Offload processing for security session establishment and control

US 20030105952A1
Filed: 12/05/2001
Published: 06/05/2003
Est. Priority Date: 12/05/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method of improving security processing in a computing network, comprising steps of:

providing a security offload component which performs security handshake processing; and

providing a control function in an operating system kernel for initiating operation of the security handshake processing by the security offload component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing. Improved offloading of security processing is also disclosed, which provides processing efficiencies over prior art offloading techniques.

Citations

35 Claims

1. A method of improving security processing in a computing network, comprising steps of:
- providing a security offload component which performs security handshake processing; and
  
  providing a control function in an operating system kernel for initiating operation of the security handshake processing by the security offload component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method according to claim 1, further comprising the step of executing the provided control function, thereby initiating operation of the security handshake processing.
  - 3. The method according to claim 1, wherein the operating system kernel maintains control over operation of the security handshake processing.
  - 4. The method according to claim 1, wherein the operating system kernel does not participate in operation of the security handshake processing.
  - 5. The method according to claim 1, wherein the control function further specifies information to be used by the security offload component during the security handshake processing.
  - 6. The method according to claim 5, wherein the specified information comprises one or more of:
    - a connection identifier;
      
      a security role;
      
      one or more security versions supported; and
      
      cipher suites options.
  - 7. The method according to claim 1, wherein:
    - the operating system kernel does not participate in operation of the security handshake processing;
      
      the control function further specifies information to be used by the security offload component during the security handshake processing; and
      
      the specified information comprises one or more of a connection identifier;
      
      a security role;
      
      one or more security versions supported;
      
      cipher suites options; and
      
      security certificate key ring information.
  - 8. The method according to claim 7, wherein the specified information further comprises segment size and sequence number information to be used when transmitting messages of the security handshake processing.
  - 9. The method according to claim 7, further comprising the step of sending a completion response from the security offload component to the operating system kernel upon completion of the security handshake processing, wherein the completion response conveys information for use by the operating system kernel in carrying out secure communications on a secure session which results from the security handshake processing.
  - 10. The method according to claim 9, wherein the conveyed information comprises one or more of:
    - an identifier of the secure session;
      
      one or more session keys;
      
      a current sequence number for messages of the secure session;
      
      a cipher suite to be used for the secure session;
      
      a protocol version to be used for the secure session; and
      
      a digital certificate or other security credentials.
  - 11. The method according to claim 1, wherein the operating system kernel maintains control over operation of the security handshake processing, and wherein the operating system kernel provides one or more message segments to the security offload component for use by the security offload component in completing steps of the security handshake processing.
  - 12. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to perform random number generation when creating an initial handshake message to transmit to a server device.
  - 13. The method according to claim 12, wherein the initial handshake message is a Client Hello message.
  - 14. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to perform random number generation when creating an initial handshake response message to transmit to a client device.
  - 15. The method according to claim 14, wherein the initial handshake response message is a Server Hello message.
  - 16. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to decode a client security certificate which has been transmitted from a client device.
  - 17. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to decode a server security certificate which has been transmitted from a server device.
  - 18. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to generate and encrypt a pre-master security secret to be transmitted to a server device.
  - 19. The method according to claim 18, wherein the encryption of the pre-master security secret uses a public key of the server device.
  - 20. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to decrypt a pre-master security secret transmitted from a client device.
  - 21. The method according to claim 20, wherein the decryption of the pre-master security secret uses a private key of the server device.
  - 22. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to compute one or more master security secrets and one or more session cryptography keys to be transmitted to a server device.
  - 23. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to compute one or more master security secrets and one or more session cryptography keys to be transmitted to a client device.
  - 24. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to digitally sign a message to be transmitted to a server device.
  - 25. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to validate a digital signature of a message received from a client device.
  - 26. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to compute a message authentication code (“
    - MAC”
      
      ) of the security handshake, wherein the computed MAC is to be transmitted to a server device.
  - 27. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to compute a message authentication code (“
    - MAC”
      
      ) of the security handshake, wherein the computed MAC is to be transmitted to a client device.
  - 28. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to validate a message authentication code (“
    - MAC”
      
      ) of the security handshake, wherein the MAC was transmitted from a server device.
  - 29. The method according to claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to validate a message authentication code (“
    - MAC”
      
      ) of the security handshake, wherein the MAC was transmitted from a client device.
  - 30. The method according to claim 11, further comprising the step of sending a completion response from the security offload component to the operating system kernel upon completion of the security handshake processing, wherein the completion response conveys information for use by the operating system kernel in carrying out secure communications on a secure session which results from the security handshake processing.
  - 31. The method according to claim 30, wherein the conveyed information comprises one or more of:
    - an identifier of the secure session;
      
      one or more session keys;
      
      a current sequence number for messages of the secure session;
      
      a cipher suite to be used for the secure session;
      
      a protocol version to be used for the secure session; and
      
      a digital certificate or other security credentials.
  - 32. The method according to claim 31, wherein the conveyed information further comprises a current transmission control sequence number for transmitting messages of the secure session.

33. A method of improving security processing in a computing network, comprising steps of:
- providing a security offload component which performs security session establishment and control processing; and
  
  providing a control function in an operating system kernel for initiating operation of the security establishment and control processing by the security offload component.

34. A system for improving security processing in a computing network, comprising:
- means for performing security session establishment and control processing in a security offload component; and
  
  means for executing a control function in an operating system kernel, thereby initiating operation of the means for performing security establishment and control processing by the security offload component.

35. A computer program product for improving security processing in a computing network, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code means for performing security session establishment and control processing in a security offload component; and
  
  computer-readable program code means for executing a control function in an operating system kernel, thereby initiating operation of the computer-readable program code means for performing security establishment and control processing by the security offload component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Brabson, Roy F., Overby, Linwood Hugh Jr.

Application Number

US10/007,581
Publication Number

US 20030105952A1
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

Offload processing for security session establishment and control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Offload processing for security session establishment and control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links