The encryption of data that is transmitted through the Internet has become common place. Data messages may be encoded by a protocol known as SSL (Secure Socket Layer) which is intended to render the encoded data unintelligible to any recipient or eavesdropper, unless they are in possession of the key (decryption key) necessary for decoding the data. SSL was developed by Netscape Communications Corporation for securing data transmission in commercial transactions on the Internet. Using public-key cryptography, SSL provides server authentication, data encryption, and data integrity for client/server communications.
The SSL protocol has evolved over the years, and has become standardized, the term “SSL” being generally used to refer to any version of the protocol. The specification of a recent version of SSL may be found in the IETF (Internet Engineering Task Force) document RFC (Request For Comment) 4346, entitled “The Transport Layer Security (TLS) Protocol Version 1.1” [1]. The TLS protocol is thus a recent specification of the SSL protocol.
Briefly, the SSL includes a handshake protocol for setting up an encrypted session, methods for the authentication of messages, and methods for encrypting/decrypting the data.
The Internet also has become a place over which unwanted, potentially harmful, and otherwise unsolicited data traffic is transmitted. This phenomenon has given rise to an industry providing various tools for “defending” networks, servers and computer work stations against such traffic, while allowing legitimate traffic to pass unhindered. A “firewall” is typically software that is installed in a network node; traffic passing through a firewall is inspected by inspecting each packet and applying a set of rules to determine whether the packet should pass or be stopped. A firewall may be implemented in a networked computer such as a server or a work station, as well as in dedicated nodes such as network access nodes and routers.
The functionality of a firewall may range from simple address filtering in which packets with predetermined source addresses or ranges of addresses are discarded, to more complex processes which include: discriminating traffic on the basis of the protocol, for example ICMP (Internet Control Message Protocol), UDP (User Datagram Protocol), TCP (Transmission Control Protocol), etc; filtering based on source and destination ports of each packet; tracking the connection state to determine protocol violations; and the like. Even more sophisticated filtering may be done on the basis of the message content itself, so called “deep” packet inspection.
An added complication arises when the firewall is also required to guard against, and identify for discarding, unwanted messages that are encrypted. In the case of a network node that is flooded with a large amount of unwanted messages that are encrypted, it is very important to ensure that the filtering of such messages is performed efficiently and expeditiously. When deep packet inspection is required, each session comprising a stream of ultimately perhaps unwanted packets must first be set up according to the specified protocol, and packets decrypted correctly before a decision regarding the session's validity can be made.
While the specification, as well as much of the necessary software to handle SSL, are publicly available, the existing software is designed to deal with the traditional case of server to client communication, but is inadequate to process unwanted traffic efficiently enough to be used in a firewall that includes deep packet inspection.
Consequently there is a need for the development of improved techniques to efficiently enable monitoring the packet payload contents of encrypted data traffic, for example, for the purpose of monitoring and filtering of unwanted data traffic.