Patent Issued for Method for performing TLS/SSL inspection based on verified subject name (USPTO 11411924): Check Point Software Technologies Ltd.
2022 AUG 26 (NewsRx) -- By a
The patent’s inventors are Isaev, Pavel (
This patent was filed on
From the background information supplied by the inventors, news correspondents obtained the following quote: “Transport Layer Security (TLS), and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. SSL and TLS are defined in a series of Request For Comments (RFCs), the latest is RFC 8446 (https://tools.ietf.org/html/rfc8446), this document is incorporated by reference herein. Several versions of the protocols find widespread use in applications such as serving web traffic. Encrypted web traffic typically needs to be inspected for security reasons, by security and other inspection devices. However, there are instances where web traffic should not be decrypted and inspected, such as in cases where it is needed to protect the privacy of an individual or an organization, or when following security policies, or regulations such as
“A Hypertext Transfer Protocol Secure (HTTPS) Inspection Rule Base is a set of rules used to define which HTTPS traffic will be decrypted and inspected by a Security Gateway, and which traffic including data, will be bypassed, for example, such that TLS/SSL inspection is not performed on the traffic. As a result of the bypass, the traffic passes through the security gateway to its intended destination. Rules in the rule base can match the connections by Internet Protocol (IP) addresses, transport layer information, such as Transmission Control Protocol (TCP) ports, as well as site’s identity. TCP is defined in a series of Request For Comments (RFCs), such as RFC 793 (https://tools.ietf.org/html/rfc793), this document is incorporated by reference herein. This categorization process requires knowledge of the “subject name” of the web site.
“One example for deciding on bypassing is shown in FIG. 1. Here, a contemporary bypass is performed by security gateways, e.g., a firewall 10, between a client, represented by the client computer 12 (“client” and “client computer” used interchangeably herein) and a server 14, along a communications network such as the Internet. The process involves a client side connection 20, between the client 12 and the firewall 10. The connection comprises a TCP handshake 20a between the firewall 10 and the client 12, followed by a Client Hello message 20b, sent from the client 12 to the firewall 10. The Client Hello message 20b is typically the first message of the connection. The firewall 10 analyzes the Client Hello message 20b, and Server Name Indication (SNI) information within the Client Hello message 20b. The SNI information is, for example, normally used in the TLS handshake 20a, to allow a server, which, for example, hosts multiple websites, to use the correct set of TLS/SSL credentials, for the requested web site. The Security Gateway, based on the SNI information, renders a decision 24, and then processes the traffic by either bypassing it, for example by forwarding encrypted and/or TLS/SSL handshake messages exchanged between the client and the server without altering them and/or decrypting them; inspecting it, for example by decrypting the traffic and performing additional security checks on the decrypted traffic; or blocking it, for example by dropping further packets belonging to the connection.
“However, this method is imprecise and could lead to violations of the enterprise security policy. For example, a malicious client could send a Client Hello message that includes an innocent looking SNI extension. This could lead the Security Gateway to assume that the client is connecting to a legitimate website. However, the client is actually circumventing the
Supplementing the background information on this patent, NewsRx reporters also obtained the inventors’ summary information for this patent: “The present invention is directed to an inspection decision mechanism. This mechanism provides a precise site identity that facilities, for example, security, privacy and improved connectivity. Security devices with this mechanism apply a rule base that determines which cryptographically protected traffic should be inspected, bypassed, for example, excluded from decryption, or blocked.
“The present invention provides methods and systems for processing cryptographically secured connections by a gateway, between a client and a server. Upon receiving TCP and TLS/SSL handshakes associated with a client side connection, from a client (client computer) to the gateway, a probing connection is established. The probing connection completes the handshakes, and based on the completion of the handshakes, the gateway renders a decision, to bypass, block or inspect, the connections between the client and the server, allowing or not allowing data to pass through the connections between the client and the server.
“The present invention provides a verified subject name, based on certificate authentication, to a rule base before an inspection/bypass/block decision is made. For example, a gateway analyzes a server certificate to identify a site. It does so by using a probing connection, which provides an additional security layer in the aforementioned inspection/bypass/block decision.
“The probing connection allows the gateway to identify the site which is hosted on the server. The gateway opens a connection with the server, for example, by performing a TCP (Transmission Control Protocol) handshake with the server followed by a TLS/SSL handshake. In the TLS/SSL handshake, the gateway sends an SNI message (for example, based on an SNI message originally sent by the client to the gateway), followed by additional handshake messages between the gateway and the server, one of the messages being a server certificate message which includes, for example, a server certificate. The server certificate message is sent by the server to the gateway. The gateway analyzes the information sent by the server, including information found in the server certificate message, in order to determine the identity of the site.
“Embodiments of the invention are directed to a method for processing cryptographically secured connections by a gateway between a client and a server. The method comprises: receiving a connection request from a client, responding to the received connection request by initiating a probing connection to the server, the probing connection including: 1) performing a cryptographic protocol with the server, the cryptographic protocol including causing the server to provide an indicator to a site hosted by the server; 2) receiving data from the server including an indicator to a site hosted by the server; and, 3) analyzing the received indicator to determine the identity of the site hosted by the server; and, processing the connection based, at least in part, on the determined identity of the site hosted by the server.”
The claims supplied by the inventors are:
“1. A method for processing cryptographically secured connections by a gateway between a client and a server comprising: receiving from the client a connection request that includes an indication of a site hosted by the server to which the client is attempting to connect; upon receiving the connection request, always responding to the received connection request by initiating a probing connection to the server, the probing connection including: performing a cryptographic protocol with the server, the cryptographic protocol including causing the server to provide an indicator to a site hosted by the server; receiving data from the server including an indicator to a site hosted by the server; and, analyzing the received indicator to determine the identity of the site hosted by the server; and, processing the connection based, at least in part, on the determined identity of the site hosted by the server.
“2. The method of claim 1, wherein the processing the connection includes a decision to block, inspect, or bypass the connection, where the decision is, at least in part, based on the determined identity.
“3. The method of claim 1, wherein the cryptographic protocol includes a Transport Control Protocol (TCP) handshake and a Transport Layer Security (TLS) handshake.
“4. The method of claim 3, wherein the received connection request includes a Client Hello message, and the TLS handshake includes a copy of the Client Hello message sent by the client including a Server Name Indication (SNI) extension.
“5. The method of claim 4, wherein the indicator received from the server includes a server certificate.
“6. The method of claim 1, wherein the site includes a website hosted by the server.
“7. The method of claim 2 wherein the protocol includes at least one of: a Datagram Transport Layer Security (DTLS) handshake or a Quick UDP Internet Connections (QUIC) handshake.
“8. A computer system for processing cryptographically secured connections by a gateway between a client and a server comprising: a storage medium for storing computer components; and, at least one processor for executing the computer components comprising: a first computer component for receiving from the client a connection request that includes an indication of a site hosted by the server to which the client is attempting to connect; a second computer component for, upon receiving the connection request, always responding to the received connection request by initiating a probing connection to the server, the probing connection including: performing a cryptographic protocol with the server, the cryptographic protocol including causing the server to provide an indicator to a site hosted by the server; receiving data from the server including an indicator to a site hosted by the server; and, analyzing the received indicator to determine the identity of the site hosted by the server; and, a third component for processing the connection based, at least in part, on the determined identity of the site hosted by the server.
“9. The computer system of claim 8, additionally comprising a fourth component for deciding to block, inspect, or bypass the connection, where the decision is, at least in part, based on the determined identity.
“10. The computer system of claim 9, wherein the cryptographic protocol includes a Transport Control Protocol (TCP) handshake and a Transport Layer Security (TLS) handshake.
“11. The computer system of claim 10, wherein the received connection request includes a Client Hello message, and the TLS handshake includes a copy of the Client Hello message sent by the client including a Server Name Indication (SNI) extension.
“12. The computer system of claim 11, wherein the indicator received from the server includes a server certificate.
“13. The computer system of claim 8, wherein the site includes a website hosted by the server.
“14. The computer system of claim 9, wherein the protocol includes at least one of: a Datagram Transport Security Protocol (DTLS) handshake or a Quick UDP Internet Connections (QUIC) handshake.
“15. A computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitably programmed system to process cryptographically secured connections by a gateway between a client and a server, by performing the following steps when such program is executed on the system, the steps comprising: receiving from the client a connection request that includes an indication of a site hosted by the server to which the client is attempting to connect; upon receiving the connection request, always responding to the received connection request by initiating a probing connection to the server, the probing connection including: performing a cryptographic protocol with the server, the cryptographic protocol including causing the server to provide an indicator to a site hosted by the server; receiving data from the server including an indicator to a site hosted by the server; and, analyzing the received indicator to determine the identity of the site hosted by the server; and, processing the connection based, at least in part, on the determined identity of the site hosted by the server.
“16. The computer usable non-transitory storage medium of claim 15, wherein the processing the connection includes a decision to block, inspect, or bypass the connection, where the decision is, at least in part, based on the determined identity.
“17. The computer usable non-transitory storage medium of claim 16, wherein the cryptographic protocol includes a Transport Control Protocol (TCP) handshake and a Transport Layer Security (TLS) handshake.
“18. The computer usable non-transitory storage medium of claim 17, wherein the received connection request includes a Client Hello message, and the TLS handshake includes a copy of the Client Hello message sent by the client including a Server Name Indication (SNI) extension.
“19. The computer usable non-transitory storage medium of claim 18, wherein the indicator received from the server includes a server certificate.
“20. The computer usable non-transitory storage medium of claim 15, wherein the site includes a website hosted by the server.
“21. The computer usable non-transitory storage medium of claim 16, wherein the protocol includes at least one of: a Datagram Transport Security Protocol (DTLS) handshake or a Quick UDP Internet Connections (QUIC) handshake.”
For the URL and additional information on this patent, see: Isaev, Pavel. Method for performing TLS/SSL inspection based on verified subject name.
(Our reports deliver fact-based news of research and discoveries from around the world.)
Patent Issued for Zero knowledge proof-based privacy protection method and system for authenticated data in smart contract (USPTO 11411737): Shandong University
Patent Application Titled “Systems And Methods For Assigning Damage Caused By An Insurance-Related Event” Published Online (USPTO 20220253949): Patent Application
Advisor News
- Jackson National study: vast underestimate of health care, LTC costs for retirement
- EDITORIAL: Home insurance, tax increases harm county’s housing options
- Nationwide Financial Services President John Carter to retire at year end
- FINRA, FBI warn about generative AI and finances
- Prudential study: Babies born today will likely need nearly $2M to retire
More Advisor NewsAnnuity News
- Brighthouse Financial Inc. (NASDAQ: BHF) Sees Notable Increase in Tuesday Morning Market Activity
- Hexure Integrates with DTCC’s Producer Authorization, Providing Real-Time Can-Sell Check within FireLight
- LIMRA: 2024 retail annuity sales set $432B record, but how does 2025 look?
- Perspectives: Should I trust my retirement to an insurance company?
- Prudential Financial to Reinsure $7B Japanese Whole Life Block with Prismic Life
More Annuity NewsHealth/Employee Benefits News
- 500 people, many undocumented immigrants, rally in CT Capitol for expanded health coverage
- Some settlements reached in fraud lawsuit involving Sunny Hostin’s husband
- REITS and FFOs
- Nebraska mental health providers say federal change puts vulnerable at risk
- NC bill would limit insurers' prior authorizations
Proposed NC bill limits reach of insurers' prior authorizations
More Health/Employee Benefits NewsLife Insurance News
- AM Best Affirms Credit Ratings of Members of Aegon Ltd.’s U.S. Subsidiaries
- Annual Report of Employee Stock Purchase/Savings Plan (Form 11-K)
- Fourth Quarter 2024 Press Release
- Brighthouse Financial Inc. (NASDAQ: BHF) Sees Notable Increase in Tuesday Morning Market Activity
- Jackson National study: vast underestimate of health care, LTC costs for retirement
More Life Insurance News