Title Selective modification of encrypted application layer data in a transparent security gateway
Abstract According to one embodiment, a transparent security gateway is coupled between a client end station (CES) and a web application server (WAS). The security gateway monitors an encryption protocol handshake between the CES and the WAS to capture, using a provided private key of the WAS, a generated symmetric key to be used for an encryption layer connection. Using the captured symmetric key, the security gateway receives an encrypted connection record of the encryption layer connection, decrypts the encrypted connection record to yield a plaintext connection record, modifies the plaintext connection record, encrypts the modified plaintext connection record using the symmetric key, and transmits one or more packets carrying the encrypted modified plaintext connection record instead of the received encrypted connection record, such that neither the CES nor the WAS is aware of the modification of the encrypted data.
Publication number US9553892(B2) Publication date 2017.01.24
Application number US201514833013 Filing date 2015.08.21
Applicant IMPERVA, INC. Inventors Kelson Ido; Babich Dmitry
Classification H04L29/06; H04L29/08 Main classification H04L29/06
Agent Nicholson De Vos Webster & Elliott, LLP Attorney Nicholson De Vos Webster & Elliott, LLP
Main claim 1. A method in a security gateway coupled between a client end station and a web application server (WAS), wherein a protocol stack used between the client end station and the WAS includes an application layer that carries application layer data, an encryption layer under the application layer to carry and encrypt the application layer data, and a transport layer to carry the encryption layer, wherein the encryption layer and the transport layer respectively allow for an encryption layer connection carried over a transport layer connection to be established between the client end station and the WAS to encrypt and transmit application layer data between them, wherein the security gateway includes a transport protocol layer manipulation module capable of making necessary changes at the transport layer to accommodate modifications made to the traffic transmitted between the client end station and the WAS at higher layers of the protocol stack, wherein the changes comprise modifying transport layer headers of packets and generating additional packets to acknowledge or retransmit modified data, the method to improve security through modification in the security gateway of application layer data even though that application layer data was encrypted and transmitted using the encryption layer connection that is between the client end station and WAS and is not terminated by the security gateway, the method comprising:
monitoring, in the security gateway implemented in an electronic device, a handshake between the client end station and the WAS that follows a handshake protocol to establish the encryption layer connection over the transport layer connection, wherein the security gateway is transparent and thus does not terminate the encryption layer connection or the underlying transport layer connection, wherein the handshake is to generate a symmetric key to be utilized by the client end station and the WAS when encrypting and decrypting application layer data to be sent using the encryption layer connection, wherein the monitoring includes the security gateway learning the symmetric key using a private key of the WAS, wherein the monitoring comprises, receiving, at the security gateway, a handshake message sent from the client end station and destined to the WAS over the transport layer connection as part of the handshake, modifying, by the security gateway, the handshake message, wherein the modified handshake message participates in the establishment of the encryption layer connection by the client end station and the WAS, transmitting, to the WAS over the transport layer connection, the modified handshake message as part of the handshake instead of the handshake message, receiving, at the security gateway, an encrypted finished handshake message sent from the client end station and destined to the WAS over the encryption layer connection as part of the handshake, the encrypted finished handshake message being the result of the client end station having encrypted a plaintext finished handshake message, the plaintext finished handshake message being the result of the client end station utilizing a hash function and a plurality of handshake messages received by and transmitted from the client end station during the handshake, generating, by the security gateway, a plaintext modified handshake message by utilizing a hash function and a second plurality of handshake messages received from the client end station and transmitted to the client end station by the security gateway during the handshake, wherein at least one of the second plurality of handshake messages is different than a corresponding at least one of the plurality of handshake messages, and wherein the second plurality of handshake messages include the modified handshake message but not the handshake message, generating, by the security gateway, an encrypted modified finished handshake message by encrypting the generated plaintext modified handshake message, and transmitting, from the security gateway to the WAS over the encryption layer connection, the encrypted modified finished handshake message instead of the encrypted finished handshake message;
receiving, at the security gateway, an encrypted connection record sent from the WAS and destined to the client end station using the encryption layer connection, the encrypted connection record being the result of the WAS having encrypted a plaintext connection record comprising one or more application layer payloads;
generating, by the security gateway, a set of one or more encrypted modified connection records, wherein the generating comprises: decrypting the received encrypted connection record using the symmetric key to yield a plaintext connection record, modifying the plaintext connection record, and encrypting the modified plaintext connection record using the symmetric key; and
transmitting, from the security gateway to the client end station using the encryption layer connection carried on the transport layer connection, the set of encrypted modified connection records generated by the security gateway instead of the encrypted connection record sent by the WAS.
Address Redwood City CA US
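The claim above turns on two operations that a transparent gateway must get right: once it has altered a handshake message, the client's Finished value no longer matches the transcript the WAS saw, so the gateway has to regenerate it from the transcript it actually forwarded; and once it has modified a connection record, the re-encrypted record may change length, which the transport protocol layer manipulation module must absorb in sequence and acknowledgement numbers. The following Python program, added here as an illustration and not code from the patent or from Imperva, simulates both steps with toy stand-ins: an HMAC-SHA256 keystream plus MAC in place of a TLS cipher suite, a SHA-256 transcript hash in place of the TLS PRF, and a constructed master secret, handshake messages and HTTP response. It assumes the gateway already holds the symmetric key it recovered with the WAS private key, as the claim describes.

```python
import hashlib
import hmac
from typing import Dict, List

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to each record in this toy record layer


def expand(secret: bytes, label: bytes, length: int) -> bytes:
    """Toy key expansion: HMAC-SHA256 in counter mode (stand-in for the TLS PRF)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(secret, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    return expand(key, b"stream" + seq.to_bytes(8, "big"), length)


def _mac(key: bytes, seq: int, plaintext: bytes) -> bytes:
    return hmac.new(key, b"mac" + seq.to_bytes(8, "big") + plaintext, hashlib.sha256).digest()


def encrypt_record(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt one connection record: plaintext || MAC, XORed with a per-sequence keystream."""
    body = plaintext + _mac(key, seq, plaintext)
    return bytes(a ^ b for a, b in zip(body, _keystream(key, seq, len(body))))


def decrypt_record(key: bytes, seq: int, ciphertext: bytes) -> bytes:
    """Decrypt and authenticate one record; raises if the MAC does not verify."""
    body = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, seq, len(ciphertext))))
    plaintext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(key, seq, plaintext)):
        raise ValueError("record MAC mismatch")
    return plaintext


def gateway_rewrite_record(key: bytes, seq: int, ciphertext: bytes, rewrite):
    """Decrypt, modify, re-encrypt, and report the byte delta the transport layer must absorb."""
    modified = rewrite(decrypt_record(key, seq, ciphertext))
    new_ciphertext = encrypt_record(key, seq, modified)
    return new_ciphertext, len(new_ciphertext) - len(ciphertext)


def finished_verify_data(master_secret: bytes, label: bytes, transcript: List[bytes]) -> bytes:
    """Finished value over the handshake transcript: HMAC(master, label || H(transcript))."""
    transcript_hash = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(master_secret, label + transcript_hash, hashlib.sha256).digest()[:12]


def demo() -> Dict[str, object]:
    # Constructed: the master secret the gateway derives after recovering the
    # premaster secret with the WAS private key (not a real TLS derivation).
    master_secret = hashlib.sha256(b"constructed-premaster-secret").digest()
    server_write_key = expand(master_secret, b"server write key", 32)

    # Constructed handshake messages; the gateway rewrites the ClientHello it forwards.
    client_hello_orig = b"ClientHello:cipher_suites=[A,B,C]"
    client_hello_mod = b"ClientHello:cipher_suites=[A]"
    server_hello = b"ServerHello:cipher_suite=A"

    # The client computes Finished over what it sent; the WAS verifies over what it received,
    # so the gateway must recompute Finished over the transcript containing the modified message.
    client_finished = finished_verify_data(master_secret, b"client finished", [client_hello_orig, server_hello])
    server_expected = finished_verify_data(master_secret, b"client finished", [client_hello_mod, server_hello])
    gateway_finished = finished_verify_data(master_secret, b"client finished", [client_hello_mod, server_hello])

    # Constructed WAS response record; the gateway strips the Server header before delivery.
    response = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.1\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
    record = encrypt_record(server_write_key, 1, response)
    new_record, delta = gateway_rewrite_record(
        server_write_key, 1, record, lambda p: p.replace(b"Server: Apache/2.4.1\r\n", b""))
    delivered = decrypt_record(server_write_key, 1, new_record)  # what the client decrypts

    return {
        "client_finished": client_finished,
        "server_expected_finished": server_expected,
        "gateway_finished": gateway_finished,
        "delivered_plaintext": delivered,
        "delta": delta,
    }


if __name__ == "__main__":
    r = demo()
    print("client Finished accepted by WAS:", r["client_finished"] == r["server_expected_finished"])
    print("gateway Finished accepted by WAS:", r["gateway_finished"] == r["server_expected_finished"])
    print("delivered:", r["delivered_plaintext"])
    print("TCP sequence delta to apply:", r["delta"])
```

The returned `delta` is negative here because the rewrite removes a header; it is the offset the transport manipulation module applies to the sequence numbers of later server packets and to the acknowledgement numbers the client sends back, so that neither endpoint sees a gap. The Finished comparison is the reason the claim recomputes that message rather than forwarding the client's: any real integrity check over the transcript rejects a handshake whose forwarded messages differ from the ones the client hashed.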