1. Field of the Invention
The present invention is related to the field of networking. In particular, the present invention is related to a method and apparatus for monitoring encrypted communications in a network.
2. Description of the Related Art
Network security is a growing concern of organizations that employ networked computer systems. As a security measure, a corporation may wish to limit the communications between different groups of employees within the organization, may wish to keep individuals within the corporate structure from snooping on the transmissions of other employees within the corporation, or may wish to monitor the content of information that is transmitted between different employees within the corporate network.
A corporation may use a firewall to keep internal network segments secure and insulated from each other. For example, a research or accounting subnet might be vulnerable to snooping from within, and a firewall to prevent snooping may be employed.
A corporation may have in place a network policy (NP) as part of its security measures. A NP may include a communication scheme that defines which computers, or groups of computers, are granted permission to communicate with each other, the type of encryption and authentication algorithms that are used by each computer, and the duration of time during which the encryption and authentication keys are valid. A NP may be installed on a policy server responsible for distributing and managing the NP on all network elements within its jurisdiction.
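The following Python model is an added illustration of such a network policy; it is not from the patent and does not describe the patent's apparatus. Each rule names the pair of groups permitted to communicate, the encryption and authentication algorithm labels (the algorithm names other than DES, the host names, and the group names are constructed placeholders), and a key lifetime. A network element consults the policy to decide whether a flow between two hosts is permitted, denied, or must first renegotiate an expired key.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    """One entry of the communication scheme: which two groups may talk,
    with which algorithms, and how long a negotiated key remains valid."""
    groups: frozenset        # {"research"} intra-group, {"research", "accounting"} across groups
    encryption: str          # algorithm label, e.g. "DES"
    authentication: str      # algorithm label (constructed placeholder name)
    key_lifetime: timedelta  # validity window of the encryption/authentication keys


class NetworkPolicy:
    """Minimal model of a network policy (NP) as distributed by a policy server."""

    def __init__(self, membership: dict, rules: list):
        self.membership = membership            # host -> group
        self.rules = {r.groups: r for r in rules}

    def rule_for(self, src_host: str, dst_host: str):
        """Return the rule governing src<->dst, or None if the pair is not permitted."""
        try:
            pair = frozenset({self.membership[src_host], self.membership[dst_host]})
        except KeyError:
            return None  # host unknown to the policy: no rule can permit it
        return self.rules.get(pair)


def decide(policy: NetworkPolicy, src_host: str, dst_host: str,
           key_issued_at: datetime, now: datetime) -> str:
    """Decision a network element makes for one flow: permit, deny, or rekey."""
    rule = policy.rule_for(src_host, dst_host)
    if rule is None:
        return "deny"
    # Keys are only valid inside the window the policy assigns to this rule.
    if now < key_issued_at or now >= key_issued_at + rule.key_lifetime:
        return "rekey"
    return "permit"


# Constructed sample policy (host, group and algorithm labels are placeholders).
MEMBERSHIP = {
    "host-203": "research",
    "host-205": "research",
    "host-204": "accounting",
    "host-206": "sales",
}
RULES = [
    Rule(frozenset({"research"}), "DES", "hmac-sha1", timedelta(hours=8)),
    Rule(frozenset({"research", "accounting"}), "DES", "hmac-sha1", timedelta(hours=1)),
]
POLICY = NetworkPolicy(MEMBERSHIP, RULES)

if __name__ == "__main__":
    issued = datetime(2024, 1, 1, 9, 0)
    later = issued + timedelta(hours=2)
    print(decide(POLICY, "host-203", "host-205", issued, later))  # permit (8h key)
    print(decide(POLICY, "host-203", "host-204", issued, later))  # rekey (1h key expired)
    print(decide(POLICY, "host-203", "host-206", issued, later))  # deny (no research/sales rule)
```

Rules are keyed on the unordered set of the two groups, so a single rule covers both directions of a flow; a policy that needs direction-specific rules would key on an ordered pair instead.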
Traditionally, a secret-key algorithm such as the Data Encryption Standard (DES), which is well known in the art, has been used to encrypt data. FIG. 1 illustrates a network element 203 transmitting an email message and another network element 204 receiving the transmitted message, both using the same key to encrypt and decrypt messages. However, transmitting the secret key to the recipient poses a problem because the method employed in transferring the key from the sender to the receiver may not be secure. Moreover, even if a secure method were available to transmit the secret key from network element 203 to network element 204, network monitoring element 202 would be unable to monitor the encrypted communications between them because it would not be in possession of the key. Alternatively, a corporation may use a public-key cryptography method, also well known in the art. This method uses both a private and a public key. Each recipient has a private key that is kept secret and a public key that is published. The sender looks up the recipient's public key and uses it to encrypt the message. The recipient uses the private key to decrypt the message. Thus, the private keys are never transmitted and are thereby kept secure. In this method too, a network monitoring element such as a network administrator will be unable to monitor the encrypted communications between two computers on the network, as the network monitoring element is not in possession of the key that is needed to decrypt the data. The prior art fails to describe a method or an apparatus for monitoring encrypted communications in a network, by a network administrator or by a network element such as another computer that has the authority to do so.
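The following Python script is an added illustration of the secret-key situation described above; it is not code from the patent. Elements 203 and 204 share a key, while monitoring element 202 holds only a key of its own. In place of DES it uses a constructed encrypt-then-MAC scheme built from the standard library (an HMAC-SHA256 keystream in counter mode plus an HMAC tag), which is illustrative only and not a production cipher; the point it shows is that a party without the shared key recovers nothing, and that the authentication tag also rejects any altered message.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def subkey(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and authentication keys from one shared secret."""
    return hmac.new(master, label, hashlib.sha256).digest()


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 run in counter mode. A constructed stand-in
    for a secret-key cipher such as DES; illustrative only."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(shared_key: bytes, plaintext: bytes) -> bytes:
    """Sender side (element 203): encrypt-then-MAC under the key shared with 204."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(subkey(shared_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(subkey(shared_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, message: bytes):
    """Recipient (or monitor) side: returns the plaintext, or None when the key
    is wrong or the message was altered, because the tag then fails to verify."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = keystream(subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def simulate(message: bytes) -> dict:
    """Elements 203 and 204 share a key; monitoring element 202 holds only its
    own key. Returns what each party recovers from the same wire message."""
    shared_key = os.urandom(32)   # constructed: assumed delivered to 204 securely
    monitor_key = os.urandom(32)  # constructed: 202 never receives shared_key
    wire = encrypt(shared_key, message)
    return {
        "recipient_204": decrypt(shared_key, wire),
        "monitor_202": decrypt(monitor_key, wire),
    }


if __name__ == "__main__":
    result = simulate(b"quarterly numbers attached")
    print("204 recovers:", result["recipient_204"])  # the plaintext
    print("202 recovers:", result["monitor_202"])    # None: no key, no access
```

Because the monitor's only way to read the traffic is to hold the same key as the recipient, the scheme offers no middle ground between "every holder of the key can read everything" and "nobody but the endpoints can read anything", which is the gap the paragraph attributes to the prior art.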