A method and device for tls scanning

This TLS-scanning patent, in the field of network devices and RSA algorithm technology, addresses problems of existing server-side scanning such as low efficiency, lack of support for client authentication and lack of support for certain algorithms, and achieves improved processing performance together with efficient support for those algorithms and/or client authentication.

Active Publication Date: 2016-06-15
HUAWEI TECH CO LTD
4 cites, 0 cited by

AI Technical Summary

Problems solved by technology

[0004] When performing server-side scanning, the prior art may not support a certain algorithm, or may not support client authentication, or, although the algorithm can be supported, the efficiency is not high.

Examples


Embodiment 1

[0048] Figure 4 is a schematic diagram of the interaction between the client, the agent and the server when the export RSA algorithm without ServerKeyExchange or the standard RSA algorithm without ServerKeyExchange is supported. Referring to Figure 4, the TLS scanning method provided in this embodiment may include:

[0049] Deploy the server certificate on the proxy.

[0050] When the agent receives the ServerHello message, it checks the cipher_suite (cipher suite) field in ServerHello to determine whether the key exchange algorithm is the RSA algorithm or the export RSA (RSA_Export) algorithm.

[0051] If the agent determines that the key exchange algorithm is the RSA algorithm or the export RSA algorithm and does not receive a ServerKeyExchange message, the agent works in the monitoring mode and does not modify any messages. At this time, the specific process of interaction between the client, the agent and the server is as shown in Figure 4.

[0052] When the agent receives the ClientKeyExchange message...

Embodiment 2

[0056] Figures 5 and 6 are schematic diagrams of the interaction between the client, the proxy and the server when the DH algorithm is supported. The TLS scanning method provided in this embodiment may include:

[0057] Deploy the server certificate on the proxy.

[0058] When the agent receives the ServerHello, it confirms whether it is the RSA algorithm or the export RSA algorithm.

[0059] If it is the RSA algorithm or the export RSA algorithm, and the ServerKeyExchange message is not received, the agent works in the monitoring mode and does not modify any messages. The agent obtains the pre-master key by decrypting the ClientKeyExchange message, and derives the session key according to the TLS standard to decrypt subsequent TLS record messages. The process ends.

[0060] If it is a DH algorithm, the agent works in proxy mode and regenerates a new ServerHello or ServerKeyExchange message. The agent can make this selection according to local policy.

[0061] Specifi...

Embodiment 3

[0096] Figure 7 is a schematic diagram of the interaction between the client, the agent and the server when the export RSA algorithm with ServerKeyExchange or the non-standard RSA algorithm with ServerKeyExchange is supported. Referring to Figure 7, the TLS scanning method provided in this embodiment may include:

[0097] Deploy the server certificate on the proxy.

[0098] When the agent receives the ServerHello, it confirms whether it is the RSA algorithm or the export RSA algorithm.

[0099] If it is the RSA algorithm or the export RSA algorithm, and the ServerKeyExchange message is not received, the agent works in the monitoring mode and does not modify any messages. The agent obtains the pre-master key by decrypting the ClientKeyExchange message, and derives the session key according to the TLS standard to decrypt subsequent TLS record messages. The process ends.

[0100] If the agent receives the export RSA algorithm or the RSA algorithm in ServerHello, and receives the Serve...
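As an added illustration (not code from the patent), the mode-selection step shared by the three embodiments above, in Python: parse the cipher_suite out of a constructed ServerHello record, classify its key exchange, and choose monitoring mode only for RSA or export RSA without a ServerKeyExchange, proxy mode otherwise. The cipher-suite ID tables are a small standard IANA subset assumed here, since the patent names no specific suites.

```python
import struct

# Standard IANA cipher-suite IDs grouped by key exchange (assumed subset;
# the patent text itself names no concrete suite values).
RSA_SUITES = {0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}     # TLS_RSA_WITH_*
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008}                    # TLS_RSA_EXPORT_*
DH_SUITES = {0x0033, 0x0039, 0x0067, 0x006B, 0x009E, 0x009F}    # TLS_DHE_RSA_WITH_*


def key_exchange(suite):
    """Map a cipher_suite value to the key-exchange class the agent cares about."""
    if suite in RSA_EXPORT_SUITES:
        return "RSA_Export"
    if suite in RSA_SUITES:
        return "RSA"
    if suite in DH_SUITES:
        return "DH"
    return "unknown"


def parse_server_hello(record):
    """Return the cipher_suite from a TLS record carrying a ServerHello."""
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != 22:                      # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if body[0] != 2:                            # 2 = server_hello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ProtocolVersion(2) Random(32) SessionID<0..32> CipherSuite(2) Compression(1)
    sid_len = hello[34]
    off = 35 + sid_len
    return struct.unpack("!H", hello[off:off + 2])[0]


def select_mode(record, saw_server_key_exchange):
    """Agent decision from paragraphs [0050]-[0051] / [0059]-[0060]."""
    kx = key_exchange(parse_server_hello(record))
    if kx in ("RSA", "RSA_Export") and not saw_server_key_exchange:
        return "monitor"      # pass messages through, decrypt with the deployed key
    return "proxy"            # DH, or RSA with a ServerKeyExchange: rewrite handshake


def build_server_hello(suite, session_id=b""):
    """Construct a minimal TLS 1.2 ServerHello record for testing (constructed input)."""
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```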


Abstract

The embodiments of the invention provide a TLS (Transport Layer Security) scanning method, relating to the field of encrypted communication. During server-side scanning, the method can efficiently support various algorithms and/or client authentication. The method comprises the following steps: a proxy receives a server initial message sent by a server, wherein the server initial message comprises the algorithm selected by the server; and the proxy selects a working mode according to the algorithm selected by the server, wherein the working modes comprise a monitor mode and a proxy mode, so as to support the algorithm selected by the server and/or client authentication; the proxy does not change any message in the monitor mode and changes messages in the proxy mode. The embodiments of the invention further provide a corresponding network device.

Description

Technical field

[0001] The present invention relates to the field of encrypted communication, in particular to a method and device for TLS (Transport Layer Security) scanning.

Background technique

[0002] TLS is a widely used identity authentication and secure transmission protocol. A session key shared by both parties is obtained through identity authentication and is used for subsequent encryption and authentication of the communication content.

[0003] TLS is now increasingly used to encrypt applications on the web. While TLS protects the confidentiality and integrity of these applications, it also brings some problems. Some application-layer attack traffic is encrypted by TLS, so that IPS (Intrusion Prevention System) devices cannot detect it. For example, an IPS can do nothing about an attack on an encrypted website.

[0004] When performing server-side scanning in the prior art, a certain algorithm may not be s...


Application Information

Patent Type & Authority Patents(China)
IPC IPC(8): H04L29/06
Inventor 朱贤
Owner HUAWEI TECH CO LTD