
CN-122027281-A - HTTPS encrypted flow auditing method, equipment, system and medium


Abstract

The application relates to an HTTPS encrypted traffic auditing method, device, system and medium. The method comprises: receiving and processing a key package from a client to obtain a premaster secret and TLS session metadata, wherein the session metadata comprises a client random number, a server random number and a cipher suite identifier; performing key derivation on the premaster secret based on the TLS session metadata to obtain the key parameters required for decrypting HTTPS traffic; when mirrored HTTPS traffic is obtained, decrypting the HTTPS traffic with the key parameters to obtain plaintext application layer data; and performing content audit on the application layer data. The system effectively avoids the single point of failure and certificate trust risk of a man-in-the-middle proxy, overcomes the ineffectiveness of private key decryption schemes against forward secrecy algorithms, avoids the system resource usage and deployment complexity of a client proxy, and achieves efficient, compliant, bypass auditing of encrypted traffic that uses national cryptographic (SM) and standard algorithms, including ECDHE.

Inventors

  • ZHENG CHUANG
  • Liu Yatan
  • JIANG MINHUA

Assignees

  • 杭州迪普科技股份有限公司

Dates

Publication Date
20260512
Application Date
20260211

Claims (10)

  1. An HTTPS encrypted traffic auditing method, said method comprising: receiving and processing a key package from a client to acquire a premaster secret and TLS session metadata, wherein the session metadata comprises a client random number, a server random number and a cipher suite identifier; performing key derivation processing on the premaster secret based on the TLS session metadata to obtain key parameters required for decrypting HTTPS traffic; when mirrored HTTPS traffic is obtained, decrypting the HTTPS traffic by using the key parameters to obtain plaintext application layer data; and performing content audit on the application layer data.
  2. The method of claim 1, wherein receiving and processing the key package from the client to obtain the premaster secret and TLS session metadata comprises: receiving, through a security service port, encrypted transmission data sent by the client over a Transport Layer Security (TLS) channel; performing TLS layer decryption on the encrypted transmission data to obtain a key package, wherein the key package comprises a premaster secret ciphertext and TLS session metadata; and decrypting the premaster secret ciphertext by using a private key of the auditing device to obtain the premaster secret.
  3. The method of claim 2, wherein the TLS session metadata further comprises a timestamp and a message authentication code; before decrypting the premaster secret ciphertext using the private key of the auditing device, the method further comprises: comparing and verifying the recalculated message authentication value against the message authentication code; comparing the timestamp with the current time to verify whether the timestamp is within a preset validity time window; if the message authentication code verification passes and the timestamp is verified as valid, continuing with the decryption of the premaster secret ciphertext; and if the message authentication code verification fails or the timestamp is verified as invalid, discarding the key package and ending the processing flow of the key package.
  4. The method of claim 1, wherein performing key derivation processing on the premaster secret based on the TLS session metadata to obtain key parameters required for decrypting HTTPS traffic comprises: determining a corresponding hash algorithm according to the cipher suite identifier; taking the premaster secret as input keying material, and executing a key derivation function extraction operation based on the hash algorithm to obtain an intermediate key; and performing a labelled key derivation function expansion operation with the intermediate key, the client random number and the server random number as inputs to obtain the key parameters.
  5. The method of claim 4, wherein the key parameters include a client write key and a server write key; decrypting the HTTPS traffic using the key parameters includes: identifying the transmission direction of the HTTPS traffic; if the transmission direction is from the client to the server, decrypting by using the client write key; if the transmission direction is from the server to the client, decrypting by using the server write key.
  6. The method of claim 1, wherein decrypting the HTTPS traffic with the key parameters when mirrored HTTPS traffic is acquired comprises: determining the corresponding key parameters for the HTTPS traffic based on an association relationship between the HTTPS traffic and the key parameters; and decrypting the HTTPS traffic by using the determined key parameters.
  7. The method of claim 1, wherein performing content audit on the application layer data comprises: matching sensitive data in the application layer data by using a regular expression engine, wherein the sensitive data comprises at least one of credit card numbers and identity card numbers; when the sensitive data is matched and a preset blocking policy is met, based on the connection five-tuple of the HTTPS traffic, respectively forging TCP RST packets directed to the client and the server and injecting the TCP RST packets into the network so as to forcibly terminate the corresponding HTTPS connection; the connection five-tuple comprises a source IP address, a source port, a destination IP address, a destination port and a protocol type.
  8. An HTTPS encrypted traffic auditing apparatus, said apparatus comprising: a receiving and processing module configured to receive and process a key package from a client to acquire a premaster secret and TLS session metadata, wherein the session metadata comprises a client random number, a server random number and a cipher suite identifier; a key derivation module configured to perform key derivation processing on the premaster secret based on the TLS session metadata to obtain key parameters required for decrypting HTTPS traffic; a traffic decryption module configured to decrypt the HTTPS traffic by using the key parameters when the mirrored HTTPS traffic is acquired, so as to obtain plaintext application layer data; and a content auditing module configured to audit the content of the application layer data.
  9. An electronic device comprising a processor and a memory, the memory storing a computer program, the processor implementing the steps of the method of any one of claims 1 to 7 when the computer program is executed.
  10. A computer readable storage medium having stored thereon computer readable instructions which, when executed by a processor of a computer, cause the computer to perform the method of any of claims 1 to 7.
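The checks and derivation in claims 3 to 5, as an added Python sketch that is not code from the patent. The field layout, the pre-shared MAC key, the 30-second window, the all-zero salt and the two label strings are assumptions; the private-key decryption of the premaster ciphertext (claim 2) is left out.

```python
import hashlib
import hmac
import struct

# Cipher suite identifier -> hash (claim 4); codes are TLS 1.3 values from RFC 8446.
SUITE_HASH = {0x1301: hashlib.sha256, 0x1302: hashlib.sha384}
WINDOW_SECONDS = 30  # assumed; the page only says "preset" time window

def package_mac(pkg, mac_key):
    # Assumed layout: the MAC covers every field the auditor will later trust.
    body = (pkg["client_random"] + pkg["server_random"]
            + struct.pack(">HQ", pkg["cipher_suite"], pkg["timestamp"])
            + pkg["pms_ciphertext"])
    return hmac.new(mac_key, body, hashlib.sha256).digest()

def package_is_valid(pkg, mac_key, now):
    """Claim 3: check MAC, then timestamp, before any premaster decryption."""
    if not hmac.compare_digest(package_mac(pkg, mac_key), pkg["mac"]):
        return False  # forged or corrupted package: discard
    return abs(now - pkg["timestamp"]) <= WINDOW_SECONDS  # stale: discard

def hkdf_expand(hash_fn, prk, info, length):
    # RFC 5869 expand step: T(n) = HMAC(PRK, T(n-1) | info | n)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_fn).digest()
        out += block
        counter += 1
    return out[:length]

def derive_write_keys(premaster, client_random, server_random, suite, key_len=16):
    """Claim 4 as worded (not the RFC 8446 key schedule): extract, then labelled expand."""
    hash_fn = SUITE_HASH[suite]
    salt = bytes(hash_fn().digest_size)  # all-zero salt (assumption)
    prk = hmac.new(salt, premaster, hash_fn).digest()  # RFC 5869 extract step
    context = client_random + server_random
    return {"c2s": hkdf_expand(hash_fn, prk, b"client write key" + context, key_len),
            "s2c": hkdf_expand(hash_fn, prk, b"server write key" + context, key_len)}

def key_for_record(keys, src_addr, client_addr):
    """Claim 5: pick the write key from the record's transmission direction."""
    return keys["c2s"] if src_addr == client_addr else keys["s2c"]

# Constructed sample package; every value here is made up for the example.
MAC_KEY = b"k" * 32
SAMPLE = {"client_random": bytes(range(32)), "server_random": bytes(range(32, 64)),
          "cipher_suite": 0x1301, "timestamp": 1_700_000_000, "pms_ciphertext": b"\xaa" * 48}
SAMPLE["mac"] = package_mac(SAMPLE, MAC_KEY)
```

Running the MAC and timestamp checks before the private-key operation means a forged or replayed package is dropped without the auditing device ever using its private key on attacker-chosen ciphertext.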
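The regular-expression matching step of claim 7, as an added Python example that is not code from the patent. It goes beyond the claim by validating each candidate with its checksum (Luhn for card numbers, the GB 11643 check character for 18-digit identity card numbers) and by masking values before they reach the audit log; the function names and the sample body are assumptions.

```python
import re

# Candidate patterns; the checksums below cut false positives such as order ids.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
ID_RE = re.compile(r"(?<!\d)\d{17}[\dXx](?!\w)")
ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
ID_CHECK = "10X98765432"  # GB 11643 check characters, indexed by weighted sum mod 11

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def resident_id_ok(value):
    weighted = sum(int(c) * w for c, w in zip(value[:17], ID_WEIGHTS))
    return ID_CHECK[weighted % 11] == value[17].upper()

def mask(value):
    # Keep only the last four characters so the audit log holds no full number.
    return "*" * (len(value) - 4) + value[-4:]

def audit(plaintext):
    """Return (offset, kind, masked value) for each checksum-valid match."""
    hits, id_spans = [], []
    for m in ID_RE.finditer(plaintext):
        if resident_id_ok(m.group()):
            hits.append((m.start(), "resident_id", mask(m.group())))
            id_spans.append(m.span())
    for m in CARD_RE.finditer(plaintext):
        digits = re.sub(r"[ -]", "", m.group())
        inside_id = any(s <= m.start() < e for s, e in id_spans)
        if not inside_id and luhn_ok(digits):
            hits.append((m.start(), "card", mask(digits)))
    return sorted(hits)

# Constructed request body: a test card number, a sample ID, and a decoy order id.
SAMPLE = ("card=4111 1111 1111 1111&id=11010519491231002X"
          "&order=1234567890123456")
```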

Description

HTTPS encrypted flow auditing method, equipment, system and medium

Technical Field

The present application relates to the field of communications technologies, and in particular, to an HTTPS encrypted traffic auditing method, device, system, and medium.

Background

With the widespread rise of internet security awareness, the HTTPS (Hypertext Transfer Protocol Secure) protocol has become a global standard for network communications. By introducing an SSL/TLS encryption layer on top of the HTTP protocol, HTTPS provides end-to-end communication encryption and effectively protects user privacy and the security of data in transit. However, the widespread use of HTTPS also presents serious challenges for network security administration and compliance auditing.

In fields with strict data security requirements, such as finance, government affairs and enterprises, content audit needs to be carried out on network traffic to prevent security risks such as data leakage and illegal transmission. For example, Level 3 of China's Cybersecurity Classified Protection 2.0 standard explicitly requires "audit of encrypted communication", and Article 32 of the European Union's GDPR also specifies that sensitive data transmissions need to be monitored. However, the encryption of HTTPS makes traditional auditing means based on plaintext analysis completely ineffective, and encrypted traffic becomes a supervision blind spot.

At present, the auditing of HTTPS encrypted traffic mainly relies on the following technical schemes:

1. Man-in-the-Middle Proxy scheme

This scheme deploys a proxy server between the client and the server, and the proxy establishes independent TLS connections with the client and the server respectively. The proxy server forges the server certificate to communicate with the client and at the same time establishes a connection with the real server, thereby decrypting and auditing traffic at the proxy node. This method has the following disadvantages:

1) The proxy server needs to be deployed inline in the communication link, which creates a single point of failure;
2) The client must be forced to trust the proxy's CA certificate, which easily triggers browser security warnings and affects the user experience;
3) A website that enables HSTS (HTTP Strict Transport Security) forced encryption cannot be audited;
4) Only the current session can be audited, and historical encrypted traffic cannot be analyzed retrospectively.

2. Server private key decryption scheme

This scheme decrypts the premaster secret (Pre-Master Secret) in the TLS handshake with the HTTPS server's private key, thereby generating a session key to decrypt the traffic. This method has the following disadvantages:

1) It applies only to TLS connections that use non-forward-secret (Non-Forward Secrecy) algorithms such as RSA;
2) For connections that employ forward secrecy algorithms such as ECDHE (Elliptic Curve Diffie-Hellman Ephemeral), the server private key cannot decrypt historical sessions, because forward secrecy algorithms use ephemeral key agreement;
3) Centralized hosting of the server's private key carries a leakage risk, so security is difficult to guarantee;
4) Compatibility with Chinese national cryptographic algorithms (e.g., SM2, SM4) is poor.

3. Client proxy scheme

A local proxy process is deployed on the client device, all network traffic is redirected to the local proxy port, and the proxy completes the decryption, auditing and re-encryption of HTTPS traffic. This method has the following disadvantages:

1) A root certificate must be manually installed, or a proxy configured, on each client, so deployment and maintenance costs are high;
2) Cross-platform support is insufficient, and different operating systems need different implementations;
3) The proxy process runs resident, occupies system resources, and affects client performance;
4) Historical traffic auditing likewise cannot be supported.

Statistically, most TLS 1.3 connections in modern HTTPS communications employ forward secrecy algorithms such as ECDHE. Such algorithms implement a "forward secrecy" (Forward Secrecy, FS) feature by using an ephemeral key agreement per session, i.e., an attacker cannot decrypt historical communications even if the server private key is compromised. This security feature protects the user's long-term privacy while also completely defeating the traditional audit scheme based on the server's private key.

Therefore, the core technical contradiction faced by current HTTPS traffic auditing is how to achieve effective audit and control of encrypted traffic while supporting modern encryption technologies such as forward secrecy algorithms and national cryptographic algorithms. This need is particularly acute in the fields of financial transaction monitoring, government data leakage prevention, enterprise