Load balancing with handshake offload

US 10,122,689 B2
Filed: 06/16/2015
Issued: 11/06/2018
Est. Priority Date: 06/16/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

establishing a network connection between a client computer system and a load balancer;

for a first set of messages of a handshake, with the client computer system, of a cryptographically protected communications protocol received by the load balancer, routing the first set of messages from the load balancer to a handshake server computer system thereby facilitating negotiation of a set of cryptographic keys for a cryptographically protected communications session; and

for a second set of messages outside of the handshake, with the client computer system, of the cryptographically protected communications protocol received by the load balancer, the second set of messages transmitted over the cryptographically protected communications session, routing the second set of messages from the load balancer to another server computer system different from the handshake server computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cryptographically protected communications sessions are established using a distributed process. A load balancer proxies handshake messages to a first computer system that negotiates a cryptographically protected communications session with the client. When the client and first computer system complete negotiation of the session, the first computer system provides a set of session keys to a second computer system, through the load balancer or another channel. The second computer system then uses the session keys to communicate with the client over the cryptographically protected communications session.

330 Citations

20 Claims

1. A computer-implemented method, comprising:
- establishing a network connection between a client computer system and a load balancer;
  
  for a first set of messages of a handshake, with the client computer system, of a cryptographically protected communications protocol received by the load balancer, routing the first set of messages from the load balancer to a handshake server computer system thereby facilitating negotiation of a set of cryptographic keys for a cryptographically protected communications session; and
  
  for a second set of messages outside of the handshake, with the client computer system, of the cryptographically protected communications protocol received by the load balancer, the second set of messages transmitted over the cryptographically protected communications session, routing the second set of messages from the load balancer to another server computer system different from the handshake server computer system.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving the set of cryptographic keys; and
      
      providing the set of cryptographic keys to the other server computer system.
  - 3. The computer-implemented method of claim 1, wherein the cryptographically protected communications protocol is a Secure Sockets Layer/Transport Layer Security protocol or Internet Protocol Security.
  - 4. The computer-implemented method of claim 1, further comprising:
    - performing a set of tests on one or more messages associated with the cryptographically protected communications session to determine whether the one or more messages is not encrypted; and
      
      as a result of determining that a message associated with the cryptographically protected communications session is not encrypted, performing one or more mitigating actions.

5. A system, comprising:
- one or more processors; and
  
  memory storing instructions that, as a result of execution by the one or more processors, cause the system to;
  
  receive, at a load balancer, a first message from a client computer system;
  
  determine whether the first message is for a handshake;
  
  as a result of the first message being for a handshake, route the first message from the load balancer to a first computer system to enable the first computer system to negotiate, with the client computer system, a cryptographically protected communications session; and
  
  as a result of a second message being outside of the handshake but over the cryptographically protected communications session, route the second message from the load balancer to a second computer system.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein the cryptographically protected communications session is a Sockets Layer Security or Transport Layer Security session.
  - 7. The system of claim 5, wherein the instructions further include instructions that, when executed by the one or more processors, cause the computer system to:
    - as a result of a third message not being a handshake message, perform a set of tests on the third message to determine whether the third message comprises potentially malicious data; and
      
      perform a mitigating action if determined that the third message comprises potentially malicious data.
  - 8. The system of claim 5, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to:
    - as a result of receiving the second message from the first computer system, where the second message comprises a set of session keys for the cryptographically protected communications session, route the set of session keys to the second computer system.
  - 9. The system of claim 5, wherein the system comprises the first computer system.
  - 10. The system of claim 9, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the system to select, for the cryptographically protected communications session, the second computer system from a plurality of computer systems, excluding the first computer system, to which the system is capable of routing messages.
  - 11. The system of claim 5, wherein:
    - the system comprises the first computer system;
      
      the system comprises a load balancer computer system that executes the instructions to determine whether the first message is for the handshake; and
      
      the first computer system is configured to provide a set of cryptographic keys for the cryptographically protected communications session to the second computer system through a communication channel that excludes the load balancer computer system.
  - 12. The system of claim 5, wherein the instructions further comprise instructions that, when executed by the one or more processors cause the computer system to use information associated with the client computer system to select the first computer system from a plurality of computer systems configured to perform handshakes.

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a first computer system, cause the first computer system to at least:
- receive, at a load balancer, messages from a client computer system;
  
  proxy, from the load balancer, handshake messages of a protocol for cryptographically protected communications sessions between the client computer system and a second computer system, the handshake messages for a negotiation of a cryptographically protected communications session; and
  
  proxy, from the load balancer, non-handshake messages of the protocol for the cryptographically protected communications session to a third computer system.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the cryptographically protected communications session utilizes encryption; and
      
      the instructions further comprise instructions that, as a result of execution by the one or more processors, cause the first computer system to;
      
      as a result of the cryptographically protected communications session having been established, determine whether a message from the client computer system includes non-encrypted data; and
      
      if determined that the message from the client computer system includes non-encrypted data, perform a mitigating action.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of execution by the one or more processors, cause the first computer system to:
    - parse a message received from the client computer system to determine whether the message comprises a set of fields indicating that the message is part of a handshake; and
      
      if determined that the message is part of a handshake, route the message to the second computer system.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the cryptographically protected communications session is a transport layer security session.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the instructions that cause the first computer system to proxy handshake messages of the protocol for cryptographically protected communications sessions between the client computer system and the second computer system, as a result of execution by the one or more processors, cause the first computer system to digitally sign messages to the second computer system to enable the second computer system to authenticate the messages.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of execution by the one or more processors, cause the first computer system to:
    - receive a set of cryptographic keys for the cryptographically protected communications session from the second computer system; and
      
      provide the received set of cryptographic keys to the third computer system.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein the instructions that cause the first computer system to proxy handshake messages of the protocol for cryptographically protected communications sessions between the client computer system and the second computer system, as a result of execution by the one or more processors, cause the first computer system to:
    - determine one or more characteristics of the client computer system; and
      
      select, based at least in part on the determined one or more characteristics of the client computer system, the second computer system from a plurality of computer systems configured to perform handshakes.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the instructions further comprise instructions that, as a result of execution by the one or more processors, cause the computer system to;
      
      determine one or more characteristics of the client computer system;
      
      determine, based at least in part on the determined one or more characteristics, a policy applicable to the client computer system; and
      
      apply the policy to determine whether to proxy the handshake messages to the second computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
MacCarthaigh, Colm
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/741,386
Publication Number

US 20160373412A1
Time in Patent Office

1,239 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/168   above the transport layer

Load balancing with handshake offload

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

330 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Load balancing with handshake offload

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

330 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links