×

Secure session capability using public-key cryptography without access to the private key

  • US 10,033,529 B2
  • Filed: 07/05/2016
  • Issued: 07/24/2018
  • Est. Priority Date: 04/08/2014
  • Status: Active Grant
First Claim
Patent Images

1. A method in a first server for establishing and using a secure session with a client device, the method comprising:

  • transmitting a plurality of messages between the client device and a second server that has access to a private key used in establishing the secure session, wherein the private key is not available on the first server, and wherein the plurality of messages transmitted between the client device and the second server includes a Client Hello message received from the client device, a Server Hello message received from the second server, a Certificate message received from the second server, a Server Key Exchange message received from the second server, a Server Hello Done message received from the second server, and a Client Key Exchange message received from the client device;

    receiving, from the second server, a master secret that was generated using a premaster secret that was generated using a Diffie-Hellman public value selected by the client device and a Diffie-Hellman public value selected by the second server;

    receiving, from the client device, a first Change Cipher Spec message and a first Finished message;

    verifying information in the first Finished message including,calculating a first value using a function that takes as input at least the master secret and a hash of the Client Hello message, Server Hello message, Certificate message, Server Key Exchange message, Server Hello Done message, Client Key Exchange message, and first Change Cipher Spec message, andcomparing the calculated first value with a second value included in the first Finished message, wherein a same first value and second value indicates a successful key exchange;

    transmitting a second Change Cipher Spec message to the client device;

    receiving, from the second server, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server that were generated at least using the master secret;

    calculating a third value using a function that takes as input at least the master secret and a hash of the Client Hello message, Server Hello message, Certificate message, Server Key Exchange message, Server Hello Done message, Client Key Exchange message, first Change Cipher Spec message, first Finished message, and second Change Cipher Spec message; and

    transmitting a second Finished message to the client device that includes the third value;

    receiving, from the client device over the secure session, an encrypted request for a resource;

    decrypting, using the set of session keys, the encrypted request for the resource;

    retrieving the requested resource;

    generating a response that includes the retrieved resource;

    encrypting the generated response using the set of session keys; and

    transmitting, to the client device over the secure session, the encrypted response.

View all claims
  • 2 Assignments
Timeline View
Assignment View
    ×
    ×