Data-level access control in secure network environment

IP.com Disclosure Number: IPCOM000249996D
Publication Date: 2017-May-15
Document File: 6 page(s) / 204K

Publishing Venue: The IP.com Prior Art Database

This is the abbreviated version, containing approximately 22% of the total text.

Disclosed is a method for data-level access control of secure Transport Layer Security (TLS) network traffic in which an intercepting server agent (ISA) resides on the server, synchronously intercepts the TLS RSA "Client key exchange" message at the kernel level of the server operating system, decrypts it with the server private key, and immediately re-encrypts it in place with the public key of the external security mechanism (ESM).
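The re-encryption step the abstract describes, as an added example in Go that is not code from the disclosure: it assumes an RSA key-exchange cipher suite, a 48-byte TLS 1.2 premaster secret, and freshly generated 2048-bit server and ESM keys, and shows that the ESM recovers the client's premaster while the message keeps its original length.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// TLS-style premaster secret: 2 version bytes (assumed TLS 1.2) + 46 random
// bytes; it doubles as the random fallback RFC 5246 prescribes on bad padding.
func randomPremaster() []byte {
	pms := make([]byte, 48)
	pms[0], pms[1] = 0x03, 0x03
	rand.Read(pms[2:]) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	return pms
}

// ISA step from the abstract: recover the premaster from the RSA ClientKeyExchange
// body with the server key and immediately encrypt it for the ESM key. The
// session-key API forwards the random fallback on bad padding instead of an error.
func ReEncryptClientKeyExchange(serverPriv *rsa.PrivateKey, esmPub *rsa.PublicKey, cke []byte) ([]byte, error) {
	pms := randomPremaster()
	if err := rsa.DecryptPKCS1v15SessionKey(rand.Reader, serverPriv, cke, pms); err != nil {
		return nil, err
	}
	return rsa.EncryptPKCS1v15(rand.Reader, esmPub, pms)
}

// Client -> ISA -> ESM with fresh keys; "in place" needs equal server/ESM modulus sizes.
func RoundTrip() (bool, error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	esmKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		return false, fmt.Errorf("keygen: %v / %v", err, err2)
	}
	pms := randomPremaster()
	cke, err := rsa.EncryptPKCS1v15(rand.Reader, &serverKey.PublicKey, pms) // client
	if err != nil {
		return false, err
	}
	forESM, err := ReEncryptClientKeyExchange(serverKey, &esmKey.PublicKey, cke) // ISA
	if err != nil {
		return false, err
	}
	got := randomPremaster() // ESM side, same random-fallback discipline
	if err := rsa.DecryptPKCS1v15SessionKey(rand.Reader, esmKey, forESM, got); err != nil {
		return false, err
	}
	return string(got) == string(pms) && len(forESM) == len(cke), nil
}
```

This step exists only for RSA key-exchange suites: (EC)DHE suites and TLS 1.3 never carry the premaster secret in the ClientKeyExchange message, so the ESM cannot derive session keys this way for them.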

Many organizations protect sensitive information with external security mechanisms (ESMs) that intercept and analyze network traffic between the client application and the server. In a data-level access control system (DLACS), the core functions of such an ESM are to: 1) extract the requests sent by the client application to the server from the intercepted network packets, 2) parse these requests, and 3) check the request content for violations of the ESM security policies. If the DLACS ESM detects a security policy violation, it prevents the data from reaching its destination.

Secure network traffic follows the Transport Layer Security (TLS) protocol. TLS is currently the most common and widely approved way of securing communication between networks. TLS network packets are encrypted, so in a DLACS a lightweight intercepting server agent (ISA) is used to intercept the encrypted (TLS) network packets.

In one implementation, the ISA resides on the server and hooks the invocation of cryptographic operations at the server tier where incoming data are decrypted and outgoing data are encrypted. The ISA intercepts plaintext data without disrupting the main flow, because it returns control to the original cryptographic operation without changing the data flow. The ISA groups intercepted plaintext data into sessions using the session identifier available at the cryptographic tier, encrypts the intercepted plaintext data, and forwards it to an ESM for further analysis.

The ISA intercepts all requests exchanged between the client application and the server at the cryptographic method invocation (secured access) level. The ISA is not aware of the application protocol; it forwards intercepted requests over the network for further analysis at the ESM, which resides outside the server. The ISA holds the client request and waits for a decision (verdict) from the ESM. The ESM extracts information about the accessed data and validates it against the session security policies. If a security policy is violated, the ESM responds to the ISA with the command "stop request", which means that the ISA must interrupt the request to the server. If no security policy is violated, the ESM responds to the ISA with the command "allow", which means that the ISA must release the client request to the server.

The main problem with this DLACS approach is that hooking cryptographic operation invocation requires a specific approach for each server type and depends on the server version. Such a DLACS implementation is complex and not always feasible. The method (Fig. 1) is not efficient because it requires a...