Pluggable cipher suite negotiation

US 10,033,703 B1
Filed: 06/16/2015
Issued: 07/24/2018
Est. Priority Date: 06/16/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

as part of a negotiation of a cryptographically protected communications session with a client computer system, receiving information to a server computer system that specifies a list of client-supported cipher suites from the client computer system and a list of pluggable capabilities from the client computer system;

determining, based at least in part on the negotiation of the cryptographically protected communications session, to provide a pluggable cipher suite to the client computer system;

identifying the pluggable cipher suite to the client computer system;

causing the client computer system to acquire, from a cipher suite server, executable code that, as a result of being executed by the client computer system, causes the client computer system to utilize the pluggable cipher suite that is supported by the server computer system; and

establishing the cryptographically protected communications session with the client computer system using the pluggable cipher suite.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present document describes systems and methods that provide pluggable cipher suites. In one embodiment, a client and a server perform a secure transport handshake that negotiates a set of supported cipher suites. The server determines if the cipher suites supported by the client are acceptable. When the server determines that the cipher suites supported by the client are not acceptable, the server provides a pluggable cipher suite to the client. The client runs the pluggable cipher suite in a sandboxed environment, and uses the pluggable cipher suite to add support for one or more additional cipher suites. In some implementations, the pluggable cipher suite is provided by a third-party server.

Citations

20 Claims

1. A computer-implemented method, comprising:
- as part of a negotiation of a cryptographically protected communications session with a client computer system, receiving information to a server computer system that specifies a list of client-supported cipher suites from the client computer system and a list of pluggable capabilities from the client computer system;
  
  determining, based at least in part on the negotiation of the cryptographically protected communications session, to provide a pluggable cipher suite to the client computer system;
  
  identifying the pluggable cipher suite to the client computer system;
  
  causing the client computer system to acquire, from a cipher suite server, executable code that, as a result of being executed by the client computer system, causes the client computer system to utilize the pluggable cipher suite that is supported by the server computer system; and
  
  establishing the cryptographically protected communications session with the client computer system using the pluggable cipher suite.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein establishing the cryptographically protected communications session with the client computer system using the pluggable cipher suite is performed by at least identifying a pluggable cipher suite that is compatible with the list of pluggable capabilities from a collection of pluggable cipher suites stored on the server computer system.
  - 3. The computer-implemented method of claim 1, wherein establishing the cryptographically protected communications session with the client computer system using the pluggable cipher suite is performed by at least:
    - identifying an additional server computer system that has access to a pluggable cipher suite that is compatible with the list of pluggable capabilities of the client computer system; and
      
      providing a reference to the additional server computer system to the client computer system.
  - 4. The computer-implemented method of claim 1, wherein receiving information to a server computer system that specifies a list of client-supported cipher suites from the client computer system and a list of pluggable capabilities from the client computer system is accomplished at least in part using a TLS handshake.
  - 5. The computer-implemented method of claim 1, wherein determining to provide a pluggable cipher suite to the client computer system is accomplished by determining that the server computer system fails to support at least one cipher suite from the list of client-supported cipher suites.

6. A system, comprising:
- one or more processors; and
  
  a memory storing executable instructions that, as a result of being executed on the one or more processors, cause the system to;
  
  receive information specifying a set of cipher suites supported by a client computer system;
  
  determine to provide a pluggable cipher suite that is not in the set of cipher suites;
  
  as a result of determining to provide the pluggable cipher suite, cause the client computer system to acquire, from a cipher suite server, executable code that, as a result of being executed by the client computer system, causes the client computer system to utilize the pluggable cipher suite; and
  
  establish a cryptographically protected communications session with the client computer system using the pluggable cipher suite.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The system of claim 6, wherein providing the pluggable cipher suite is accomplished at least in part by:
    - determining that there is not a compatible pluggable cipher suite stored on the system; and
      
      as a result of determining that there is not a compatible pluggable cipher suite stored on the system, providing a network address of a cipher-suite server that has the pluggable cipher suite.
  - 8. The system of claim 6, wherein establishing the cryptographically protected communications session with the client computer system using the pluggable cipher suite is accomplished at least in part by selecting the pluggable cipher suite from a plurality of pluggable cipher suites, based at least in part on a preference order of cipher suites maintained by the system.
  - 9. The system of claim 6, wherein the pluggable cipher suite is digitally signed with a cryptographic key associated with the system.
  - 10. The system of claim 6, wherein the system is further configured to provide a sandboxed execution environment compatible with the pluggable cipher suite.
  - 11. The system of claim 6, wherein:
    - the executable instructions further causes the system to receive a set of pluggable capabilities from the client computer system; and
      
      the set of pluggable capabilities describe a type of executable program, a maximum program size, and an environment version identifier.
  - 12. The system of claim 6, wherein the cipher suite server is a computer server that is separate from the system.

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- as part of a negotiation of a cryptographically protected communications session, provide, to a server device, a set of supported cipher suites;
  
  receive, as a result of the negotiation, information that identifies a pluggable cipher suite that is compatible with a set of pluggable capabilities;
  
  acquire, from a cipher suite server, executable code that, as a result of being executed by the computer system, allows the computer system to use the pluggable cipher suite; and
  
  use the pluggable cipher suite to communicate over the cryptographically protected communications session with the server device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - receive, from the server device, a set of server-supported cipher suites;
      
      provide, to an additional server, the set of server-supported cipher suites; and
      
      receive, from the additional server, a pluggable cipher suite that is compatible with the set of pluggable capabilities, and that implements at least one cipher suite from the set of server-supported cipher suites.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further comprise instructions that, if executed by the one or more processors, cause the computer system to verify an origin of the pluggable cipher suite at least by validating a digital signature of the pluggable cipher suite.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions that cause the computer system to execute the pluggable cipher suite further include instructions that cause the computer system to:
    - identify a remote execution environment on a sandbox server, the remote execution environment being compatible with the pluggable cipher suite;
      
      upload the pluggable cipher suite to the sandbox server; and
      
      cause the pluggable cipher suite to be executed on the remote execution environment.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein using the pluggable cipher suite to communicate over the cryptographically protected communications session is accomplished at least by executing the pluggable cipher suite in a sandboxed execution environment.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein as part of the negotiation of the cryptographically protected communications session, the set of pluggable capabilities is additionally provided to the server device.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein using the pluggable cipher suite to communicate over the cryptographically protected communications session is accomplished at least by executing the pluggable cipher suite on a virtual machine that isolates a runtime environment of the pluggable cipher suite from other processes on the computer system that execute the protected communications session.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the pluggable cipher suite is a JavaScript program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Sharifi Mehr, Nima
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/741,387
Time in Patent Office

1,134 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 8/60   Software deployment

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/126   the source of the received ...

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

H04L 9/0822   using key encryption key

H04L 9/14   using a plurality of keys o...

Pluggable cipher suite negotiation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Pluggable cipher suite negotiation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links