Secure session capability using public-key cryptography without access to the private key
First Claim
1. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising the first server performing the following:
- receiving a message from the client device that initiates a procedure to establish a secure session between the client device and the first server;
transmitting a digital certificate to the client device that includes a public key;
transmitting, to the second server, a request to generate and sign a set of cryptographic parameters, wherein the second server has the private key that corresponds to the public key;
receiving from the second server, a first message that includes the set of cryptographic parameters that have been signed using the private key;
transmitting, to the client device, the set of cryptographic parameters that have been signed using the private key;
receiving, from the client device, a value generated by the client device based in part on the set of cryptographic parameters;
transmitting, to the second server, a second message that includes the received value and a request to generate a premaster secret using the received value;
receiving, from the second server, a third message that includes the premaster secret;
generating a master secret using the received premaster secret; and
generating, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server.
1 Assignment
0 Petitions
Accused Products
Abstract
A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
-
Citations
20 Claims
-
1. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising the first server performing the following:
-
receiving a message from the client device that initiates a procedure to establish a secure session between the client device and the first server; transmitting a digital certificate to the client device that includes a public key; transmitting, to the second server, a request to generate and sign a set of cryptographic parameters, wherein the second server has the private key that corresponds to the public key; receiving from the second server, a first message that includes the set of cryptographic parameters that have been signed using the private key; transmitting, to the client device, the set of cryptographic parameters that have been signed using the private key; receiving, from the client device, a value generated by the client device based in part on the set of cryptographic parameters; transmitting, to the second server, a second message that includes the received value and a request to generate a premaster secret using the received value; receiving, from the second server, a third message that includes the premaster secret; generating a master secret using the received premaster secret; and generating, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising the first server performing the following:
-
receiving, from the client device, a Client Hello message; in response to the received Client Hello message, transmitting a Server Hello message to the client device; transmitting, to the client device, a Server Certificate message that includes one or more digital certificates; transmitting, to the second server, a request to generate and sign a set of server key exchange parameters; receiving, from the second server, a message that includes the server key exchange parameters that are signed; transmitting, to the client device, a Server Key Exchange message that includes the signed server key exchange parameters; transmitting, to the client device, a Server Hello Done message; receiving, from the client device, a Client Key Exchange message that includes a value generated by the client device based in part on the server key exchange parameters; transmitting, to the second server, the received value and a request to generate a premaster secret using the received value; receiving, from the second server, the premaster secret; generating a master secret using the premaster secret; receiving, from the client device, a first Change Cipher Spec message; receiving, from the client device, a first Finished message; transmitting, to the client device, a second Change Cipher Spec message; and transmitting, to the client device, a second Finished message. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. An apparatus, comprising:
a first server including a set of one or more processors and a set of one or more non-transitory computer-readable storage mediums storing instructions, that when executed by the set of processors, cause the set of processors to perform the following operations; receive a message from a client device that initiates a procedure to establish a secure session between the client device and the first server; transmit a digital certificate to the client device that includes a public key; transmit, to a second server, a request to generate and sign a set of cryptographic parameters, wherein the second server is to have a private key that corresponds to the public key; receive from the second server, a first message that includes the set of cryptographic parameters that have been signed using the private key; transmit, to the client device, the set of cryptographic parameters that have been signed using the private key; receive, from the client device, a value generated by the client device based in part on the set of cryptographic parameters; transmit, to the second server, a second message that is to include the received value and a request to generate a premaster secret using the received value; receive, from the second server, a third message that includes the premaster secret; generate a master secret using the received premaster secret; and generate, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server. - View Dependent Claims (15, 16, 17, 18, 19, 20)
Specification