Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security for data transmitted over the Internet. TLS and SSL utilize asymmetric cryptography for authentication during a key exchange, symmetric cryptography to encrypt application layer data, and message authentication codes (MACs) to ensure the integrity of each transmitted message. Many different versions of TLS and SSL are widely used for a variety of applications, including web browsing, electronic mail, instant messaging and voice-over-IP (VoIP). TLS is an Internet Engineering Task Force (IETF) standards track protocol, which was first defined in IETF Request for Comments (RFC) 2246 as TLS 1.0, updated in IETF RFC 4346 as TLS 1.1, and again updated as TLS 1.2 in both RFC 5246 and RFC 6176. TLS is based upon versions 1.0, 2.0, and 3.0 of SSL.
For the purposes of this disclosure, the term “encryption protocol” is used generically to describe TLS, SSL, or any other cryptographic protocol used for encrypting application layer data sent over a communications network (e.g., the Internet), and the term “encryption layer connection” is used to refer to communications between two electronic devices utilizing an encryption protocol.
Both the TLS and SSL encryption protocols utilize a “handshake” to generate a symmetric (session) key to be used for encrypting application layer data to be transmitted over the encryption layer connection. The handshake may include an exchange of multiple plaintext handshake messages between a client and a server, which results in both the client and the server generating a symmetric key. Then, the handshake terminates with each side transmitting an encrypted “finished” message indicating the completion of the handshake, and the encryption layer connection switches into a data exchange mode, where the client and server exchange encrypted application layer payloads. Accordingly, an “encryption layer connection” transmits “connection records” that include unencrypted handshake records, encrypted handshake records, and encrypted data records.
The Open Systems Interconnection (OSI) model (ISO/IEC 7498-1) was developed to establish standardization for linking heterogeneous communication systems, and describes the flow of information from a software application of a first electronic device to a software application of a second electronic device through a communications network. The OSI model has seven functional layers including a physical layer (layer 1), a data link layer (layer 2), a network layer (layer 3), a transport layer (layer 4), a session layer (layer 5), a presentation layer (layer 6), and an application layer (layer 7). Encryption protocols are typically described as being initialized at layer 5 (the session layer) and then operating at layer 6 (the presentation layer). First, the session layer is utilized to perform a handshake using an asymmetric cipher to establish cipher settings and a shared symmetric (session) key for that communication session (to establish the encryption layer connection). Then, the presentation layer is utilized to encrypt the application layer data for the rest of the communication session (the established encryption layer connection) using a negotiated symmetric cipher and the established shared symmetric key. Some examples of application layer data of application layer protocols that can be encrypted include, but are not limited to, Hypertext Transfer Protocol (HTTP) for web application communication, File Transfer Protocol (FTP) for file transmission, Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) for receiving email, Simple Mail Transfer Protocol (SMTP) for transmitting email, Internet Relay Chat (IRC) for real-time Internet text messaging, Session Initiation Protocol (SIP) for voice and video calling, Network News Transfer Protocol (NNTP) for transporting news articles, Extensible Messaging and Presence Protocol (XIVIPP) for messaging, and Network File System (NFS) for the remote access of files.
Security gateways, such as firewalls and web application firewalls (WAFs), are network security systems that protect software applications (e.g., web application servers) executing on electronic devices (e.g., server end stations) within a network by controlling the flow of network traffic passing through the security gateway. By analyzing packets flowing through the security gateway and determining whether those packets should be allowed to continue traveling through the network, the security gateway can prevent malicious traffic from reaching a protected application. Security gateways may be implemented using a dedicated network device, a shared network device, or another type of electronic device and can be software, hardware, or a combination of both.
Security gateways are sometimes deployed as transparent inline bridges or routers. Transparent inline bridges and routers are placed between clients and servers, but are “transparent” to both the clients and servers. Thus, packets sent by a client to a server will arrive at the security gateway, be analyzed by the security gateway, and be blocked or forwarded on to the server when the packets are deemed acceptable by the security gateway.
Accordingly, in transparent security gateway deployments, a client forms a communication connection directly with the server. Thus, in the case of secure websites using an encryption layer connection, a client forms the encryption layer connection directly with the server.