System and method for providing improved optimization for secure session connections

US 10,447,658 B2
Filed: 01/22/2016
Issued: 10/15/2019
Est. Priority Date: 01/22/2016
Status: Active Grant

First Claim

Patent Images

1. An appliance comprising:

one or more network interfaces configured to facilitate secure communications between a client device and a server, wherein the secure communications involve a plurality of secure session connections comprising a first secure session connection between the client device and the appliance and a second secure session connection between the appliance and another appliance; and

a secure session connection optimizer module comprising a processor configured to;

receive a secure session connection request from the client device,determine, using information from the secure session connection request, whether a lookup table includes information that client authentication is required by the server,if the information indicates that client authentication is not required by the server, provide an instruction to the other appliance, andif the information indicates that client authentication is required by the server, provide the secure connection request to the other appliance over the second secure connection via the appliance decrypting communications received from the first secure session connection using a key shared with the client device, and encrypting the decrypted communications to be sent via the second secure connection using a key shared with the other appliance.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for optimizing network traffic is described. The system includes a plurality of appliances. An appliance comprises one or more network interfaces and a secure session connection optimizer module. The one or more network interfaces are configured to facilitate secure communications between a client device and a server, wherein the secure communications involve a plurality of secure session connections comprising a first secure session connection between the client device and the appliance and a second secure session connection between the appliance and another appliance. The secure session connection optimizer module is configured to receive a secure session connection request from the client device, determine, using information from the secure session connection request, whether a lookup table includes information that client authentication is required by the server, if the information indicates that client authentication is not required by the server, provide an instruction to the other appliance, and if the information indicates that client authentication is required by the server, provide the secure connection request to the other appliance over the second secure connection.

8 Citations

View as Search Results

54 Claims

1. An appliance comprising:
- one or more network interfaces configured to facilitate secure communications between a client device and a server, wherein the secure communications involve a plurality of secure session connections comprising a first secure session connection between the client device and the appliance and a second secure session connection between the appliance and another appliance; and
  
  a secure session connection optimizer module comprising a processor configured to;
  
  receive a secure session connection request from the client device,determine, using information from the secure session connection request, whether a lookup table includes information that client authentication is required by the server,if the information indicates that client authentication is not required by the server, provide an instruction to the other appliance, andif the information indicates that client authentication is required by the server, provide the secure connection request to the other appliance over the second secure connection via the appliance decrypting communications received from the first secure session connection using a key shared with the client device, and encrypting the decrypted communications to be sent via the second secure connection using a key shared with the other appliance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The appliance of claim 1, wherein the secure session connection optimizer module is further configured to access the lookup table upon receipt of the secure session connection request.
  - 3. The appliance of claim 1, wherein the information that client authentication is not required indicates that the appliance is acting as a split proxy mode.
  - 4. The appliance of claim 1, wherein the information that client authentication is required indicates that the appliance is acting as a transparent mode.
  - 5. The appliance of claim 1, wherein the instruction indicates that the other appliance is to initiate a secure session handshake procedure between the other appliance and the server.
  - 6. The appliance of claim 1, wherein the secure session connections are established based on a secure session layer (SSL) or a transport layer security (TLS) handshake protocol.
  - 7. The appliance of claim 1, wherein the secure session connection optimizer module is further configured to determine, using information from the secure session connection request, whether the lookup table includes certificate information.
  - 8. The appliance of claim 7, wherein the secure session connection optimizer module is further configured to establish the first secure session connection with the client device using the certificate information in response to the secure connection request.
  - 9. The appliance of claim 1, wherein the determination that the lookup table does not include information on client authentication or failing to access the lookup table further comprises the secure session connection optimizer module configured to forward the secure session connection request to the other appliance.
  - 10. The appliance of claim 1, wherein the secure session connection optimizer module is further configured to add an entry in the lookup table, if the entry does not exist for the server, wherein the entry is allocated to store at least one of:
    - mode information, certificate information, information that client authentication is not required by the server, and premaster secret information.
  - 11. The appliance of claim 10, wherein the entry in the lookup table is distinguished based on IP address and port information of the server.
  - 12. The appliance of claim 10, wherein the mode information comprises one of a split proxy mode and a transparent mode.
  - 13. The appliance of claim 1, wherein the determination whether the lookup table does not include information on client authentication further comprises the secure session connection optimizer module configured to:
    - receive, from the other appliance, information that client authentication is not required by the server; and
      
      store the information in the lookup table that client authentication is not required by the server.
  - 14. The appliance of claim 1, wherein the determination whether the lookup table does not include information on client authentication further comprises the secure session connection optimizer module configured to:
    - receive, from the other appliance, certificate information;
      
      establish the first secure session connection using the certificate information in response to the secure connection request; and
      
      store the certificate information in the lookup table.
  - 15. The appliance of claim 3, wherein the secure session connection optimizer module is further configured to determine whether the lookup table includes premaster secret information, when determining that the appliance is acting as the split proxy mode.
  - 16. The appliance of claim 15, wherein the secure session connection optimizer module is further configured to send the other appliance a request to decrypt client key exchange, based on determining that the lookup table does not include premaster secret information.
  - 17. The appliance of claim 16, wherein the secure session connection optimizer module is further configured to obtain premaster secret information from the decrypted client key exchange.
  - 18. The appliance of claim 17, wherein the premaster secret information is used to derive a master secret, wherein the master secret is used to encrypt or decrypt data.

19. A method comprising:
- facilitating secure communications between a client device and a server, wherein the secure communications involve a plurality of secure session connections comprising a first secure session connection between the client device and the appliance and a second secure session connection between the appliance and another appliance;
  
  receiving a secure session connection request from the client device;
  
  determining, using information from the secure session connection request, whether a lookup table includes information that client authentication is required by the server;
  
  if the information indicates that client authentication is not required by the server, providing an instruction to the other appliance; and
  
  if the information indicates that client authentication is required by the server, providing the secure connection request to the other appliance over the second secure connection via the appliance decrypting communications received from the first secure session connection using a key shared with the client device, and encrypting the decrypted communications to be sent via the second secure connection using a key shared with the other appliance.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The method of claim 19, further comprising accessing to the lookup table upon receipt of the secure session connection request.
  - 21. The method of claim 19, wherein the information that client authentication is not required indicates that the appliance is acting as a split proxy mode.
  - 22. The method of claim 19, wherein the information that client authentication is required indicates that the appliance is acting as a transparent mode.
  - 23. The method of claim 19, wherein the instruction indicates the other appliance to initiate a secure session handshake procedure between the other appliance and the server.
  - 24. The method of claim 19, wherein the secure session connections are established based on a secure session layer (SSL) or a transport layer security (TLS) handshake protocol.
  - 25. The method of claim 19, further comprising determining, using information from the secure session connection request, whether the lookup table includes certificate information.
  - 26. The method of claim 25, further comprising establishing the first secure session connection with the client device using the certificate information in response to the secure connection request.
  - 27. The method of claim 19, further comprising forwarding the secure session connection request to the other appliance, based on determination that the lookup table does not include information on client authentication or failing to access the lookup table.
  - 28. The method of claim 19, further comprising adding an entry in the lookup table, if the entry not existing for the server, wherein the entry is allocated to store at least one of:
    - mode information, certificate information, information that client authentication is not required by the server, and premaster secret information.
  - 29. The method of claim 28, wherein the entry in the lookup table is distinguished based on IP address and port information of the server.
  - 30. The method of claim 28, wherein the mode information comprises one of a split proxy mode and a transparent mode.
  - 31. The method of claim 19, further comprising, based on determination that the lookup table does not include information on client authentication:
    - receiving, from the other appliance, information that client authentication is not required by the server; and
      
      storing the information in the lookup table that client authentication is not required by the server.
  - 32. The method of claim 19, further comprising, based on determination that the lookup table does not include information on client authentication:
    - receiving, from the other appliance, certificate information;
      
      establishing the first secure session connection using the certificate information in response to the secure connection request; and
      
      storing the certificate information in the lookup table.
  - 33. The method of claim 21, further comprising determining whether the lookup table includes premaster secret information, when determining that the appliance is acting as the split proxy mode.
  - 34. The method of claim 33, further comprising sending the other appliance a request to decrypt client key exchange, based on determining that the lookup table does not include premaster secret information.
  - 35. The method of claim 34, further comprising obtaining premaster secret information from the decrypted client key exchange.
  - 36. The method of claim 35, wherein the premaster secret information is used to derive a master secret, wherein the master secret is used to encrypt or decrypt data.

37. A non-transitory computer readable storage medium that stores a set of instructions that is executable by at least one processor of an appliance to cause the appliance to perform a method, the method comprising:
- facilitating secure communications between a client device and a server, wherein the secure communications involve a plurality of secure session connections comprising a first secure session connection between the client device and the appliance and a second secure session connection between the appliance and another appliance;
  
  receiving a secure session connection request from the client device;
  
  determining, using information from the secure session connection request, whether a lookup table includes information that client authentication is required by the server;
  
  if the information indicates that client authentication is not required by the server, providing an instruction to the other appliance; and
  
  if the information indicates that client authentication is required by the server, providing the secure connection request to the other appliance over the second secure connection via the appliance decrypting communications received from the first secure session connection using a key shared with the client device, and encrypting the decrypted communications to be sent via the second secure connection using a key shared with the other appliance.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 38. The non-transitory computer readable storage medium of claim 37, wherein the set of instructions that is executable by the at least one processor of the apparatus to cause the apparatus to further perform:
    - accessing to the lookup table upon receipt of the secure session connection request.
  - 39. The non-transitory computer readable storage medium of claim 37, wherein the information that client authentication is not required indicates that the appliance is acting as a split proxy mode.
  - 40. The non-transitory computer readable storage medium of claim 37, wherein the information that client authentication is required indicates that the appliance is acting as a transparent mode.
  - 41. The non-transitory computer readable storage medium of claim 37, wherein the instruction indicates the other appliance to initiate a secure session handshake procedure between the other appliance and the server.
  - 42. The non-transitory computer readable storage medium of claim 37, wherein the secure session connections are established based on a secure session layer (SSL) or a transport layer security (TLS) handshake protocol.
  - 43. The non-transitory computer readable storage medium of claim 37, wherein the set of instructions that is executable by the at least one processor of the apparatus to cause the apparatus to further perform:
    - determining, using information from the secure session connection request, whether the lookup table includes certificate information.
  - 44. The non-transitory computer readable storage medium of claim 43, wherein the set of instructions that is executable by the at least one processor of the apparatus to cause the apparatus to further perform:
    - establishing the first secure session connection with the client device using the certificate information in response to the secure connection request.
  - 45. The non-transitory computer readable storage medium of claim 37, wherein the set of instructions that is executable by the at least one processor of the apparatus to cause the apparatus to further perform:
    - forwarding the secure session connection request to the other appliance, based on determination that the lookup table does not include information on client authentication or failing to access the lookup table.
  - 46. The non-transitory computer readable storage medium of claim 37, wherein the set of instructions that is executable by the at least one processor of the apparatus to cause the apparatus to further perform:
    - adding an entry in the lookup table, if the entry not existing for the server, wherein the entry is allocated to store at least one of;
      
      mode information, certificate information, information that client authentication is not required by the server, and premaster secret information.
  - 47. The non-transitory computer readable storage medium of claim 46, wherein the entry in the lookup table is distinguished based on IP address and port information of the server.
  - 48. The non-transitory computer readable storage medium of claim 46, wherein the mode information comprises one of a split proxy mode and a transparent mode.
  - 49. The non-transitory computer readable storage medium of claim 37, wherein the set of instructions that is executable by the at least one processor of the apparatus to cause the apparatus to further perform, based on determination that the lookup table does not include information on client authentication:
    - receiving, from the other appliance, information that client authentication is not required by the server; and
      
      storing the information in the lookup table that client authentication is not required by the server.
  - 50. The non-transitory computer readable storage medium of claim 37, wherein the set of instructions that is executable by the at least one processor of the apparatus to cause the apparatus to further perform, based on determination that the lookup table does not include information on client authentication:
    - receiving, from the other appliance, certificate information;
      
      establishing the first secure session connection using the certificate information in response to the secure connection request; and
      
      storing the certificate information in the lookup table.
  - 51. The non-transitory computer readable storage medium of claim 39, wherein the set of instructions that is executable by the at least one processor of the apparatus to cause the apparatus to further perform:
    - determining whether the lookup table includes premaster secret information, when determining that the appliance is acting as the split proxy mode.
  - 52. The non-transitory computer readable storage medium of claim 51, wherein the set of instructions that is executable by the at least one processor of the apparatus to cause the apparatus to further perform:
    - sending the other appliance a request to decrypt client key exchange, based on determining that the lookup table does not include premaster secret information.
  - 53. The non-transitory computer readable storage medium of claim 52, wherein the set of instructions that is executable by the at least one processor of the apparatus to cause the apparatus to further perform:
    - obtaining premaster secret information from the decrypted client key exchange.
  - 54. The non-transitory computer readable storage medium of claim 53, wherein the premaster secret information is used to derive a master secret, wherein the master secret is used to encrypt or decrypt data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Shah, Paras Suresh
Primary Examiner(s)
Potratz, Daniel B

Application Number

US15/004,598
Publication Number

US 20170214660A1
Time in Patent Office

1,362 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 67/01   Protocols

H04L 67/56   Provisioning of proxy servi...

System and method for providing improved optimization for secure session connections

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing improved optimization for secure session connections

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links