TLS (Transport Layer Security) scanning method and device

A network device and algorithm technology applied in the field of TLS scanning. It addresses problems such as low efficiency, lack of support for client authentication, and lack of support for certain algorithms, with the effect of improving processing performance and efficiently supporting those algorithms and/or client authentication.

Active Publication Date: 2013-02-13
HUAWEI TECH CO LTD

Examples

Embodiment 1

[0048] Figure 4 is a schematic diagram of the interaction between the client, the proxy and the server when the export RSA algorithm without ServerKeyExchange or the standard RSA algorithm without ServerKeyExchange is supported. Referring to Figure 4, the TLS scanning method provided in this embodiment may include:

[0049] Deploy the server's certificate on the proxy.

[0050] When the proxy receives the ServerHello message, it checks the cipher_suite (cipher suite) field of the ServerHello to determine whether the key exchange algorithm is the RSA algorithm or the export RSA (RSA_Export) algorithm.

[0051] If the proxy determines that the key exchange algorithm is the RSA algorithm or the export RSA algorithm, and no ServerKeyExchange message is received, the proxy works in monitoring mode and does not modify any message. The interaction between the client, the proxy and the server in this case is as shown in Figure 4.

[0052] When the age...

Embodiment 2

[0056] Figures 5 and 6 are schematic diagrams of the interaction between the client, the proxy and the server when the DH algorithm is supported. The TLS scanning method provided in this embodiment may include:

[0057] Deploy the server's certificate on the proxy.

[0058] When the proxy receives the ServerHello, it determines whether the key exchange algorithm is the RSA algorithm or the export RSA algorithm.

[0059] If it is the RSA algorithm or the export RSA algorithm, and no ServerKeyExchange message is received, the proxy works in monitoring mode and does not modify any message. The proxy obtains the pre-master secret by decrypting the ClientKeyExchange message, derives the session key according to the TLS standard, and decrypts the subsequent TLS record messages. The process ends.

[0060] If it is a DH algorithm, the proxy works in proxy mode and regenerates a new ServerHello or ServerKeyExchange message; which message to regenerate may be chosen according to local policy.

...
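The mode selection described in embodiments 1 and 2 (read the cipher_suite from the ServerHello, then take monitoring mode for RSA/RSA_EXPORT with no ServerKeyExchange and proxy mode for DH), as an added Python example that is not part of the patent or of any Huawei code. The cipher-suite table, the minimal ServerHello builder used as constructed input, and the handling of unrecognised suites are my assumptions.

```python
import struct

# Constructed subset of IANA TLS cipher-suite IDs with their key-exchange class.
KEY_EXCHANGE = {
    0x0003: "RSA_EXPORT",  # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    0x0008: "RSA_EXPORT",  # TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    0x000A: "RSA",         # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x002F: "RSA",         # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035: "RSA",         # TLS_RSA_WITH_AES_256_CBC_SHA
    0x0033: "DHE",         # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0xC02F: "ECDHE",       # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}

def parse_server_hello(record: bytes) -> int:
    """Return the cipher_suite chosen in a TLS ServerHello record (RFC 5246 layout)."""
    if len(record) < 5 or record[0] != 0x16:            # ContentType: handshake
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:                # HandshakeType: server_hello
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 35:                                    # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    off = 35 + hs[34]                                   # skip the variable-length session_id
    if len(hs) < off + 3:                               # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", hs[off:off + 2])[0]

def select_mode(cipher_suite: int, server_key_exchange_seen: bool) -> str:
    """Monitoring mode only when the static certificate key can decrypt the
    ClientKeyExchange, i.e. RSA/RSA_EXPORT with no ServerKeyExchange; otherwise proxy mode."""
    kx = KEY_EXCHANGE.get(cipher_suite)
    if kx in ("RSA", "RSA_EXPORT") and not server_key_exchange_seen:
        return "monitor"
    # DH-style suites, RSA with a ServerKeyExchange (ephemeral key), and unrecognised
    # suites (assumption: the page only specifies the RSA and DH cases) get proxy mode.
    return "proxy"

def build_server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample input: a minimal TLS 1.0 ServerHello record without extensions."""
    hs = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
          + struct.pack("!H", cipher_suite) + b"\x00")
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body
```

A real inspection proxy would feed the actual ServerHello record from the server-side connection into parse_server_hello and track whether a ServerKeyExchange followed it before calling select_mode.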

Embodiment 3

[0096] Figure 7 is a schematic diagram of the interaction between the client, the proxy and the server when the export RSA algorithm with ServerKeyExchange or the non-standard RSA algorithm with ServerKeyExchange is supported. Referring to Figure 7, the TLS scanning method provided in this embodiment may include:

[0097] Deploy the server's certificate on the proxy.

[0098] When the proxy receives the ServerHello, it determines whether the key exchange algorithm is the RSA algorithm or the export RSA algorithm.

[0099] If it is the RSA algorithm or the export RSA algorithm, and no ServerKeyExchange message is received, the proxy works in monitoring mode and does not modify any message. The proxy obtains the pre-master secret by decrypting the ClientKeyExchange message, derives the session key according to the TLS standard, and decrypts the subsequent TLS record messages. The process ends.

[0100] If the proxy receives the export RSA algorithm or the RSA algorithm in the ServerHello, and re...

Abstract

The embodiments of the invention provide a TLS (Transport Layer Security) scanning method in the field of encrypted communication. During server-side scanning, the method can efficiently support various algorithms and/or client authentication. The method comprises the following steps: a proxy receives a server initial message sent by a server, wherein the server initial message comprises the algorithm selected by the server; and the proxy selects a working mode according to the algorithm selected by the server, wherein the working modes comprise a monitor mode and a proxy mode so as to support the algorithm selected by the server and/or client authentication; the proxy does not change any message in the monitor mode and changes messages in the proxy mode. The embodiments of the invention further provide a corresponding network device.

Description

Technical field

[0001] The invention relates to the field of encrypted communication, in particular to a TLS (Transport Layer Security) scanning method and device.

Background technique

[0002] TLS is a widely used authentication and secure transport protocol. After identity authentication, both parties obtain a shared session key, which is used for encryption and authentication of the subsequent communication content.

[0003] TLS is now increasingly used to encrypt applications on the web. While TLS protects the confidentiality and integrity of these applications, it also brings some problems: application-layer attack traffic that is encrypted by TLS cannot be detected by IPS (Intrusion Prevention System) equipment. For example, an IPS can do nothing about an attack against an encrypted website.

[0004] The existing technology may not support a certain algorithm when performing server-side scanning, or may ...

Application Information

IPC(8): H04L29/06
Inventor: 朱贤
Owner: HUAWEI TECH CO LTD