CN110622482B - Cacheless session ticket support in TLS inspection - Google Patents

Cacheless session ticket support in TLS inspection

Info

Publication number
CN110622482B
Authority
CN
China
Prior art keywords
session
tls
ticket
session ticket
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201880031375.0A
Other languages
English (en)
Chinese (zh)
Other versions
CN110622482A (zh)
Inventor
李承达
熊伟翔
孙维孝
吴明勋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2017-06-01
Filing date
2018-05-31
Publication date
2022-02-22
Application filed by International Business Machines Corp
Publication of CN110622482A
Application granted
Publication of CN110622482B
Active legal status

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/14 Session management
    • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer And Data Communications (AREA)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/611,229 US10542041B2 (en) 2017-06-01 2017-06-01 Cacheless session ticket support in TLS inspection
US15/611,229 2017-06-01
PCT/IB2018/053877 WO2018220570A1 (en) 2017-06-01 2018-05-31 Cacheless session ticket support in tls inspection

Publications (2)

Publication Number Publication Date
CN110622482A CN110622482A (zh) 2019-12-27
CN110622482B (zh) 2022-02-22

Family

ID=64456398

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880031375.0A Active CN110622482B (zh) 2017-06-01 2018-05-31 Cacheless session ticket support in TLS inspection

Country Status (6)

Country Link
US (1) US10542041B2 (en)
JP (1) JP7436210B2 (en)
CN (1) CN110622482B (en)
DE (1) DE112018001559B4 (en)
GB (1) GB2577230B (en)
WO (1) WO2018220570A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10812468B2 (en) * 2017-12-07 2020-10-20 Sonicwall Inc. Dynamic bypass
US10581948B2 (en) 2017-12-07 2020-03-03 Akamai Technologies, Inc. Client side cache visibility with TLS session tickets
US11019034B2 (en) 2018-11-16 2021-05-25 Akamai Technologies, Inc. Systems and methods for proxying encrypted traffic to protect origin servers from internet threats
US11233859B2 (en) * 2019-10-31 2022-01-25 Arm Ip Limited Machine-to-machine communications
CN111866172A (zh) * 2020-07-30 2020-10-30 Beijing Kingsoft Cloud Network Technology Co., Ltd. Session ticket processing method and apparatus, and electronic device
CN113014454B (zh) * 2021-03-05 2022-06-14 China Electronics Jizhi (Hainan) Information Technology Co., Ltd. User agent identification and count detection method based on the SSL and TLS protocols
JP7427145B2 (ja) * 2022-02-01 2024-02-02 Mitsubishi Electric Corporation Dynamic authorization system and dynamic authorization method
CN115296847B (zh) * 2022-07-06 2024-02-13 Hangzhou Tuya Information Technology Co., Ltd. Traffic control method and apparatus, computer device and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104702611A (zh) * 2015-03-15 2015-06-10 Xidian University Device and method for protecting Secure Sockets Layer session keys
CN106790285A (zh) * 2017-02-27 2017-05-31 Hangzhou DPtech Technologies Co., Ltd. Session reuse method and apparatus

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050050316A1 (en) 2003-08-25 2005-03-03 Amir Peles Passive SSL decryption
US20060294366A1 (en) * 2005-06-23 2006-12-28 International Business Machines Corp. Method and system for establishing a secure connection based on an attribute certificate having user credentials
US7953861B2 (en) 2006-08-10 2011-05-31 International Business Machines Corporation Managing session state for web applications
US8190875B2 (en) 2007-03-22 2012-05-29 Cisco Technology, Inc. Reducing processing load in proxies for secure communications
JP5039146B2 (ja) * 2007-11-07 2012-10-03 Nippon Telegraph and Telephone Corporation Shared key setting method, relay device, and program
CN102026185B (zh) * 2009-09-18 2014-04-09 ZTE Corporation Ticket validity verification method and network signalling node
US10091239B2 (en) * 2012-01-24 2018-10-02 Ssh Communications Security Oyj Auditing and policy control at SSH endpoints
US9026784B2 (en) * 2012-01-26 2015-05-05 Mcafee, Inc. System and method for innovative management of transport layer security session tickets in a network environment
US9176838B2 (en) * 2012-10-19 2015-11-03 Intel Corporation Encrypted data inspection in a network environment
US9124629B1 (en) * 2013-02-11 2015-09-01 Amazon Technologies, Inc. Using secure connections to identify systems
US10178181B2 (en) * 2014-04-02 2019-01-08 Cisco Technology, Inc. Interposer with security assistant key escrow
US9336391B2 (en) * 2014-06-17 2016-05-10 International Business Machines Corporation Verification of intellectual property core trusted state
US9499297B2 (en) * 2014-07-29 2016-11-22 Mott's Llp Carton blank, carton and container package
US10452850B2 (en) 2014-08-18 2019-10-22 International Business Machines Corporation Protected shell for risk validation
US9641590B2 (en) 2014-08-27 2017-05-02 Google Inc. Resuming session states
US9608963B2 (en) 2015-04-24 2017-03-28 Cisco Technology, Inc. Scalable intermediate network device leveraging SSL session ticket extension
JP2017046179A (ja) * 2015-08-26 2017-03-02 Nippon Telegraph and Telephone Corporation Terminal support system and terminal support method
US10887291B2 (en) * 2016-12-16 2021-01-05 Amazon Technologies, Inc. Secure data distribution of sensitive data across content delivery networks

Also Published As

Publication number Publication date
DE112018001559T5 (de) 2019-12-05
CN110622482A (zh) 2019-12-27
GB2577230B (en) 2022-04-13
JP7436210B2 (ja) 2024-02-21
JP2020522164A (ja) 2020-07-27
US10542041B2 (en) 2020-01-21
WO2018220570A1 (en) 2018-12-06
GB201918298D0 (en) 2020-01-29
GB2577230A (en) 2020-03-18
US20180351998A1 (en) 2018-12-06
DE112018001559B4 (de) 2023-09-07

Similar Documents

Publication Publication Date Title
US11985239B2 (en) Forward secrecy in transport layer security (TLS) using ephemeral keys
CN110622482B (zh) Cacheless session ticket support in TLS inspection
US9961103B2 (en) Intercepting, decrypting and inspecting traffic over an encrypted channel
US9774631B2 (en) TLS connection abandoning
US10785198B2 (en) Secure session capability using public-key cryptography without access to the private key
US10547641B2 (en) Transparently converting a TLS session connection to facilitate session resumption
US11102191B2 (en) Enabling single sign-on authentication for accessing protected network services
JP6407926B2 (ja) Encrypted data inspection in a network environment
US11146588B2 (en) Context-based adaptive encryption
CN111819824A (zh) Decrypting transport layer security traffic without a man-in-the-middle proxy
JP2015115893A (ja) Communication method, communication program, and relay device
US10291600B2 (en) Synchronizing secure session keys
US12019778B1 (en) Systems and methods to perform end to end encryption
EP3220604B1 (en) Methods for client certificate delegation and devices thereof
WO2025111130A1 (en) Systems and methods to perform end to end encryption
WO2015022701A2 (en) Method and system of routing and handover of secure communication without knowledge of private/secret key

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant