Title: Security enforcement point inspection of encrypted data in an encrypted end-to-end communications path
Abstract: Embodiments of the present invention address deficiencies of the art in respect to security function processing of encrypted data in a security enforcement point and provide a method, system and computer program product for security enforcement point inspection of encrypted data traversing a secure, end-to-end communications path. In an embodiment of the invention, a method for security enforcement point inspection of encrypted data in a secure, end-to-end communications path can be provided. The method can include establishing a persistent secure session with a key server holding a security association (SA) for an end-to-end secure communications path between endpoints, receiving the SA for the end-to-end secure communications path over the persistent secure session, decrypting an encrypted payload for the end-to-end secure communications path using session key data in the SA, and performing a security function on the decrypted payload.
Publication number: US9021250 (B2)    Publication date: 2015.04.28
Application number: US200711738500    Filing date: 2007.04.22
Applicant: International Business Machines Corporation    Inventor: Overby, Linwood H., Jr.
Classification: H04L29/06    Main classification: H04L29/06
Agency: CRGO LAW    Agent: Steven M. Greenberg, Esq.; CRGO LAW
Claim 1: A method for security enforcement point inspection of encrypted data in a secure, end-to-end communications path, the method comprising: identifying a security enforcement point defined between endpoints; establishing a persistent secure session between the identified enforcement point and a key server holding a security association (SA) for an end-to-end secure communications path between the endpoints, such that a separate end-to-end secure communication path exists between the key server and the identified security enforcement point from the end-to-end secure communications path that exists between the endpoints; receiving, at the identified security enforcement point, the SA for the end-to-end secure communications path between the endpoints over the persistent secure session; installing, at the identified security enforcement point, the SA upon receiving the SA; decrypting, at the identified security enforcement point, an encrypted payload for the end-to-end secure communications path between the endpoints using session key data in the SA; and performing, at the identified security enforcement point, a security function on the decrypted payload without requiring knowledge of the endpoints at the identified security enforcement point and also without the endpoints having knowledge of the identified security enforcement point.
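The flow in claim 1, as an added simulation that is not IBM's code or any product implementation: a key server holds the endpoints' SA, an enforcement point opens its own secure session with the key server (a separate path from the endpoint-to-endpoint SA), receives and installs the SA, looks traffic up by SPI alone (no endpoint identity needed, and the endpoints never interact with the inspection point), decrypts the payload with the SA's session key and runs a security function on it. The AEAD here (HMAC-SHA256 keystream with an HMAC tag) is a stand-in for ESP's AES-GCM chosen only so the example runs with the standard library; the SPI value, the `fw-1` enforcement point name and the blocked-pattern policy are constructed for the example.

```python
"""Added example: simulation of SA distribution to an enforcement point and
inspection of encrypted traffic keyed by SPI. Not the patent's own code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in for a real cipher (ESP would use AES-GCM); stdlib only so it runs offline.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, nonce: bytes, pt: bytes) -> tuple:
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_kdf(key, b"enc"), nonce, len(pt))))
    return ct, hmac.new(_kdf(key, b"auth"), nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    exp = hmac.new(_kdf(key, b"auth"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(exp, tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_kdf(key, b"enc"), nonce, len(ct))))


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int      # on-the-wire selector; the only thing the enforcement point keys on
    key: bytes    # session key data carried in the SA


@dataclass(frozen=True)
class Packet:     # ESP-like: (spi, seq) header authenticated, payload encrypted
    spi: int
    seq: int
    ct: bytes
    tag: bytes


def _hdr(spi: int, seq: int) -> bytes:
    return spi.to_bytes(4, "big") + seq.to_bytes(8, "big")


class Endpoint:
    """One end of the protected path. Knows its SA; knows nothing about inspection points."""
    def __init__(self, sa: SecurityAssociation):
        self.sa, self.seq = sa, 0

    def send(self, payload: bytes) -> Packet:
        self.seq += 1
        ct, tag = seal(self.sa.key, _hdr(self.sa.spi, self.seq), payload)
        return Packet(self.sa.spi, self.seq, ct, tag)


class KeyServer:
    """Holds the endpoints' SA plus one long-lived session key per enforcement point."""
    def __init__(self):
        self.sas, self.sessions = {}, {}

    def register(self, sa: SecurityAssociation) -> None:
        self.sas[sa.spi] = sa

    def establish_session(self, ep_id: str) -> bytes:
        # Persistent secure session: a separate path, keyed independently of the endpoint SA.
        self.sessions[ep_id] = secrets.token_bytes(32)
        return self.sessions[ep_id]

    def push_sa(self, ep_id: str, spi: int) -> tuple:
        sa = self.sas[spi]
        nonce = secrets.token_bytes(12)
        ct, tag = seal(self.sessions[ep_id], nonce, sa.spi.to_bytes(4, "big") + sa.key)
        return nonce, ct, tag


class EnforcementPoint:
    def __init__(self, ep_id: str, ks: KeyServer, blocked: list):
        self.ep_id, self.ks, self.blocked, self.sa_table = ep_id, ks, blocked, {}
        self.session_key = ks.establish_session(ep_id)

    def fetch_sa(self, spi: int) -> None:
        nonce, ct, tag = self.ks.push_sa(self.ep_id, spi)
        blob = unseal(self.session_key, nonce, ct, tag)     # received over the secure session
        sa = SecurityAssociation(int.from_bytes(blob[:4], "big"), blob[4:])
        self.sa_table[sa.spi] = sa                          # install on receipt

    def inspect(self, pkt: Packet) -> str:
        sa = self.sa_table.get(pkt.spi)                     # SPI lookup, no endpoint knowledge
        if sa is None:
            return "NO_SA"            # cannot inspect; policy decides fail-open vs fail-closed
        try:
            pt = unseal(sa.key, _hdr(pkt.spi, pkt.seq), pkt.ct, pkt.tag)
        except ValueError:
            return "DROP_BAD_AUTH"    # do not run the security function on unauthenticated bytes
        return "DROP" if any(b in pt for b in self.blocked) else "FORWARD"


def run_demo() -> dict:
    ks = KeyServer()
    sa = SecurityAssociation(spi=0x1001, key=secrets.token_bytes(32))   # constructed SA
    ks.register(sa)
    alice = Endpoint(sa)
    ep = EnforcementPoint("fw-1", ks, blocked=[b"/etc/passwd"])        # constructed policy
    before = ep.inspect(alice.send(b"GET /index.html"))                 # SA not yet installed
    ep.fetch_sa(sa.spi)
    clean = ep.inspect(alice.send(b"GET /index.html"))
    bad = ep.inspect(alice.send(b"GET /../../etc/passwd"))
    p = alice.send(b"GET /x")
    tampered = ep.inspect(Packet(p.spi, p.seq, p.ct[:-1] + bytes([p.ct[-1] ^ 1]), p.tag))
    return {"before_sa": before, "clean": clean, "blocked": bad, "tampered": tampered}
```

Two points the simulation makes explicit that the claim leaves to the implementer: a packet whose SPI has no installed SA cannot be inspected at all, so the enforcement point needs a deliberate fail-open or fail-closed rule for that case; and because the enforcement point now holds the endpoints' session keys, the key server and its persistent session become as sensitive as the endpoints themselves and must be protected accordingly.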
Address: Armonk NY US