Enterprise network internal https service bypass resolution method and system

By employing an IP + port + private key binding mechanism and PRF key derivation in the enterprise network's internal HTTPS service, the high cost and inconvenient management issues of existing technologies are resolved, achieving efficient and secure traffic parsing and a simplified protocol parsing process.

CN122372298APending Publication Date: 2026-07-10JIANGSU FUTURE NETWORKS INNOVATION

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
JIANGSU FUTURE NETWORKS INNOVATION
Filing Date
2026-04-27
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing technologies for analyzing traffic in HTTPS services within enterprise networks require manual or value-added services for statistical analysis, which increases costs, is inconvenient to manage, and lacks efficient resolution solutions.

Method used

It adopts an "IP + port + private key binding" mechanism, and realizes the parsing of HTTPS traffic through a private key management module, a key negotiation module, and a key decryption module. This includes defining a key list, obtaining a private key, parsing random numbers and keys, and performing PRF calculation to obtain plaintext data.

Benefits of technology

It achieves efficient and secure HTTPS traffic decryption, improves query efficiency and system performance, reduces the risk of key leakage, simplifies the protocol parsing process, and is suitable for security analysis scenarios with high throughput and high compliance requirements.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372298A_ABST
    Figure CN122372298A_ABST
Patent Text Reader

Abstract

The application relates to an enterprise network internal https service bypass resolution method and system, which realizes efficient and safe HTTPS traffic decryption through the mechanism of "IP+port+private key binding", accurately matches service instances and decryption keys, and realizes two-stage PRF key derivation, realizes key separation, reduces the probability of systematic risk caused by leakage of a single key, and improves the security and flexibility of key generation. Through optimization of the password generation logic and the decoding logic, the application is more simple and efficient compared with the full-amount https protocol resolution process, and the business processing performance can be effectively improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of computer technology, and in particular relates to a bypass resolution method and system for HTTPS services within an enterprise network. Background Technology

[0002] In current traffic analysis systems, the statistical analysis of external service requests for HTTPS services within an enterprise network can be performed based on a single device management backend. This analysis is generally done manually or through the service's own value-added services, which are usually unrelated to the services provided. Service developers typically do not provide these services unless additional custom development is performed, increasing costs. However, for a traffic analysis system, this requirement is reasonable and legitimate, and it can perform statistical analysis on all HTTPS services within the enterprise network, resulting in significant benefits in terms of both the operational efficiency of management personnel and the reduction of enterprise operating costs.

[0003] Therefore, there is a need for a convenient and efficient solution for resolving HTTPS within an enterprise network, so as to better understand the status of its services without increasing the enterprise's hardware and software costs. Summary of the Invention

[0004] The purpose of this invention is to provide a method and system for bypassing HTTPS service resolution within an enterprise network, so as to provide a basis for better control and decision-making of internal behavior and optimize the configuration of internal services.

[0005] To achieve one of the above-mentioned objectives, one embodiment of the present invention provides a bypass resolution method for HTTPS services within an enterprise network, comprising:

[0006] Step 1: Define a list, where each data entry includes a key consisting of an IP address and a TCP port number, and a corresponding value containing an RSA private key.

[0007] Step 2: Obtain the IP and TCP port information from the TLS traffic, and search in the key list to retrieve the corresponding RSA private key;

[0008] Step 3: Collect random numbers from the client's hello message and from the server's hello message;

[0009] Step 4: Use the password of the RSA private key obtained in Step 2 to parse the pre-master secret of the server to obtain the temporary session key of the client and the server.

[0010] Step 5: Based on the pre-master secret, the random number in the client's hello message, and the random number in the server's hello message, perform pseudo-random number (PRF) calculation to obtain the initialization vector iv;

[0011] Step 6: Based on the initialization vector IV and the temporary session key of the client and server, perform pseudo-random number PRF calculation again to obtain the key for this encryption.

[0012] Step 7: Based on the encryption key used in this step, retrieve the plaintext data from the TLS traffic and complete the parsing.

[0013] As a further improvement to one embodiment of the present invention, step 2 further includes,

[0014] Screen HTTPS traffic to identify TLS traffic and filter out other non-TLS traffic.

[0015] As a further improvement to one embodiment of the present invention, step 2 further includes,

[0016] After retrieving the RSA private key, extract the RSA private key ID and password respectively, and associate them with the flow information of the corresponding TLS traffic.

[0017] As a further improvement to one embodiment of the present invention, after step 2 and before step 3, the method further includes:

[0018] Extract the TLS version of the client and server. If the version is TLS 1.3, terminate the parsing process; otherwise, continue with the subsequent steps.

[0019] As a further improvement to one embodiment of the present invention, after step 2 and before step 3, the method further includes:

[0020] Based on the TLS hello message, the encryption suite is extracted. The encryption suite includes a key exchange encryption algorithm and a message encryption algorithm. If the key exchange encryption algorithm and the message encryption algorithm are not RSA, the parsing process is terminated; otherwise, authentication is performed. If the authentication is successful, the subsequent steps are executed; otherwise, the parsing process is terminated.

[0021] As a further improvement to one embodiment of the present invention, the authentication step includes,

[0022] Extract the certificate using Hello and parse it to obtain the corresponding ID. Compare this ID with the ID of the RSA private key. If the comparison fails, terminate the parsing process; otherwise, continue with the subsequent steps.

[0023] As a further improvement to one embodiment of the present invention, the method further includes,

[0024] The decrypted plaintext data is directly injected into the HTTP protocol parsing engine, maintaining the same processing pipeline as unencrypted HTTP traffic.

[0025] To achieve one of the above-mentioned objectives, an embodiment of the present invention also provides an enterprise network internal HTTPS service bypass resolution system, the system including a private key management module, a key negotiation module, and a key decryption module;

[0026] The private key management module is used to build a managed index. The index defines a list in which each data entry includes a key consisting of an IP address and a TCP port number, and a corresponding value containing an RSA private key.

[0027] The data filtering module is used to identify TLS traffic from HTTPS traffic, obtain the IP and TCP port information, and search the key list to retrieve the corresponding RSA private key;

[0028] The key negotiation module is used to perform a two-stage PRF key derivation based on the server's pre-master secret, the random number in the client's hello message, and the random number in the server's hello message to obtain the key for this encryption.

[0029] The key decryption module is used to retrieve plaintext data from TLS traffic based on the key used for encryption.

[0030] To achieve one of the above-mentioned objectives, an embodiment of the present invention also provides an electronic device, including a memory and a processor, wherein the memory stores a computer program that can run on the processor, and when the program is executed on the processor, it implements the steps in the above-described enterprise network internal HTTPS service bypass resolution method.

[0031] To achieve one of the above-mentioned objectives, an embodiment of the present invention also provides a storage medium storing a computer program, which, when executed by a processor, implements the steps in the bypass resolution of the enterprise network internal HTTPS service as described above.

[0032] Compared with existing technologies, the bypass resolution method and system for HTTPS services within an enterprise network provided by this invention have the following advantages:

[0033] 1. The "IP + port + private key binding" mechanism can accurately match service instances with decryption keys, achieving efficient and secure HTTPS traffic decryption. It locates specific services through IP and port, combines private keys to ensure decryption permissions, supports multiple domain name expansion, improves query efficiency and system performance, facilitates automated key management, and is suitable for passive security analysis scenarios with high throughput and high compliance requirements.

[0034] 2. The two-stage PRF key derivation achieves key separation, reduces the probability of systemic risks caused by the leakage of a single key, and improves the security and flexibility of key generation.

[0035] 3. Under the same effect, by optimizing the password generation and decoding logic, the process is simpler and more efficient than the full HTTPS protocol parsing process, thus improving business processing performance. Attached Figure Description

[0036] Figure 1 This is a flowchart illustrating the method described in this invention. Detailed Implementation

[0037] The present invention will now be described in detail with reference to the specific embodiments shown in the accompanying drawings. However, these embodiments do not limit the present invention, and any structural, methodological, or functional modifications made by those skilled in the art based on these embodiments are included within the scope of protection of the present invention.

[0038] Embodiments of the present invention are described in detail below. Examples of these embodiments are shown in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain the present invention, and should not be construed as limiting the present invention.

[0039] In Embodiment 1 of the present invention, a bypass resolution method for HTTPS services within an enterprise network is provided, such as... Figure 1 As shown, the method includes,

[0040] 1. Define a new HTTPS service key. The key consists of the IP address and TCP port number, and the value contains the RSA private key. Insert the key into the managed key list. You can also delete or update the key from the list.

[0041] 2. Screen incoming and outgoing traffic. First, identify TLS traffic using the application recognition engine and filter out other non-TLS traffic. Use the IP and TCP port information obtained from the acquired TLS traffic to form a key. Use this key to search the key list from step 1. If a match is found, extract the RSA private key, along with its ID and password. These will serve as the basis for subsequent TLS decryption processing and will be associated with the flow information.

[0042] 3. Based on the TLS hello message, extract the cipher suite from the protocol negotiation message. This also allows you to extract the TLS versions of the client and server. If the version is TLS 1.3, terminate the entire TLS parsing process. If the cipher suite's encryption algorithm is not RSA, also terminate the TLS parsing process.

[0043] 4. Extract the key exchange encryption algorithm and message encryption algorithm, and perform authentication. First, use the certificate extracted from the hello message, then use x509 to parse the certificate and extract the ID. Compare this ID with the private key ID. If the comparison fails, the process terminates. Simultaneously, collect random numbers from both the client's and server's hello messages.

[0044] 5. Use RSA cryptography to parse the pre-master secret sent by the server, and obtain the temporary session keys for the client and server respectively. Then, according to the authentication algorithm requirements in step 4, cache the message for calculation. If the authentication is successful, you can continue to the next step. Calculate the intermediate IV value by using PRF with the pre-master secret and the two random numbers collected in step 4.

[0045] 6. After obtaining the IV, perform a second PRF calculation on the IV and the temporary session keys for the client and server obtained in step 5 to obtain the key for this encryption.

[0046] 7. After the aforementioned TLS key negotiation phase, the TLS key is used to decrypt the content. Unlike traditional TCP protocol reassembly, the TLS redocoder needs to obtain enough content based on the TLS protocol identifier length before it can be parsed. Therefore, the content needs to be cached. After caching, the content is parsed and finally sent to the HTTP protocol analysis module for processing.

[0047] 8. To avoid mixing with other unencrypted HTTP protocols, the strategy adopted in this invention is to embed the HTTP parsing module into the HTTPS parsing module, thereby maintaining the consistency of the entire business. Each traffic has only one processing pipeline, and finally the HTTP protocol parsing module completes the output of the entire business.

[0048] In a second embodiment of the present invention, an enterprise network internal HTTPS service bypass resolution system is provided, the system including a private key management module, a key negotiation module, and a key decryption module;

[0049] The private key management module is used to build a managed index. The index defines a list in which each data entry includes a key consisting of an IP address and a TCP port number, and a corresponding value containing an RSA private key.

[0050] The data filtering module is used to identify TLS traffic from HTTPS traffic, obtain the IP and TCP port information, and search the key list to retrieve the corresponding RSA private key;

[0051] The key negotiation module is used to perform a two-stage PRF key derivation based on the server's pre-master secret, the random number in the client's hello message, and the random number in the server's hello message to obtain the key for this encryption.

[0052] The key decryption module is used to retrieve plaintext data from TLS traffic based on the key used for encryption.

[0053] In a third embodiment of the present invention, an electronic device is provided, including a memory and a processor. The memory stores a computer program that can run on the processor. When the program is executed on the processor, it implements the steps in the bypass resolution method for HTTPS services within an enterprise network as described above.

[0054] In Embodiment 4 of the present invention, a storage medium is provided, which stores a computer program. When the computer program is executed by a processor, it implements the steps in the bypass resolution method for HTTPS services within an enterprise network as described above.

[0055] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working process of the modules described above can be referred to the corresponding process in the aforementioned method implementation, and will not be repeated here.

[0056] The modules described as separate components may or may not be physically separate. Similarly, the components shown as modules may or may not be physical modules; they may be located in one place or distributed across multiple network modules. Some or all of the modules can be selected to achieve the purpose of this embodiment, depending on actual needs.

[0057] Furthermore, the functional modules in the various embodiments of this application can be integrated into one processing module, or each module can exist physically separately, or two or more modules can be integrated into one module. The integrated module can be implemented in hardware or in a combination of hardware and software functional modules.

[0058] The integrated modules implemented as software functional modules described above can be stored in a computer-readable storage medium. These software functional modules, stored in a storage medium, include several instructions to cause a computer system (which may be a personal computer, server, or network system, etc.) or processor to execute some steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0059] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.

Claims

1. A bypass resolution method for HTTPS services within an enterprise network, characterized in that: include, Step 1: Define a list, where each data entry includes a key consisting of an IP address and a TCP port number, and a corresponding value containing an RSA private key. Step 2: Obtain the IP and TCP port information from the TLS traffic, and search in the key list to retrieve the corresponding RSA private key; Step 3: Collect random numbers from the client's hello message and from the server's hello message; Step 4: Use the password of the RSA private key obtained in Step 2 to parse the pre-master secret of the server to obtain the temporary session key of the client and the server. Step 5: Based on the pre-master secret, the random number in the client's hello message, and the random number in the server's hello message, perform pseudo-random number (PRF) calculation to obtain the initialization vector iv; Step 6: Based on the initialization vector IV and the temporary session key of the client and server, perform pseudo-random number PRF calculation again to obtain the key for this encryption. Step 7: Based on the encryption key used in this step, retrieve the plaintext data from the TLS traffic and complete the parsing.

2. The method according to claim 1, characterized in that: Step 2 also includes, Screen HTTPS traffic to identify TLS traffic and filter out other non-TLS traffic.

3. The method according to claim 1, characterized in that: Step 2 also includes, After retrieving the RSA private key, extract the RSA private key ID and password respectively, and associate them with the flow information of the corresponding TLS traffic.

4. The method according to claim 1, characterized in that: After step 2 and before step 3, the following steps are also included: Extract the TLS version of the client and server. If the version is TLS 1.3, terminate the parsing process; otherwise, continue with the subsequent steps.

5. The method according to claim 1, characterized in that: After step 2 and before step 3, the following steps are also included: Based on the TLS hello message, the encryption suite is extracted. The encryption suite includes a key exchange encryption algorithm and a message encryption algorithm. If the key exchange encryption algorithm and the message encryption algorithm are not RSA, the parsing process is terminated; otherwise, authentication is performed. If the authentication is successful, the subsequent steps are executed; otherwise, the parsing process is terminated.

6. The method according to claim 5, characterized in that: The authentication steps include, Extract the certificate from Hello and parse it to obtain the corresponding ID. Compare this ID with the ID of the RSA private key. If the comparison fails, terminate the parsing process; otherwise, continue with the subsequent steps.

7. The method for generating pseudo-random numbers based on a hybrid entropy source according to claim 1, characterized in that: The method also includes, The decrypted plaintext data is directly injected into the HTTP protocol parsing engine, maintaining the same processing pipeline as unencrypted HTTP traffic.

8. A system using the method as described in any one of claims 1 to 7, characterized in that: It includes a private key management module, a key negotiation module, and a key decryption module; The private key management module is used to build a managed index. The index defines a list in which each data entry includes a key consisting of an IP address and a TCP port number, and a corresponding value containing an RSA private key. The data filtering module is used to identify TLS traffic from HTTPS traffic, obtain the IP and TCP port information, and search the key list to retrieve the corresponding RSA private key; The key negotiation module is used to perform a two-stage PRF key derivation based on the server's pre-master secret, the random number in the client's hello message, and the random number in the server's hello message to obtain the key for this encryption. The key decryption module is used to retrieve plaintext data from TLS traffic based on the key used for encryption.

9. An electronic device, comprising a memory and a processor, characterized in that: The memory stores a computer program that can run on the processor, and when the program is executed on the processor, it implements the steps of the method as described in any one of claims 1-7.

10. A storage medium storing a computer program, characterized in that: When the computer program is executed by the processor, it implements the steps of the method as described in any one of claims 1-7.