Verification of server certificates using hash codes

US 10,382,562 B2
Filed: 11/04/2016
Issued: 08/13/2019
Est. Priority Date: 11/04/2016
Status: Active Grant

First Claim

Patent Images

1. A system for verifying a server security certificate using a hash code, the system comprising:

a client secure socket layer (SSL) node operable to;

receive, from a client, a session request to establish an SSL communication session with a server, the session request including at least a server address of the server;

forward the session request to a service gateway node; and

based on determining that the server security certificate is a valid server security certificate of the server, establish the SSL communication session between the client and the server;

the service gateway node in communication with the client SSL node, the service gateway node being operable to;

send the session request to the server using the server address;

receive the server security certificate from the server, responsive to the session request;

query a server domain name system (DNS) module associated with the server to receive the hash code associated with the server, wherein the querying includes sending at least the server address to the server DNS module;

in response to the querying, receive the hash code associated with the server from the server DNS module, the hash code including at least a first hash value associated with the server and a hash function to be applied to the first hash value to obtain the valid server security certificate;

calculate a second hash value associated with the server by applying the hash function to the server security certificate;

match the first hash value associated with the server and the second hash value associated with the server; and

based on the matching, determine whether the server security certificate is the valid server security certificate; and

a storage node operable to store at least the server security certificate and the hash code associated with the server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described are systems and methods for verifying server security certificates using hash codes. The system may include a client secure socket layer (SSL) node, a service gateway node, and a storage node. The client SSL node may receive a session request from a client. The service gateway node may forward the session request to a server to receive a server security certificate. The service gateway node may query a server domain name system module to receive a hash code. The hash code may include a first hash value and a hash function to obtain the server security certificate based on the first hash value. The service gateway node may calculate a second hash value by applying the hash function to the server security certificate and match the second hash value and the first hash value to determine whether the server security certificate is valid.

Citations

20 Claims

1. A system for verifying a server security certificate using a hash code, the system comprising:
- a client secure socket layer (SSL) node operable to;
  
  receive, from a client, a session request to establish an SSL communication session with a server, the session request including at least a server address of the server;
  
  forward the session request to a service gateway node; and
  
  based on determining that the server security certificate is a valid server security certificate of the server, establish the SSL communication session between the client and the server;
  
  the service gateway node in communication with the client SSL node, the service gateway node being operable to;
  
  send the session request to the server using the server address;
  
  receive the server security certificate from the server, responsive to the session request;
  
  query a server domain name system (DNS) module associated with the server to receive the hash code associated with the server, wherein the querying includes sending at least the server address to the server DNS module;
  
  in response to the querying, receive the hash code associated with the server from the server DNS module, the hash code including at least a first hash value associated with the server and a hash function to be applied to the first hash value to obtain the valid server security certificate;
  
  calculate a second hash value associated with the server by applying the hash function to the server security certificate;
  
  match the first hash value associated with the server and the second hash value associated with the server; and
  
  based on the matching, determine whether the server security certificate is the valid server security certificate; and
  
  a storage node operable to store at least the server security certificate and the hash code associated with the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the hash function is selected from a group comprising:
    - a Message Digest 5 (MD5) algorithm, a 16-bit cyclic redundancy check (CRC), a 32-bit CRC, a 64-bit CRC, a Secure Hash Algorithm (SHA) Version 1, a SHA Version 2, and SHA-512.
  - 3. The system of claim 1, wherein the client includes a plurality of modules including at least a network application, an SSL module, and a client DNS module.
  - 4. The system of claim 1, wherein the client SSL node is further operable to:
    - based on the determination that the server security certificate is not the valid server security certificate, terminate the SSL communication session between the client and the server.
  - 5. The system of claim 1, wherein the service gateway node is further operable to:
    - based on the server address, query the storage node to obtain the hash code associated with the server from the storage node, the hash code being stored in the storage node during at least one previous SSL communication session between the client and the server.
  - 6. The system of claim 1, wherein the SSL communication session includes a secure session selected from a group comprising:
    - a Hypertext Transfer Protocol (HTTP) session, a file transfer session, a remote access session, a File Transfer Protocol (FTP) session, a voice over Internet Protocol (VoiP) session, a Session Initiation Protocol (SIP) session, a video streaming session, an audio streaming session, an e-commerce session, an enterprise application session, an email session, an online gaming session, a teleconference session, and a web-based communication session.
  - 7. The system of claim 1, wherein the client SSL node is further operable to:
    - forge the server security certificate to provide a forged server security certificate; and
      
      provide the forged server security certificate to the client to establish a secure connection between the client and the service gateway node based on the forged server security certificate and to establish a secure connection between the service gateway node and the server based on the server security certificate.
  - 8. The system of claim 1, wherein the client SSL node is further operable to:
    - query the storage node to obtain a forged server security certificate for the server security certificate, the forged server security certificate being stored in the storage node during at least one previous SSL communication session between the client and the server; and
      
      provide the forged server security certificate to the client to establish a secure connection between the client and the client SSL node based on the forged server security certificate and to establish a secure connection between the client SSL node and the server based on the server security certificate.
  - 9. The system of claim 1, wherein the hash code is selected from a group comprising:
    - an integer, a hexa-decimal number, and a string of characters.
  - 10. The system of claim 1, wherein the service gateway node is further operable to:
    - determine that the hash code includes a plurality of hash codes associated with one or more further server security certificates, each of the plurality of hash codes comprising a first further hash value;
      
      determine that the server security certificate is associated with the one or more further server security certificates, the one or more further server security certificates being previously stored in the storage node during at least one previous SSL communication session between the client and the server;
      
      determine a plurality of further second hash values, each further second hash value being associated with one of the one or more further server security certificates; and
      
      determine that at least one of the plurality of further second hash values matches the first further hash value to determine whether the server security certificate is valid.

11. A method for verifying a server security certificate using a hash code, the method comprising:
- receiving, by a client secure sockets layer (SSL) node, from a client, a session request to establish an SSL communication session with a server, the session request including at least a server address of the server;
  
  forwarding, by the client SSL node, the session request to a service gateway node;
  
  sending, by the service gateway node, the session request to the server based on the server address;
  
  receiving, by the service gateway node, the server security certificate from the server responsive to the session request;
  
  querying, by the service gateway node, a server domain name system (DNS) module associated with the server to receive the hash code associated with the server, wherein the querying includes sending at least the server address to the server DNS module;
  
  in response to the querying, receiving, by the service gateway node, the hash code associated with the server from the server DNS module, the hash code including at least a first hash value associated with the server and a hash function to be applied to the first hash value to obtain a valid server security certificate of the server;
  
  calculating, by the service gateway node, a second hash value associated with the server by applying the hash function to the server security certificate;
  
  matching, by the service gateway node, the first hash value associated with the server and the second hash value associated with the server;
  
  based on the matching, determining, by the service gateway node, whether the server security certificate is the valid server security certificate; and
  
  based on the determination that the server security certificate is the valid server security certificate, establishing, by the client SSL node, the SSL communication session between the client and the server.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, wherein the hash function is selected from a group comprising:
    - a Message Digest 5 (MD5) algorithm, a 16-bit cyclic redundancy check (CRC), a 32-bit CRC, a 64-bit CRC, a Secure Hash Algorithm (SHA) Version 1, a SHA Version 2, and SHA 512.
  - 13. The method of claim 11, wherein the client includes a plurality of modules including at least a network application, an SSL module, and a client DNS module.
  - 14. The method of claim 11, further comprising:
    - based on the determination that the server security certificate is not the valid server security certificate, terminating, by the client SSL node, the SSL communication session between the client and the server.
  - 15. The method of claim 11, further comprising:
    - based on the server address, querying, by the service gateway node, a storage node to obtain the hash code associated with the server from the storage node, the hash code being stored in the storage node by the service gateway node during at least one previous SSL communication session between the client and the server.
  - 16. The method of claim 11, wherein the SSL communication session includes a secure session selected from a group comprising:
    - a Hypertext Transfer Protocol (HTTP) session, a file transfer session, a remote access session, a File Transfer Protocol (FTP) session, a voice over Internet Protocol (VoiP) session, a Session Initiation Protocol (SIP) session, a video streaming session, an audio streaming session, an e-commerce session, an enterprise application session, an email session, an online gaming session, a teleconference session, and a web-based communication session.
  - 17. The method of claim 11, further comprising:
    - forging, by the client SSL node, the server security certificate to provide a forged server security certificate; and
      
      providing, by the client SSL node, the forged server security certificate to the client to establish a secure connection between the client and the client SSL node based on the forged server security certificate and to establish a secure connection between the client SSL node and the server based on the server security certificate.
  - 18. The method of claim 11, further comprising:
    - querying, by the client SSL node, a storage node to obtain a forged server security certificate for the server security certificate, the forged server security certificate being stored in the storage node by the client SSL node during at least one previous SSL communication session between the client and the server; and
      
      providing, by the client SSL node, the forged server security certificate to the client to establish a secure connection between the client and the client SSL node based on the forged server security certificate and to establish a secure connection between the client SSL node and the server based on the server security certificate.
  - 19. The method of claim 11, further comprising:
    - determining, by the service gateway node, that the hash code includes a plurality of hash codes associated with one or more further server security certificates, each of the plurality of hash codes comprising a first further hash value;
      
      determining, by the service gateway node, that the server security certificate is associated with the one or more further server security certificates, the one or more further server security certificates being previously stored in a storage node during at least one previous SSL communication session between the client and the server;
      
      determining, by the service gateway node, a plurality of further second hash values, each further second hash value being associated with one of the one or more further server security certificates; and
      
      determining, by the service gateway node, that at least one of the plurality of further second hash values matches the first further hash value to determine whether the server security certificate is valid.

20. A system for verifying a server security certificate using a hash code, the system comprising:
- a client secure socket layer (SSL) node operable to;
  
  receive, from a client, a session request to establish an SSL communication session with a server, the session request including at least a server address of the server;
  
  forward the session request to a service gateway node;
  
  based on determining that the server security certificate is a valid server security certificate of the server, establish the SSL communication session between the client and the server;
  
  based on determining that the server security certificate is not the valid server security certificate, terminate the SSL communication session between the client and the server;
  
  query a storage node to obtain a forged server security certificate for the server security certificate, the forged server security certificate being stored in the storage node during at least one previous SSL communication session between the client and the server; and
  
  provide the forged server security certificate to the client to establish a secure connection between the client and the client SSL node based on the forged server security certificate and to establish a secure connection between the client SSL node and the server based on the server security certificate;
  
  the service gateway node in communication with the client SSL node, the service gateway node being operable to;
  
  send the session request to the server based on the server address;
  
  receive the server security certificate from the server responsive to the session request;
  
  query a server domain name system (DNS) module associated with the server to receive the hash code associated with the server, wherein the querying includes sending at least the server address to the server DNS module;
  
  in response to the querying, receive the hash code associated with the server from the server DNS module, the hash code including at least a first hash value associated with the server and a hash function to be applied to the first hash value to obtain the valid server security certificate;
  
  calculate a second hash value associated with the server by applying the hash function to the server security certificate, wherein the hash function is selected from a group comprising;
  
  a Message Digest 5 (MD5) algorithm, a 16-bit cyclic redundancy check (CRC), a 32-bit CRC, a 64-bit CRC, a Secure Hash Algorithm (SHA) Version 1, a SHA Version , and SHA-512;
  
  match the first hash value associated with the server and the second hash value associated with the server; and
  
  based on the matching, determine whether the server security certificate is the valid server security certificate; and
  
  the storage node operable to store at least the server security certificate and the hash code associated with the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Yang, Yang, Jiang, Xuyang, Golshan, Ali
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US15/344,443
Publication Number

US 20180131521A1
Time in Patent Office

1,012 Days
Field of Search

713156
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/0272   Virtual private networks

H04L 63/045   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/166   at the transport layer

H04L 67/141   Setup of application sessio...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3265   using certificate chains, t...

H04L 9/50   using hash chains, e.g. blo...

Verification of server certificates using hash codes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Verification of server certificates using hash codes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links