Apparatus and method for adapting authorization information for a terminal

11159492 · 2021-10-26

Abstract

An apparatus for adapting authorization information for a terminal is provided. The apparatus has a communication unit for communicating with the terminal, the communication unit being configured to carry out the communication as a test communication using an encryption protocol, a checking unit for checking a configuration of the encryption protocol on the terminal, and a control unit for adapting the authorization information for the terminal on the basis of a result of the check. A corresponding method for adapting authorization information for a terminal is also proposed. The proposed apparatus makes it possible to check the options supported by a terminal in an encryption protocol. In this case, the check can be carried out, in particular, using an encrypted communication connection which could not be monitored by a firewall.

Claims

1. An apparatus for changing authorization information for a terminal, the apparatus comprising: a hardware communication unit configured to transmit a test communication using an encryption protocol to the terminal before a communication between the terminal and second terminal or during a communication between the terminal and a second terminal by interrupting the communication between the terminal and the second terminal, such that in response to the test communication, the terminal transmits an item of information relating to the supported encryption protocol options or a configuration of the encryption protocol that will be used by the terminal to communicate with the second terminal, or that the terminal is currently using to communicate with the second terminal; a hardware checking unit configured to receive from the terminal the item of information relating to the supported encryption protocol options or the configuration of the encryption protocol on the terminal that will be used by the terminal to communicate with the second terminal, or that the terminal is currently using to communicate with the second terminal, wherein, during the test communication, the hardware checking unit is further configured to perform a comparison of the item of information relating to the supported encryption protocol options or the configuration of the encryption protocol on the terminal that will be used by the terminal to communicate with the second terminal, or that the terminal is currently using to communicate with the second terminal, with predefined permissible and impermissible encryption protocol options according to a predefined security policy; and a hardware control unit configured to change at least one of types of communication for which the terminal is allowed, communication partners with which the terminal is allowed to communicate, and configuration of the encryption protocol used by the terminal, based on whether the item of information relating to the supported options or the configuration of the encryption protocol on the terminal includes permissible or impermissible encryption protocol options of the predefined security policy, and block, restrict, abort, or enable communication between the terminal and the second terminal based on the change, wherein the apparatus is configured to exit the communication path with the terminal after blocking, restricting, aborting, or enabling the communication between the terminal and the second terminal.

2. The apparatus as claimed in claim 1, wherein the encryption protocol is a transport layer security protocol or a secure socket layer protocol.

3. The apparatus as claimed in claim 1, wherein the hardware control unit is configured to output a warning signal when a configuration of the encryption protocol on the terminal is identified by the apparatus as being a predefined impermissible encryption protocol option, during the test communication.

4. The apparatus as claimed in claim 1, wherein the second terminal is external to a network of the terminal, and wherein the hardware control unit is configured to transmit the changed at least one of types of communication for which the terminal is allowed, communication partners with which the terminal is allowed to communicate, and configuration of the encryption protocol used by the terminal to a firewall apparatus such that the firewall apparatus blocks, restricts, or enables communication between the terminal and the second terminal based on the at least one of types of communication for which the terminal is allowed, communication partners with which the terminal is allowed to communicate, and configuration of the encryption protocol used by the terminal based on a result of the comparison.

5. The apparatus as claimed in claim 1, wherein the hardware communication unit is configured to set up the test communication to the terminal using the encryption protocol.

6. The apparatus as claimed in claim 5, wherein the hardware communication unit is configured to receive an initiation message from the terminal and to set up the test communication to the terminal using the encryption protocol after the initiation message has been received.

7. The apparatus as claimed in claim 5, wherein the hardware communication unit is configured to set up the test communication to a plurality of ports of the terminal using the encryption protocol.

8. The apparatus as claimed in claim 1, wherein the hardware communication unit is configured to conclude the test communication after the check has been concluded.

9. The apparatus as claimed in claim 1, wherein the configuration of the encryption protocol contains guidelines, cryptographic parameters and/or protocol options.

10. A network system comprising: at least one terminal; and at least one apparatus as claimed in claim 1, wherein the predefined security policy defines security policy of the network system.

11. The apparatus for adapting authorization information for a terminal of claim 1, wherein the hardware checking unit is configured to determine, based on the configuration of the encryption protocol used by the terminal, whether cipher suites which are used for backwards compatibility are supported by the terminal, and wherein the change prevents cipher suites which are used for backwards compatibility being used by the terminal.

12. The apparatus for adapting authorization information for a terminal of claim 1, wherein the predefined impermissible encryption protocol options include non-secure configuration of the encryption protocol used by the terminal according to the predefined security policy.

13. The apparatus for adapting authorization information for a terminal of claim 1, wherein the apparatus is configured to determine the predefined permissible and impermissible encryption protocol options before transmitting the test communication to the terminal, wherein the predefined permissible and impermissible encryption protocol options of the encryption protocol include accepted authentication methods, accepted message integrity protections, accepted message confidentiality, and accepted cryptographic parameters.

14. A method for changing authorization information for a terminal, comprising: transmitting a test communication to the terminal using an encryption protocol before a communication between the terminal and second terminal or during a communication between the terminal and a second terminal by interrupting the communication between the terminal and the second terminal; receiving, in response to the test communication, from the terminal an item of information relating to the supported encryption protocol options or a configuration of the encryption protocol that will be used by the terminal to communicate with the second terminal, or that the terminal is currently using to communicate with the second terminal; performing a comparison during the test communication of the item of information relating to the supported encryption protocol options or the configuration of the encryption protocol that will be used by the terminal to communicate with the second terminal, or that the terminal is currently using to communicate with the second terminal with predefined permissible and impermissible options of the encryption protocol according to a predefined security policy for communication between the terminal and the second terminal; changing at least one of types of communication for which the terminal is allowed, communication partners with which the terminal is allowed to communicate, and the configuration of the encryption protocol used by the terminal, based on whether the item of information relating to the supported options or the configuration of the encryption protocol on the terminal includes permissible or impermissible options of the encryption protocol according to the predefined security policy, blocking, restricting, aborting, or enabling; and enabling or aborting a communication between the terminal and the second terminal based on the change; and exiting the communication path with the terminal after blocking, restricting, aborting, or enabling the communication between the terminal and the second terminal.

15. A computer program product which causes the method as claimed in claim 13 to be carried out on a program-controlled device.

16. The method for adapting authorization information for a terminal of claim 14, wherein the method includes determining, based on the configuration of the encryption protocol used by the terminal, whether cipher suites which are used for backwards compatibility are supported by the terminal, and performing the changing such that cipher suites which are used for backwards compatibility cannot be used by the terminal.

17. The method for adapting authorization information for a terminal of claim 14, wherein the predefined impermissible encryption protocol options include non-secure configuration of the encryption protocol used by the terminal according to the predefined security policy.

18. The method for adapting authorization information for a terminal of claim 14, including determining the predefined permissible and impermissible options of the encryption protocol before transmitting the test communication to the terminal, wherein the predefined permissible and impermissible options of the encryption protocol include accepted authentication methods, accepted message integrity protections, accepted message confidentiality, and accepted cryptographic parameters.

19. An apparatus for changing authorization information for a terminal, the apparatus comprising: a hardware communication unit configured to interrupt a communication between the terminal and a second terminal such that a connection between the terminal and second terminal is diverted to the apparatus, wherein the hardware communication unit is configured to transmit a test communication using an encryption protocol to the terminal after the connection is diverted to the apparatus, such that the terminal transmits information about the configuration of the encryption protocol used by the terminal to the apparatus; a hardware checking unit configured to receive from the terminal the configuration of the encryption protocol on the terminal, and perform a comparison of the configuration of the encryption protocol used by the terminal with predefined permissible and impermissible encryption protocol options according to a predefined security policy during the test communication; and a hardware control unit configured to change at least one of types of communication for which the terminal is allowed, communication partners with which the terminal is allowed to communicate, and configuration of the encryption protocol used by the terminal, based on whether the item of information relating to the supported options or the configuration of the encryption protocol on the terminal includes permissible or impermissible options of the predefined security policy, wherein the hardware control unit is configured to enable the communication between the terminal and second terminal based on the change of the at least one of types of communication for which the terminal is allowed, communication partners with which the terminal is allowed to communicate, and configuration of the encryption protocol used by the terminal based on a result of the comparison when the hardware checking unit identifies that permissible options are supported by the terminal, and wherein the hardware control unit is configured to abort the communication between the terminal and the second terminal based on the change of the at least one of types of communication for which the terminal is allowed, communication partners with which the terminal is allowed to communicate, and configuration of the encryption protocol used by the terminal based on a result of the comparison when the hardware checking unit identifies that impermissible options are supported by the terminal, wherein the apparatus is configured to exit the communication path with the terminal after enabling or aborting the communication between the terminal and the second terminal.

Description

BRIEF DESCRIPTION

(1) Some of the embodiments will be described in detail, with reference to the following figures, wherein like designations denote like members, wherein:

(2) FIG. 1 shows a schematic block view of an exemplary embodiment of an apparatus for adapting authorization information for a terminal;

(3) FIG. 2 shows an exemplary embodiment of a network system having two apparatuses for adapting authorization information for a terminal;

(4) FIG. 3 shows a schematic flowchart of an exemplary embodiment of a method for adapting authorization information for a terminal; and

(5) FIG. 4 shows another schematic flowchart of an exemplary embodiment of a method for adapting authorization information for a terminal.

DETAILED DESCRIPTION

(6) In the figures, identical or functionally identical elements have been provided with the same reference symbols unless indicated otherwise.

(7) FIG. 1 shows an apparatus 10 for adapting authorization information for a terminal 20 in a network system 100. The apparatus 10 has a communication unit 11, a checking unit 12 and a control unit 13.

(8) The communication unit 11 communicates with the terminal 20. In this case, test communication is carried out using an encryption protocol.

(9) During the test communication, the checking unit 12 checks the configuration of the encryption protocol present on the terminal 20. In this case, the checking unit 12 can compare this configuration with predefined guidelines or policies which are intended to be complied with.

(10) The control unit 13 can finally adapt authorization information for the terminal 20 on the basis of a result of the check.

(11) The apparatus 10 makes it possible to check configurations of terminals 20, in particular of the TLS protocol. For this purpose, a test connection to the unit under test is set up. The supported options or the configuration can therefore be checked easily. They can also be captured when the authentication, key agreement and negotiation of options are carried out via an encrypted communication connection and therefore cannot be monitored by an intermediate node such as a firewall.

(12) The check by the apparatus 10 can be carried out at any desired times and not only when actually setting up a connection. In addition, there is no need for any specific software component on the component 20 being checked for this purpose since the existing functionality is used directly via the connection set-up. The results of the verification can be used, for example, as part of NAC measures (remediation).

(13) The apparatus 10 can also check special policies. TLS, for example, also implements prioritization using the order of the stated cipher suites. This can be tested by the apparatus 10 or the checking unit 12. It is likewise possible to test whether cipher suites which are used for backwards compatibility, or which have not been explicitly switched off, are supported. Such weaknesses are exploited, for example, by attacks such as FREAK or Logjam.

(14) FIG. 2 shows an exemplary structure of a network system 100. In this case, a plurality of server components are available as terminals 20 in a network for particular applications. The apparatus 10 may be available as a permanent device or else temporarily as a mobile device in the network 100.

(15) In this case, the apparatus 10 is configured using the local security policy of the network 100. It can derive this from the engineering data, for example in the case of an industrial installation. In an office network, corresponding policies can be queried using a group policy server in a domain.

(16) In another configuration, the apparatus 10 can also be a functionality of a policy enforcement server in the network 100. Depending on the compliance with a security policy, the apparatus 10 can dynamically reconfigure the infrastructure component closest to the test object 20, for example a switch or router, in order to enforce the policy for the test object 20. For this purpose, the test object 20 can be moved, for example, to a separate VLAN (virtual local area network), as is known from the NAC (network access control, also network admission control) approaches. In networks which are configured using software defined networking (SDN), this shift can be carried out by the SDN controller.

(17) On the basis of this security policy, the apparatus 10 now sets up a TLS connection (or a connection using a corresponding different security protocol) in order to query the security settings of the server component 20 being tested as part of the protocol handshake and to compare them with the present policy.

(18) FIG. 3 shows a method for adapting authorization information for a terminal 20. The method has the steps 301 to 303.

(19) In step 301, communication with the terminal 20 is carried out, communication being carried out as test communication using an encryption protocol.

(20) In step 302, the configuration of the encryption protocol on the terminal 20 is checked.

(21) In step 303, the authorization information for the terminal 20 is finally adapted on the basis of a result of the check.

(22) FIG. 4 shows an exemplary detailed sequence of the method for adapting the authorization information.

(23) In step 401, the apparatus 10 is started.

(24) In step 402, the security policy of the network 100 is first of all queried.

(25) In step 403, the terminal 20 is started and an initial message is transmitted to it in step 404.

(26) The configuration is checked here in two steps.

(27) First of all, a message is received from the terminal 20 in step 405. This message is checked for a protocol version used, a cipher suite or other protocol features.

(28) Step 406 determines whether the determined information corresponds to the security policy of the network 100. If this is not the case, the method continues with step 407 in which an alarm signal is output, for example.

(29) If the determined information corresponds to the security policy of the network 100, the method continues with step 408 and now checks the TLS handshake messages. These can be checked for Diffie-Hellman parameters, for example.

(30) Step 409 now again determines whether the determined information corresponds to the security policy of the network 100. If this is not the case, the method continues with step 407.

(31) If the determined information corresponds to the security policy of the network 100, the method continues with step 410 and adapts the authorization information for the terminal 20.

(32) The adaptation in step 410 is also carried out after a warning signal has been output in step 407.

(33) The method ends in step 411.
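The two-stage check of steps 405 to 410, together with the cipher-suite prioritization and backwards-compatibility tests of paragraph (13), as an added Python example that is not part of the patent and does not describe any particular product. The policy values, the small cipher-suite name table, the quarantine VLAN name and the sample ServerHello messages are all constructed for the example; cipher-suite spellings follow OpenSSL naming, and the numeric codes are the IANA TLS cipher-suite identifiers. The example assumes the test communication yields one ServerHello per probe, in the order the terminal prefers its suites, and that a Diffie-Hellman group size has been read from the later handshake messages.

```python
# Added example, not code from the patent: two-stage policy check of a terminal's
# observed TLS configuration in the spirit of steps 405-410 of FIG. 4. Policy
# values, the suite-name table and the sample messages are constructed.
from typing import List, Optional, Tuple

# Network security policy queried in step 402 (constructed values).
POLICY = {
    "min_version": (3, 3),          # TLS 1.2 is encoded as 3.3 on the wire
    "allowed_suites": {"ECDHE-RSA-AES256-GCM-SHA384",
                       "ECDHE-RSA-AES128-GCM-SHA256"},
    # Markers of backwards-compatibility suites that must not be offered at all;
    # export-grade suites of this kind were the lever behind FREAK and Logjam.
    "legacy_markers": ("EXP-", "NULL", "RC4", "DES-CBC3", "MD5"),
    "min_dh_bits": 2048,
}

# Constructed subset of IANA code -> OpenSSL-style name.
SUITE_NAMES = {
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0x0008: "EXP-DES-CBC-SHA",          # TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    0x0014: "EXP-EDH-RSA-DES-CBC-SHA",  # TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
}


def parse_server_hello(msg: bytes) -> Tuple[Tuple[int, int], int]:
    """Step 405: pull protocol version and chosen cipher suite out of a raw
    ServerHello handshake message: type(1) length(3) version(2) random(32)
    session_id_len(1) session_id cipher_suite(2) compression(1) ..."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + body[34]                 # skip version, random and session id
    if len(body) < off + 2:
        raise ValueError("truncated ServerHello")
    return (body[0], body[1]), int.from_bytes(body[off:off + 2], "big")


def check_hello(version, suites: List[str], policy=POLICY) -> List[str]:
    """Step 406: version, every supported suite, and the terminal's prioritization
    (the suite it ranks first must itself be permitted)."""
    findings = []
    if version < policy["min_version"]:
        findings.append(f"protocol version {version} below policy minimum")
    for s in suites:
        if any(m in s for m in policy["legacy_markers"]):
            findings.append(f"legacy suite supported: {s}")
        elif s not in policy["allowed_suites"]:
            findings.append(f"suite not in policy: {s}")
    if suites and suites[0] not in policy["allowed_suites"]:
        findings.append(f"preferred suite not permitted: {suites[0]}")
    return findings


def check_handshake_params(dh_bits: Optional[int], policy=POLICY) -> List[str]:
    """Step 408/409: parameters only visible in the later handshake messages."""
    if dh_bits is not None and dh_bits < policy["min_dh_bits"]:
        return [f"DH group of {dh_bits} bits below policy minimum"]
    return []


def adapt_authorization(version, suites, dh_bits=None, policy=POLICY) -> dict:
    """Steps 405-410: a failing stage raises the warning signal (407); the
    authorization is adapted either way (410)."""
    findings = check_hello(version, suites, policy)
    if not findings:                    # FIG. 4 reaches 408 only if 406 passed
        findings = check_handshake_params(dh_bits, policy)
    if findings:
        # Constructed remediation: quarantine VLAN via the nearest switch/router.
        return {"action": "restrict", "vlan": "quarantine", "warning": True,
                "findings": findings}
    return {"action": "enable", "warning": False, "findings": []}


def check_from_probe(server_hellos: List[bytes], dh_bits=None) -> dict:
    """Assumed probe model: one ServerHello per probe, in the terminal's own
    preference order; the lowest version it agreed to is the one checked."""
    parsed = [parse_server_hello(m) for m in server_hellos]
    version = min(v for v, _ in parsed)
    suites = [SUITE_NAMES.get(code, f"unknown-0x{code:04x}") for _, code in parsed]
    return adapt_authorization(version, suites, dh_bits)


def make_server_hello(version: bytes, suite: int) -> bytes:
    """Build a minimal ServerHello for the constructed sample input."""
    body = version + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    return b"\x02" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    good = [make_server_hello(b"\x03\x03", 0xC030), make_server_hello(b"\x03\x03", 0xC02F)]
    weak = [make_server_hello(b"\x03\x01", 0x0014), make_server_hello(b"\x03\x03", 0xC02F)]
    print(check_from_probe(good))
    print(check_from_probe(weak, dh_bits=512))
```

The first stage stops the check as soon as the hello-level information violates the policy, which mirrors FIG. 4 where a failed step 406 goes straight to the warning in step 407 and on to the adaptation in step 410 without inspecting the handshake parameters of step 408. A real apparatus would drive the probes against a live terminal and hand the returned action to the switch, router or SDN controller named in paragraph (16); here the result is only returned.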

(34) Although the present invention has been disclosed in the form of preferred embodiments and variations thereon, it will be understood that numerous additional modifications and variations could be made thereto without departing from the scope of the invention.

(35) For the sake of clarity, it is to be understood that the use of ‘a’ or ‘an’ throughout this application does not exclude a plurality, and ‘comprising’ does not exclude other steps or elements.