APPARATUS AND METHOD FOR ADAPTING AUTHORIZATION INFORMATION FOR A TERMINAL
20170149744 ยท 2017-05-25
Inventors
Cpc classification
H04L63/0428
ELECTRICITY
H04L2463/101
ELECTRICITY
H04L67/34
ELECTRICITY
H04L63/06
ELECTRICITY
H04L67/10
ELECTRICITY
H04L12/4641
ELECTRICITY
H04L63/20
ELECTRICITY
H04L63/0876
ELECTRICITY
International classification
Abstract
An apparatus for adapting authorization information for a terminal is provided. The apparatus has a communication unit for communicating with the terminal, the communication unit being configured to carry out the communication as a test communication using an encryption protocol, a checking unit for checking a configuration of the encryption protocol on the terminal, and a control unit for adapting the authorization information for the terminal on the basis of a result of the check. A corresponding method for adapting authorization information for a terminal is also proposed. The proposed apparatus makes it possible to check the options supported by a terminal in an encryption protocol. In this case, the check can be carried out, in particular, using an encrypted communication connection which could not be monitored by a firewall.
Claims
1. An apparatus for adapting authorization information for a terminal, comprising: a communication unit for communicating with the terminal, the communication unit being configured to carry out the communication as a test communication using an encryption protocol; a checking unit for checking a configuration of the encryption protocol on the terminal; and a control unit for adapting the authorization information for the terminal on the basis of a result of the check.
2. The apparatus as claimed in claim 1, wherein the encryption protocol is a transport layer security protocol or a secure socket layer protocol.
3. The apparatus as claimed in claim 1, wherein the control unit is configured to output a warning signal on the basis of the adapted authorization information.
4. The apparatus as claimed in claim 1, wherein the control unit is configured to transmit the adapted authorization information to a firewall apparatus.
5. The apparatus as claimed in claim 1, wherein the communication unit is configured to set up the test communication to the terminal using the encryption protocol.
6. The apparatus as claimed in claim 5, wherein the communication unit is configured to receive an initiation message from the terminal and to set up the test communication to the terminal using the encryption protocol after the initiation message has been received.
7. The apparatus as claimed in claim 5, wherein the communication unit is configured to set up the test communication to a plurality of ports of the terminal using the encryption protocol.
8. The apparatus as claimed in claim 1, wherein the communication unit is configured to conclude the test communication after the check has been concluded.
9. The apparatus as claimed in claim 1, wherein the communication unit is configured to interrupt communication between the terminal and a server and to carry out the test communication with the terminal.
10. The apparatus as claimed in claim 9, wherein the control unit is configured to enable or abort the communication between the terminal and the server on the basis of the adapted authorization information.
11. The apparatus as claimed in claim 1, wherein the configuration of the encryption protocol contains guidelines, cryptographic parameters and/or protocol options.
12. A network system comprising: at least one terminal; and at least one apparatus as claimed in claim 1 for adapting the authorization information for the at least one terminal.
13. A method for adapting authorization information for a terminal, comprising: carrying out communication with the terminal, the communication being carried out as a test communication using an encryption protocol; checking a configuration of the encryption protocol on the terminal; and adapting the authorization information for the terminal on the basis of a result of the check.
14. A computer program product which causes the method as claimed in claim 13 to be carried out on a program-controlled device.
Description
BRIEF DESCRIPTION
[0052] Some of the embodiments will be described in detail, with reference to the following figures, wherein like designations denote like members, wherein:
[0053]
[0054]
[0055]
[0056]
DETAILED DESCRIPTION
[0057] In the figures, identical or functionally identical elements have been provided with the same reference symbols unless indicated otherwise.
[0058]
[0059] The communication unit 11 communicates with the terminal 20. In this case, test communication is carried out using an encryption protocol.
[0060] During the test communication, the checking unit 12 checks the configuration of the encryption protocol present on the terminal 20. In this case, the checking unit 12 can compare this configuration with predefined guidelines or policies which are intended to be complied with.
[0061] The control unit 13 can finally adapt authorization information for the terminal 20 on the basis of a result of the check.
[0062] The apparatus 10 makes it possible to check configurations of terminals 20, in particular the TLS protocol. For this purpose, a test connection to the test unit is set up. It is therefore possible to easily check the supported options or the configuration. They can also be captured when the authentication, key agreement and negotiation of options are carried out via an encrypted communication connection and therefore cannot be monitored by an intermediate node such as a firewall.
[0063] The check by the apparatus 10 can be carried out at any desired times and not only when actually setting up a connection. In addition, there is no need for any specific software component on the component 20 being checked for this purpose since the existing functionality is used directly via the connection set-up. The results of the verification can be used, for example, as part of NAC measures (remediation).
[0064] The apparatus 10 can also check special policies. TLS, for example, also implements prioritization using the sequence of the stated cipher suites. This can be tested by the apparatus 10 or the checking unit 12. It is likewise possible to test whether cipher suites which are used for backwards compatibility or have not been explicitly switched off are supported. Such problems are used, for example, at weak points such as Freak or Logjam.
[0065]
[0066] In this case, the apparatus 10 is configured using the local security policy of the network 100. It can derive this from the engineering data, for example in the case of an industrial installation. In an office network, corresponding policies can be queried using a group policy server in a domain.
[0067] In another configuration, the apparatus 10 can also be a functionality of a policy enforcement server in the network 100. Depending on the compliance with a security policy, the apparatus 10 can dynamically reconfigure the infrastructure component closest to the test object 20, for example a switch or router, in order to make it possible to convert the policy of the test object 20. For this purpose, the test object 20 can be moved, for example, to a separate VLAN (virtual local area network), as is known from the NAC (network access control, also network admission control) approaches. In networks which are configured using software defined networking (SDN), this shift can be carried out by the SDN controller.
[0068] On the basis of this security policy, the apparatus 10 now sets up a TLS connection or a corresponding different security protocol used in order to query the security policies of the server component 20 being tested as part of the protocol handshake and to compare them with the present policy.
[0069]
[0070] In step 301, communication with the terminal 20 is carried out, communication being carried out as test communication using an encryption protocol.
[0071] In step 302, the configuration of the encryption protocol on the terminal 20 is checked.
[0072] In step 303, the authorization information for the terminal 20 is finally adapted on the basis of a result of the check.
[0073]
[0074] In step 401, the apparatus 10 is started.
[0075] In step 402, the security policy of the network 100 is first of all queried.
[0076] In step 403, the terminal 20 is started and an initial message is transmitted to it in step 404.
[0077] The configuration is checked here in two steps.
[0078] First of all, a message is received from the terminal 20 in step 405. This message is checked for a protocol version used, a cipher suite or other protocol features.
[0079] Step 406 determines whether the determined information corresponds to the security policy of the network 100. If this is not the case, the method continues with step 407 in which an alarm signal is output, for example.
[0080] If the determined information corresponds to the security policy of the network 100, the method continues with step 408 and now checks the TLS handshake messages. These can be checked for Diffie-Hellman parameters, for example.
[0081] Step 409 now again determines whether the determined information corresponds to the security policy of the network 100. If this is not the case, the method continues with step 407.
[0082] If the determined information corresponds to the security policy of the network 100, the method continues with step 410 and adapts the authorization information for the terminal 20.
[0083] The adaptation in step 410 is also carried out after a warning signal has been output in step 407.
[0084] The method ends in step 411.
[0085] Although the present invention has been disclosed in the form of preferred embodiments and variations thereon, it will be understood that numerous additional modifications and variations could be made thereto without departing from the scope of the invention.
[0086] For the sake of clarity, it is to be understood that the use of a or an throughout this application does not exclude a plurality, and comprising does not exclude other steps or elements.