Caching network generated security certificates

US 10,187,377 B2
Filed: 02/08/2017
Issued: 01/22/2019
Est. Priority Date: 02/08/2017
Status: Active Grant

First Claim

Patent Images

1. A system for caching network generated security certificates, the system comprising:

a security gateway node operable to;

receive, from a client, a session request to establish a secure connection with a server;

based on the session request, establish a first secure session and a second secure session, the first secure session including a secure session between the client and the security gateway node and the second secure session including a secure session between the security gateway node and the server;

upon establishing the second secure session, receive a server certificate from the server;

match the server certificate against a gateway certificate table based on one or more predetermined criteria to find a gateway certificate entry matching the server certificate, the gateway certificate table operable to cache a plurality of gateway certificates associated with one or more previous secure sessions between the client and the server;

based on the matching, receive a gateway certificate, the gateway certificate being associated with the gateway certificate entry matching the server certificate and being used for performing the first secure session; and

upon receiving the gateway certificate, forge the gateway certificate to obtain a forged gateway certificate, wherein the first secure session is performed using the forged gateway certificate; and

a storage module operable to store at least the gateway certificate table.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are methods and systems for caching network generated security certificates. An example system may include a security gateway node and a storage module. The security gateway node may be operable to receive, from a client, a session request to establish a secure connection with a server. Based on the session request, the security gateway node may establish a first secure session between the client and the security gateway node and a second secure session between the security gateway node and the server. The security gateway node may receive a server certificate from the server. The security gateway node may match the server certificate against a gateway certificate table. Based on the matching, the security gateway node may receive a gateway certificate associated with the gateway certificate entry that matches the server certificate. The gateway certificate may be used for performing the first secure session.

Citations

18 Claims

1. A system for caching network generated security certificates, the system comprising:
- a security gateway node operable to;
  
  receive, from a client, a session request to establish a secure connection with a server;
  
  based on the session request, establish a first secure session and a second secure session, the first secure session including a secure session between the client and the security gateway node and the second secure session including a secure session between the security gateway node and the server;
  
  upon establishing the second secure session, receive a server certificate from the server;
  
  match the server certificate against a gateway certificate table based on one or more predetermined criteria to find a gateway certificate entry matching the server certificate, the gateway certificate table operable to cache a plurality of gateway certificates associated with one or more previous secure sessions between the client and the server;
  
  based on the matching, receive a gateway certificate, the gateway certificate being associated with the gateway certificate entry matching the server certificate and being used for performing the first secure session; and
  
  upon receiving the gateway certificate, forge the gateway certificate to obtain a forged gateway certificate, wherein the first secure session is performed using the forged gateway certificate; and
  
  a storage module operable to store at least the gateway certificate table.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the security gateway node is further operable to:
    - based on the matching, determine that no gateway certificate entry matching the server certificate exists;
      
      upon the determination, generate a further gateway certificate based on the server certificate; and
      
      store the further gateway certificate to the gateway certificate table.
  - 3. The system of claim 1, wherein the security gateway node is further operable to, upon the receiving of the gateway certificate, validate the gateway certificate, wherein the validating is based at least on time information associated with the gateway certificate.
  - 4. The system of claim 3, wherein the security gateway node is further operable to:
    - based on the validating, determine that the gateway certificate is invalid;
      
      based on the determining, generate a further gateway certificate, the further gateway certificate being associated with the server certificate; and
      
      store the further gateway certificate to the gateway certificate table.
  - 5. The system of claim 1, wherein the security gateway node is further operable to:
    - based on the matching, determine a partial match of the server certificate and the gateway certificate entry;
      
      upon the determining, modify the gateway certificate entry based on the server certificate to obtain a modified gateway certificate, the modified gateway certificate being associated with the server certificate; and
      
      store the modified gateway certificate to the gateway certificate table.
  - 6. The system of claim 1, wherein the security gateway node is further operable to:
    - exchange one or more gateway certificates with a further security gateway node, wherein the exchanging includes sending by the security gateway node one or more of the plurality of gateway certificates to the further security gateway node and receiving, by the security gateway node, a further plurality of gateway certificates from the further security gateway node.
  - 7. The system of claim 1, wherein the security gateway node is further operable to:
    - continuously monitor the gateway certificate table based on a current time and time information associated with the plurality of gateway certificates stored in the gateway certificate table; and
      
      determine that one of the plurality of gateway certificates has expired.
  - 8. The system of claim 7, wherein the security gateway node is further operable to:
    - based on the determining that one of the plurality of gateway certificates has expired, query the server to receive an updated server certificate;
      
      upon receipt of the updated server certificate, generate a further gateway certificate based on the one of the plurality of gateway certificates; and
      
      replace the one of the plurality of gateway certificates with the further gateway certificate in one of gateway certificate entries of the gateway certificate table.

9. A method for caching network generated security certificates, the method comprising:
- receiving, by a security gateway node, from a client, a session request to establish a secure connection with a server;
  
  based on the session request, establishing, by the security gateway node, a first secure session and a second secure session, the first secure session including a secure session between the client and the security gateway node and the second secure session including a secure session between the security gateway node and the server;
  
  upon establishing the second secure session, receiving, by the security gateway node, a server certificate from the server;
  
  matching, by the security gateway node, the server certificate against a gateway certificate table based on one or more predetermined criteria to find a gateway certificate entry matching the server certificate, the gateway certificate table operable to cache a plurality of gateway certificates associated with one or more previous secure sessions between the client and the server;
  
  based on the matching, receiving, by the security gateway node, a gateway certificate, the gateway certificate being associated with the gateway certificate entry matching the server certificate and being used for performing the first secure session; and
  
  upon receiving the gateway certificate, forging the gateway certificate to obtain a forged gateway certificate, wherein the first secure session is performed using the forged gateway certificate.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, further comprising:
    - based on the matching, determining that no gateway certificate entry matching the server certificate exists;
      
      upon the determination, generating a further gateway certificate based on the server certificate; and
      
      storing the further gateway certificate to the gateway certificate table.
  - 11. The method of claim 9, further comprising, upon the receiving of the gateway certificate, validating, by the security gateway node, the gateway certificate, wherein the validating is based at least on time information associated with the gateway certificate.
  - 12. The method of claim 11, further comprising:
    - based on the validating, determining, by the security gateway node, that the gateway certificate is invalid;
      
      based on the determining, generating, by the security gateway node, a further gateway certificate, the further gateway certificate being associated with the server certificate; and
      
      storing the further gateway certificate to the gateway certificate table.
  - 13. The method of claim 12, further comprising removing the gateway certificate from the gateway certificate table.
  - 14. The method of claim 9, further comprising:
    - based on the matching, determining a partial match of the server certificate and the gateway certificate entry;
      
      upon the determining, modifying the gateway certificate entry based on the server certificate to obtain a modified gateway certificate, the modified gateway certificate being associated with the server certificate; and
      
      storing the modified gateway certificate to the gateway certificate table.
  - 15. The method of claim 9, further comprising:
    - exchanging, by the security gateway node, one or more gateway certificates with a further security gateway node, wherein the exchanging includes sending by the security gateway node one or more of the plurality of gateway certificates to the further security gateway node and receiving, by the security gateway node, a further plurality of gateway certificates from the further security gateway node.
  - 16. The method of claim 9, further comprising:
    - continuously monitoring the gateway certificate table based on a current time and time information associated with the plurality of gateway certificates stored in the gateway certificate table; and
      
      determining that one of the plurality of gateway certificates has expired.
  - 17. The method of claim 16, further comprising:
    - based on the determining that one of the plurality of gateway certificates has expired, querying the server to receive an updated server certificate;
      
      upon receipt of the updated server certificate, generating a further gateway certificate based on the one of the plurality of gateway certificates; and
      
      replacing the one of the plurality of gateway certificates with the further gateway certificate in one of gateway certificate entries of the gateway certificate table.

18. A system for caching network generated security certificates, the system comprising:
- a security gateway node operable to;
  
  receive, from a client, a session request to establish a secure connection with a server;
  
  based on the session request, establish a first secure session and a second secure session, the first secure session including a secure session between the client and the security gateway node and the second secure session including a secure session between the security gateway node and the server;
  
  upon establishing the second secure session, receive a server certificate from the server;
  
  match the server certificate against a gateway certificate table based on one or more predetermined criteria to find a gateway certificate entry matching the server certificate, the gateway certificate table operable to cache a plurality of gateway certificates associated with one or more previous secure sessions between the client and the server;
  
  based on the matching, receive a gateway certificate, the gateway certificate being associated with the gateway certificate entry matching the server certificate and being used for performing the first secure session;
  
  upon the receiving of the gateway certificate, validate the gateway certificate, wherein the validating is based at least on time information associated with the gateway certificate and forge the gateway certificate to obtain a forged gateway certificate, wherein the first secure session is performed using the forged gateway certificate;
  
  based on the matching, determine that no gateway certificate entry matching the server certificate exists;
  
  upon the determining, generate a further gateway certificate based on the server certificate; and
  
  store the further gateway certificate to the gateway certificate table; and
  
  a storage module operable to store at least the gateway certificate table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Golshan, Ali, Jiang, Xuyang, Yang, Yang
Primary Examiner(s)
Dinh, Minh

Application Number

US15/428,036
Publication Number

US 20180227292A1
Time in Patent Office

713 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0281 Proxies

H04L 63/0823 using certificates cryptogr...

Caching network generated security certificates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Caching network generated security certificates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links