SSL gateway with integrated hardware security module

US 10,341,118 B2
Filed: 08/01/2016
Issued: 07/02/2019
Est. Priority Date: 08/01/2016
Status: Active Grant

First Claim

Patent Images

1. A security network system for providing secure data communication, the system comprising:

a security gateway operable to;

establish a client session between the security gateway and a client device, wherein the client session is an unencrypted session;

receive client session information from the client session, wherein the client session information includes an identification of a server with which the client device needs to exchange data; and

a hardware security module (HSM) being a stand-alone hardware device in communication with the security gateway, wherein the HSM is operable to;

store a public key received by the security gateway from the server based on the identification of the server;

upon the storing of the public key, create a secret for encryption and decryption;

encrypt the secret using the public key of the server; and

provide the secret encrypted by the HSM to the security gateway;

wherein the security gateway is further configured to establish a secure session between the security gateway and the server based on client session data, the secure session being encrypted by the security gateway using the secret, wherein the client device communicates with the server via the client session between the security gateway and the client device and the secure session between the security gateway and the server, wherein the server decrypts the secure session using the public key of the server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security network system may include a security gateway operable to establish a client session between the security gateway and a client device. The security gateway is operable to receive client session information from the client session. The client session information includes an identification of a server with which the client device needs to exchange data. The security network system may also include a Hardware Security Module (HSM) in communication with the security gateway. The HSM is operable to establish, in concert with the security gateway, a secure session between the security gateway and the server based on the client session data, a public key, a secret key, and context attributed to the secure session.

158 Citations

20 Claims

1. A security network system for providing secure data communication, the system comprising:
- a security gateway operable to;
  
  establish a client session between the security gateway and a client device, wherein the client session is an unencrypted session;
  
  receive client session information from the client session, wherein the client session information includes an identification of a server with which the client device needs to exchange data; and
  
  a hardware security module (HSM) being a stand-alone hardware device in communication with the security gateway, wherein the HSM is operable to;
  
  store a public key received by the security gateway from the server based on the identification of the server;
  
  upon the storing of the public key, create a secret for encryption and decryption;
  
  encrypt the secret using the public key of the server; and
  
  provide the secret encrypted by the HSM to the security gateway;
  
  wherein the security gateway is further configured to establish a secure session between the security gateway and the server based on client session data, the secure session being encrypted by the security gateway using the secret, wherein the client device communicates with the server via the client session between the security gateway and the client device and the secure session between the security gateway and the server, wherein the server decrypts the secure session using the public key of the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the security gateway is further operable to:
    - send a first request to the server, wherein the first request includes at least a part of the client session information;
      
      in response to the first request, receive a security certificate and the public key from the server; and
      
      determine that the security certificate obtained from the server is a valid security certificate.
  - 3. The system of claim 2, wherein the security gateway is further operable to send a second request to the HSM, wherein the second request includes the public key obtained from the server;
    - andwherein the HSM is further operable to generate a key entry in a storage of the HSM in response to the receipt of the second request, wherein the key entry includes the public key obtained from the server.
  - 4. The system of claim 3, wherein the HSM is further operable to generate a key handle associated with the public key, wherein the key handle is configured to uniquely identify the public key;
    - andwherein the key entry further includes the key handle.
  - 5. The system of claim 4, wherein the security gateway is further operable to:
    - receive the key handle from the HSM;
      
      generate a key handle entry in a storage of the security gateway; and
      
      store the key handle received from the HSM in the key handle entry.
  - 6. The system of claim 5, wherein the security gateway is further operable to send by the security gateway a third request to the HSM;
    - andwherein the HSM is further operable to;
      
      generate, in response to the receipt of the third request, a context of the secure session between the security gateway and the server; and
      
      generate, in response to the receipt of the third request, the secret, wherein the secret includes at least one secret key for data encryption or decryption.
  - 7. The system of claim 6, wherein the security gateway is further operable to send by the security gateway a fourth request to the HSM, wherein the fourth request includes the key handle from the storage of the security gateway;
    - andwherein the HSM is further operable to;
      
      in response to the receipt of the fourth request, match the key handle from the storage of the security gateway with the key entry stored in the storage of the HSM;
      
      based on a result of the matching, retrieve the public key from the key entry; and
      
      based on the result of the matching, retrieve the secret.
  - 8. The system of claim 7, wherein the HSM is further operable to:
    - generate a Secure Sockets Layer (SSL) message including the secret encrypted using the public key; and
      
      send the SSL message to the security gateway.
  - 9. The system of claim 8, wherein the security gateway is further operable to:
    - send the SSL message to the server, wherein the SSL message causes the server to decrypt the SSL message and retrieve the secret from the SSL message;
      
      wherein the establishing of the secure session between the security gateway and the server enables the security gateway to exchange encrypted data packets with the server encrypted, wherein the encrypted data packets can be decrypted by the server by decrypting the secret using the public key.

10. A method for providing secure data communication through a security network system, the security network system including a security gateway and at least one Hardware Security Module (HSM), the HSM being a stand-alone hardware device in communication with the security gateway, the method comprising:
- establishing, by the security gateway, a client session between the security gateway and a client device, wherein the client session is an unencrypted session;
  
  receiving, by the security gateway, client session information from the client session, wherein the client session information includes an identification of a server with which the client device needs to exchange data;
  
  storing, by the HSM, a public key received by the security gateway from the server based on the identification of the server;
  
  upon the storing of the public key, creating, by the HSM, a secret for encryption and decryption;
  
  encrypting, by the HSM, the secret using the public key of the server;
  
  providing, by the HSM, the secret encrypted by the HSM to the security gateway; and
  
  establishing, by the security gateway, a secure session between the security gateway and the server based on client session data, the secure session being encrypted by the security gateway using the secret, wherein the client device communicates with the server via the client session between the security gateway and the client device and the secure session between the security gateway and the server, wherein the server decrypts the secure session using the public key of the server.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, wherein the establishing of the secure session comprises:
    - sending by the security gateway a first request to the server, wherein the first request includes at least a part of the client session information; and
      
      in response to the first request, receiving by the security gateway a security certificate and the public key from the server.
  - 12. The method of claim 11, further comprising determining by the security gateway that the security certificate obtained from the server is a valid security certificate.
  - 13. The method of claim 12, further comprising:
    - sending by the security gateway a second request to the HSM, wherein the second request includes the public key obtained from the server; and
      
      in response to the receipt of the second request, generating by the HSM a key entry in a storage of the HSM, wherein the key entry includes the public key obtained from the server.
  - 14. The method of claim 13, further comprising generating by the HSM a key handle associated with the public key, wherein the key handle is configured to uniquely identify the public key;
    - andwherein the key entry further includes the key handle.
  - 15. The method of claim 14, further comprising:
    - receiving by the security gateway the key handle from the HSM;
      
      generating by the security gateway a key handle entry in a storage of the security gateway; and
      
      storing by the security gateway the key handle received from the HSM in the key handle entry.
  - 16. The method of claim 15, further comprising:
    - sending by the security gateway a third request to the HSM;
      
      in response to the receipt of the third request, generating by the HSM a context of the secure session between the security gateway and the server; and
      
      in response to the receipt of the third request, generating by the HSM the secret, wherein the secret includes at least one secret key for data encryption or decryption.
  - 17. The method of claim 16, further comprising:
    - sending by the security gateway a fourth request to the HSM, wherein the fourth request includes the key handle from the storage of the security gateway;
      
      in response to the receipt of the fourth request, matching by the HSM the key handle from the storage of the security gateway with the key entry stored in the storage of the HSM;
      
      based on a result of the matching, retrieving by the HSM the public key from the key entry; and
      
      based on the result of the matching, retrieving the secret by the HSM.
  - 18. The method of claim 17, further comprising:
    - generating by the HSM a SSL message including the secret encrypted using the public key; and
      
      sending the SSL message by the HSM to the security gateway.
  - 19. The method of claim 18, further comprising:
    - sending by the security gateway the SSL message to the server, wherein the SSL message causes the server to decrypt the SSL message and retrieve the secret from the SSL message; and
      
      wherein the establishing, by the security gateway and the server, of the secure session between the security gateway and the server enables the security gateway to exchange encrypted data packets with the server, wherein the encrypted data packets can be decrypted by the server by decrypting the secret using the public key.

20. A non-transitory processor-readable medium having instructions stored thereon, which when executed by one or more processors, cause the one or more processors to implement a method for providing secure data communication through a security network system, the security network system including a security gateway and at least one Hardware Security Module (HSM), the HSM being a stand-alone hardware device in communication with the security gateway, the method comprising:
- establishing, by the security gateway, a client session between the security gateway and a client device, wherein the client session is an unencrypted session;
  
  receiving, by the security gateway, client session information from the client session, wherein the client session information includes an identification of a server with which the client device needs to exchange data;
  
  storing, by the HSM, a public key received by the security gateway from the server based on the identification of the server;
  
  upon the storing of the public key, creating, by the HSM, a secret for encryption and decryption;
  
  encrypting, by the HSM, the secret using the public key of the server;
  
  providing, by the HSM, the secret encrypted by the HSM to the security gateway; and
  
  establishing, by the security gateway, a secure session between the security gateway and the server based on the client session data, the secure session being encrypted by the security gateway using the secret, wherein the client device communicates with the server via the client session between the security gateway and the client device and the secure session between the security gateway and the server, wherein the server decrypts the secure session using the public key of the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Yang, Yang, Jiang, Xuyang, Golshan, Ali
Primary Examiner(s)
Henning, Matthew T

Application Number

US15/225,818
Publication Number

US 20180034643A1
Time in Patent Office

1,065 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/00   Network architectures or ne...

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 67/141   Setup of application sessio...

H04L 9/0827   involving distinctive inter...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3263   involving certificates, e.g...

SSL gateway with integrated hardware security module

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

158 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SSL gateway with integrated hardware security module

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

158 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links