Secure session capability using public-key cryptography without access to the private key

US 10,129,224 B2
Filed: 01/23/2017
Issued: 11/13/2018
Est. Priority Date: 03/07/2013
Status: Active Grant

First Claim

Patent Images

1. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising the first server performing the following:

receiving a message from the client device that initiates a procedure to establish a secure session between the client device and the first server;

transmitting a digital certificate to the client device that includes a public key;

transmitting, to the second server, a request to generate and sign a set of cryptographic parameters, wherein the second server has the private key that corresponds to the public key;

receiving from the second server, a first message that includes the set of cryptographic parameters that have been signed using the private key;

transmitting, to the client device, the set of cryptographic parameters that have been signed using the private key;

receiving, from the client device, a value generated by the client device based in part on the set of cryptographic parameters;

transmitting, to the second server, a second message that includes the received value and a request to generate a premaster secret using the received value;

receiving, from the second server, a third message that includes the premaster secret;

generating a master secret using the received premaster secret; and

generating, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

Citations

20 Claims

1. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising the first server performing the following:
- receiving a message from the client device that initiates a procedure to establish a secure session between the client device and the first server;
  
  transmitting a digital certificate to the client device that includes a public key;
  
  transmitting, to the second server, a request to generate and sign a set of cryptographic parameters, wherein the second server has the private key that corresponds to the public key;
  
  receiving from the second server, a first message that includes the set of cryptographic parameters that have been signed using the private key;
  
  transmitting, to the client device, the set of cryptographic parameters that have been signed using the private key;
  
  receiving, from the client device, a value generated by the client device based in part on the set of cryptographic parameters;
  
  transmitting, to the second server, a second message that includes the received value and a request to generate a premaster secret using the received value;
  
  receiving, from the second server, a third message that includes the premaster secret;
  
  generating a master secret using the received premaster secret; and
  
  generating, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first server and the second server are owned by different entities.
  - 3. The method of claim 1, wherein the first server receives the message from the client device that initiates the procedure to establish the secure session between the client device and the first server as a result of a Domain Name System (DNS) request for a domain, for which the client device is attempting to establish the secure session, resolving to the first server.
  - 4. The method of claim 1, wherein the premaster secret is received over a secure session between the first server and the second server.
  - 5. The method of claim 4, further comprising:
    - as part of establishing the secure session between the first server and the second server, the first server transmitting a digital certificate of the first server to the second server.
  - 6. The method of claim 1, wherein the second server is an origin server, and wherein the method further comprises the first server performing the following:
    - receiving, from the client device over the secure session, an encrypted request for a resource of a domain of the second server;
      
      decrypting the encrypted request;
      
      retrieving the requested resource from the second server;
      
      generating a response that includes the retrieved resource;
      
      encrypting the generated response; and
      
      transmitting, to the client device over the secure session, the encrypted response.
  - 7. The method of claim 6, wherein retrieving the requested resource from the second server includes transmitting an encrypted request for the requested resource over a secure session between the first server and the second server.

8. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising the first server performing the following:
- receiving, from the client device, a Client Hello message;
  
  in response to the received Client Hello message, transmitting a Server Hello message to the client device;
  
  transmitting, to the client device, a Server Certificate message that includes one or more digital certificates;
  
  transmitting, to the second server, a request to generate and sign a set of server key exchange parameters;
  
  receiving, from the second server, a message that includes the server key exchange parameters that are signed;
  
  transmitting, to the client device, a Server Key Exchange message that includes the signed server key exchange parameters;
  
  transmitting, to the client device, a Server Hello Done message;
  
  receiving, from the client device, a Client Key Exchange message that includes a value generated by the client device based in part on the server key exchange parameters;
  
  transmitting, to the second server, the received value and a request to generate a premaster secret using the received value;
  
  receiving, from the second server, the premaster secret;
  
  generating a master secret using the premaster secret;
  
  receiving, from the client device, a first Change Cipher Spec message;
  
  receiving, from the client device, a first Finished message;
  
  transmitting, to the client device, a second Change Cipher Spec message; and
  
  transmitting, to the client device, a second Finished message.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the first server and the second server are owned or operated by different entities.
  - 10. The method of claim 8, wherein the message that includes the server key exchange parameters that are signed is received over a secure session between the first server and the second server.
  - 11. The method of claim 10, further comprising:
    - as part of establishing the secure session between the first server and the second server, the first server transmitting, to the second server, a client Certificate message that includes a digital certificate of the first server.
  - 12. The method of claim 8, wherein the second server is an origin server, and wherein the method further comprises the first server performing the following:
    - receiving, from the client device over the secure session, an encrypted request for a resource of a domain of the second server;
      
      decrypting the encrypted request;
      
      retrieving the requested resource from the second server;
      
      generating a response that includes the retrieved resource;
      
      encrypting the generated response; and
      
      transmitting, to the client device over the secure session, the encrypted response.
  - 13. The method of claim 12, wherein retrieving the requested resource from the second server includes transmitting an encrypted request for the requested resource over a secure session between the first server and the second server.

14. An apparatus, comprising:
- a first server including a set of one or more processors and a set of one or more non-transitory computer-readable storage mediums storing instructions, that when executed by the set of processors, cause the set of processors to perform the following operations;
  
  receive a message from a client device that initiates a procedure to establish a secure session between the client device and the first server;
  
  transmit a digital certificate to the client device that includes a public key;
  
  transmit, to a second server, a request to generate and sign a set of cryptographic parameters, wherein the second server is to have a private key that corresponds to the public key;
  
  receive from the second server, a first message that includes the set of cryptographic parameters that have been signed using the private key;
  
  transmit, to the client device, the set of cryptographic parameters that have been signed using the private key;
  
  receive, from the client device, a value generated by the client device based in part on the set of cryptographic parameters;
  
  transmit, to the second server, a second message that is to include the received value and a request to generate a premaster secret using the received value;
  
  receive, from the second server, a third message that includes the premaster secret;
  
  generate a master secret using the received premaster secret; and
  
  generate, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The apparatus of claim 14, wherein the first server and the second server are owned by different entities.
  - 16. The apparatus of claim 14, wherein the first server receives the message from the client device that initiates the procedure to establish the secure session between the client device and the first server as a result of a Domain Name System (DNS) request for a domain, in which the client device is attempting to establish the secure session, resolving to the first server.
  - 17. The apparatus of claim 14, wherein the premaster secret is received over a secure session between the first server and the second server.
  - 18. The apparatus of claim 17, wherein the set of non-transitory computer-readable storage mediums further stores instructions, that when executed by the set of processors, cause the set of processors to perform the following operations:
    - as part of the establishment of the secure session between the first server and the second server, the first server transmits a digital certificate of itself to the second server for the second server to authenticate an identity of the first server.
  - 19. The apparatus of claim 14, wherein the second server is an origin server, and wherein the set of non-transitory computer-readable storage mediums further stores instructions, that when executed by the set of processors, cause the set of processors to perform the following operations:
    - receive, from the client device over the secure session, an encrypted request for a resource of a domain of the origin server;
      
      decrypt the encrypted request;
      
      retrieve the requested resource from the origin server;
      
      generate a response that includes the retrieved resource;
      
      encrypt the generated response; and
      
      transmit, to the client device over the secure session, the encrypted response.
  - 20. The apparatus of claim 19, wherein the operation to retrieve the requested resource from the origin server includes a transmission of an encrypted request for the requested resource over a secure session between the first server and the origin server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
CloudFlare Incorporated
Inventors
Pahl, Sebastien Andreas Henry, Tourne, Matthieu Phillippe Francois, Sikora, Piotr, Bejjani, Ray Raymond, Knecht, Dane Orion, Prince, Matthew Browning, Graham-Cumming, John, Holloway, Lee Hahn, Strasheim, Albertus
Primary Examiner(s)
Shepperd, Eric W
Assistant Examiner(s)
Pan, Peiliang

Application Number

US15/413,187
Publication Number

US 20170134346A1
Time in Patent Office

659 Days
Field of Search

713169
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 2463/061   applying further key deriva...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0869   involving random numbers or...

H04L 9/3263   involving certificates, e.g...

Secure session capability using public-key cryptography without access to the private key

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure session capability using public-key cryptography without access to the private key

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links