Secure session capability using public-key cryptography without access to the private key
First Claim
1. A method in a first server for establishing and using a secure session with a client device, the method comprising:
transmitting a plurality of messages between the client device and a second server that has access to a private key used in establishing the secure session, wherein the private key is not available on the first server, and wherein the plurality of messages transmitted between the client device and the second server includes a Client Hello message received from the client device, a Server Hello message received from the second server, a Certificate message received from the second server, a Server Key Exchange message received from the second server, a Server Hello Done message received from the second server, and a Client Key Exchange message received from the client device;
receiving, from the second server, a master secret that was generated using a premaster secret that was generated using a Diffie-Hellman public value selected by the client device and a Diffie-Hellman public value selected by the second server;
receiving, from the client device, a first Change Cipher Spec message and a first Finished message;
verifying information in the first Finished message including, calculating a first value using a function that takes as input at least the master secret and a hash of the Client Hello message, Server Hello message, Certificate message, Server Key Exchange message, Server Hello Done message, Client Key Exchange message, and first Change Cipher Spec message, and comparing the calculated first value with a second value included in the first Finished message, wherein a same first value and second value indicates a successful key exchange;
transmitting a second Change Cipher Spec message to the client device;
receiving, from the second server, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server that were generated at least using the master secret;
calculating a third value using a function that takes as input at least the master secret and a hash of the Client Hello message, Server Hello message, Certificate message, Server Key Exchange message, Server Hello Done message, Client Key Exchange message, first Change Cipher Spec message, first Finished message, and second Change Cipher Spec message; and
transmitting a second Finished message to the client device that includes the third value;
receiving, from the client device over the secure session, an encrypted request for a resource;
decrypting, using the set of session keys, the encrypted request for the resource;
retrieving the requested resource;
generating a response that includes the retrieved resource;
encrypting the generated response using the set of session keys; and
transmitting, to the client device over the secure session, the encrypted response.
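As an added illustration (not text or code from the patent), the Finished check and reply that the claim assigns to the first server can be written out in Python. The TLS 1.2 PRF with SHA-256, the "client finished" / "server finished" labels, the function names and the sample byte strings are assumptions; the claim itself only requires a function of the master secret and a hash of the listed messages.

```python
import hashlib
import hmac

def prf_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5) with SHA-256; assumed, the claim only says 'a function'."""
    seed = label + seed
    a, out = seed, b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def finished_value(master_secret: bytes, label: bytes, transcript: list) -> bytes:
    """Value carried in a Finished message: PRF over the hash of the transcript."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return prf_sha256(master_secret, label, digest, 12)

def complete_handshake(master_secret, proxied, client_ccs, client_finished, server_ccs):
    """First-server side: check the client's Finished, then build its own.

    master_secret is the value received from the second (key) server; the
    private key never appears here. Returns the claim's 'third value' or raises.
    """
    # The transcript follows the claim's list, which includes Change Cipher Spec.
    # RFC 5246 itself leaves Change Cipher Spec out of the Finished hash.
    transcript = list(proxied) + [client_ccs]
    first_value = finished_value(master_secret, b"client finished", transcript)
    if not hmac.compare_digest(first_value, client_finished):  # constant-time compare
        raise ValueError("client Finished mismatch: abort handshake")
    # client_finished (the received value) stands in for the first Finished message.
    transcript += [client_finished, server_ccs]
    return finished_value(master_secret, b"server finished", transcript)

# Constructed sample data: placeholder byte strings, not real TLS encodings.
PROXIED = [b"ClientHello", b"ServerHello", b"Certificate",
           b"ServerKeyExchange", b"ServerHelloDone", b"ClientKeyExchange"]
CCS = b"\x01"
MASTER_SECRET = bytes(range(48))  # stands in for the value sent by the key server

if __name__ == "__main__":
    client_value = finished_value(MASTER_SECRET, b"client finished", PROXIED + [CCS])
    print(complete_handshake(MASTER_SECRET, PROXIED, CCS, client_value, CCS).hex())
```

A mismatch means the two ends disagree on the master secret or on the handshake messages that were proxied, so the first server aborts instead of sending its own Finished.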
Abstract
A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.
15 Claims
6. A non-transitory computer-readable storage medium storing instructions, which when executed by a set of one or more processors of a first server, cause the set of processors to perform operations comprising:
transmitting a plurality of messages between the client device and a second server that has access to a private key used in establishing a secure session between the client device and the first server, wherein the private key is not available on the first server, and wherein the plurality of messages transmitted between the client device and the second server includes a Client Hello message received from the client device, a Server Hello message received from the second server, a Certificate message received from the second server, a Server Key Exchange message received from the second server, a Server Hello Done message received from the second server, and a Client Key Exchange message received from the client device;
receiving, from the second server, a master secret that was generated using a premaster secret that was generated using a Diffie-Hellman public value selected by the client device and a Diffie-Hellman public value selected by the second server;
receiving, from the client device, a first Change Cipher Spec message and a first Finished message;
verifying information in the first Finished message including, calculating a first value using a function that takes as input at least the master secret and a hash of the Client Hello message, Server Hello message, Certificate message, Server Key Exchange message, Server Hello Done message, Client Key Exchange message, and first Change Cipher Spec message, and comparing the calculated first value with a second value included in the first Finished message, wherein a same first value and second value indicates a successful key exchange;
transmitting a second Change Cipher Spec message to the client device;
receiving, from the second server, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server that were generated at least using the master secret;
calculating a third value using a function that takes as input at least the master secret and a hash of the Client Hello message, Server Hello message, Certificate message, Server Key Exchange message, Server Hello Done message, Client Key Exchange message, first Change Cipher Spec message, first Finished message, and second Change Cipher Spec message; and
transmitting a second Finished message to the client device that includes the third value;
receiving, from the client device over the secure session, an encrypted request for a resource;
decrypting, using the set of session keys, the encrypted request for the resource;
retrieving the requested resource;
generating a response that includes the retrieved resource;
encrypting the generated response using the set of session keys; and
transmitting, to the client device over the secure session, the encrypted response.
11. An apparatus comprising:
a first server including a set of one or more processors and a set of one or more non-transitory computer-readable storage mediums storing instructions, that when executed by the set of processors, cause the set of processors to perform the following operations;
transmit a plurality of messages between the client device and a second server that has access to a private key used in establishing a secure session between the client device and the first server, wherein the private key is not available on the first server, wherein the plurality of messages to be transmitted between the client device and the second server includes a Client Hello message received from the client device, a Server Hello message received from the second server, a Certificate message received from the second server, a Server Key Exchange message received from the second server, a Server Hello Done message received from the second server, and a Client Key Exchange message received from the client device;
receive, from the second server, a master secret that was generated using a premaster secret that was generated using a Diffie-Hellman public value selected by the client device and a Diffie-Hellman public value selected by the second server;
receive, from the client device, a first Change Cipher Spec message and a first Finished message;
verify information in the first Finished message including, calculate a first value using a function that takes as input at least the master secret and a hash of the Client Hello message, Server Hello message, Certificate message, Server Key Exchange message, Server Hello Done message, Client Key Exchange message, and first Change Cipher Spec message, and compare the calculated first value with a second value included in the first Finished message, wherein a same first value and second value indicates a successful key exchange;
transmit a second Change Cipher Spec message to the client device;
receive, from the second server, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server that were generated at least using the master secret;
calculate a third value using a function that takes as input at least the master secret and a hash of the Client Hello message, Server Hello message, Certificate message, Server Key Exchange message, Server Hello Done message, Client Key Exchange message, first Change Cipher Spec message, first Finished message, and second Change Cipher Spec message; and
transmit a second Finished message to the client device that includes the third value;
receive, from the client device over the secure session, an encrypted request for a resource;
decrypt, using the set of session keys, the encrypted request for the resource;
retrieve the requested resource;
generate a response that includes the retrieved resource;
encrypt the generated response using the set of session keys; and
transmit, to the client device over the secure session, the encrypted response.