certificate Verify” message from the first network endpoint to the second network endpoint, wherein the “Certificate Verify” message consists of a concatenation of all messages in a handshake between the first and second network endpoints, wherein said all messages in the handshake between the first network endpoint and the second network endpoint include a “Client Hello” message from the
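Added illustration, not code from the patent or its assignee: a small Python model of the interceptor's core check from claims 1, 4 and 7, parsing an intercepted TLS 1.2 Server Hello record, extracting the negotiated cipher suite, comparing it against a policy allowlist, and refusing a handshake that resumes an earlier session (detected when the server echoes the client's non-empty session ID). The policy contents, the allowlisted suites and the sample messages are constructed assumptions; the cipher-suite numbers and names are the standard IANA registrations.

```python
import struct

# Cipher suite numbers and names as registered with IANA (used here as sample values).
CIPHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Constructed policy (an assumption, not the patent's): only forward-secret AEAD
# suites are valid, and resumption of earlier sessions is not allowed (claim 7).
POLICY = {"allowed_suites": {0xC02F, 0xC030}, "allow_resumption": False}

def parse_server_hello(record: bytes) -> dict:
    """Pull version, session_id and cipher suite out of a TLS record carrying a ServerHello."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[:2])[0]
    sid_len = hs[34]                      # 2 bytes version + 32 bytes random precede it
    session_id = hs[35:35 + sid_len]
    cipher = struct.unpack("!H", hs[35 + sid_len:37 + sid_len])[0]
    return {"version": version, "session_id": session_id, "cipher_suite": cipher}

def evaluate(server_hello: bytes, client_session_id: bytes, policy=POLICY) -> tuple:
    """Decide (allow, reason) as the interceptor would before forwarding the ServerHello."""
    info = parse_server_hello(server_hello)
    suite = info["cipher_suite"]
    name = CIPHER_SUITES.get(suite, "unknown")
    if suite not in policy["allowed_suites"]:
        return False, f"cipher suite {name} (0x{suite:04X}) not permitted by policy"
    # A ServerHello that echoes the client's non-empty session ID signals resumption.
    resumed = bool(client_session_id) and info["session_id"] == client_session_id
    if resumed and not policy["allow_resumption"]:
        return False, "session resumption not permitted by policy"
    return True, f"cipher suite {name} accepted"

def build_server_hello(cipher_suite: int, session_id: bytes) -> bytes:
    """Constructed TLS 1.2 ServerHello (zero random, null compression) for offline tests."""
    hs = struct.pack("!H", 0x0303) + bytes(32) + bytes([len(session_id)]) + session_id
    hs += struct.pack("!H", cipher_suite) + b"\x00"
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 0x16, 0x0303, len(body)) + body
```

A real interceptor would additionally apply the policy's key-exchange, digest and minimum-key-length constraints (claim 5) and the Certificate Verify check from claim 1; this block covers only the cipher-suite and resumption decisions.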

Classifications

  • H04L63/205 (primary): involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24)

  • H04L63/20 (primary): for managing network security; network security policies in general (filtering policies H04L63/0227)

  • for controlling access to devices or network resources

  • using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263)

Frequently asked questions

Who is the assignee on this patent?
Barr Arthur J, Deakin Oliver M, Nicholson Robert B, and 2 more
What technology area does this patent fall under?
Primary CPC classification H04L63/205. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 15, 2016 (B2).