Secure network processing

US 20040250059A1
Filed: 04/15/2003
Published: 12/09/2004
Est. Priority Date: 04/15/2003
Status: Active Grant

First Claim

Patent Images

1. A network communication unit, comprising:

a cryptographic record parsing engine for parsing cryptographic records and having an input and an output, and a processor including cryptographic handshake logic for performing cryptographic handshaking and having an input operatively connected to the output of the cryptographic record parsing offload engine so as to receive the cryptographic records that have been parsed by the cryptographic record parsing engine.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one general aspect, a network communication unit is disclosed that includes a cryptographic record parsing offload engine that has an input and an output. The unit also includes a processor that includes cryptographic handshake logic and has an input operatively connected to the output of the cryptographic record parsing offload engine.

218 Citations

34 Claims

1. A network communication unit, comprising:
- a cryptographic record parsing engine for parsing cryptographic records and having an input and an output, and a processor including cryptographic handshake logic for performing cryptographic handshaking and having an input operatively connected to the output of the cryptographic record parsing offload engine so as to receive the cryptographic records that have been parsed by the cryptographic record parsing engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 16)
- - 2. The network communication unit of claim 1 wherein the cryptographic record parsing engine is an SSL/TLS record parsing engine.
  - 3. The network communication unit of claim 1 wherein said cryptographic records contain secure messages and wherein the network communication unit further includes message-length-detection logic operative to cause and amount of message data from a secure message corresponding to a message length obtained from a cryptographic record to be stored even if the message is encoded in a plurality of different cryptographic records.
  - 4. The network communication unit of claim 3 wherein the message-length detection logic is operative to cause the amount of message data to be stored independent of any interactions with the processor.
  - 5. The network communication unit of claim 1 further including a handshake cryptographic acceleration engine operatively connected to a port of the processor.
  - 6. The network communication unit of claim 5 wherein operative connections between the processor and the cryptographic record parsing engine are of a different type than are operative connections between the processor and the cryptographic acceleration engine.
  - 7. The network communication unit of claim 5 further including a bulk cryptographic acceleration engine operatively connected to a port of the processor, wherein the handshake cryptographic acceleration engine includes handshake acceleration logic, and wherein the bulk cryptographic acceleration engine includes encryption and decryption acceleration logic.
  - 8. The network communication unit of claim 1 wherein the cryptographic record parsing engine includes validation logic operative to validate format information in cryptographic records received from the a network.
  - 9. The network communication unit of claim 8 wherein the validation logic includes type validation logic for validating message types.
  - 10. The network communication unit of claim 8 wherein the validation logic includes protocol version validation logic for validating version fields.
  - 11. The network communication unit of claim 8 wherein the validation logic is operative to invalidate cryptographic records independent of any interactions with the processor.
  - 16. The apparatus of claim 1 further including decision logic operative to determine whether messages should be routed through the cryptographic record parsing engine or whether they should bypass the cryptographic record parsing engine or whether they should bypass the cryptographic record parsing engine.

12. (Canceled)

13. (Canceled)

14. (Canceled)

15. (Canceled)

17. (Canceled)

18. A network communication unit, comprising:
- storage for plurality of steams, queue creation logic operative to create a queue of streams stored in the storage, and stream processing logic responsive to the queue creation logic and to the storage and being operative to successively retrieve and process the streams;
  
  wherein the stream processing logic includes encryption logic and wherein the encryption logic is responsive to the queue creation logic to successively encrypt the streams.
- View Dependent Claims (23, 24)
- - 23. The apparatus of claim 18 wherein the encryption logic is SSL/TLS encryption logic.
  - 24. The apparatus of claim 18 wherein the storage includes function-specific hardware operative to respond to access requests that include a stream identifier and a stream sequence identifier.

19. (Canceled)

20. (Canceled)

21. (Canceled)

22. (Canceled)

25. (Canceled)

26. In a device for processing network traffic, a method comprising the steps of:
- parsing cryptographic records with a cryptographic record parsing engine;
  
  passing the parsed cryptographic records to a processor that includes cryptographic handshaking logic; and
  
  performing cryptographic handshaking with the cryptographic handshaking logic.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. The method of claim 26 wherein the cryptographic records are SSL records.
  - 28. The method of claim 26 wherein the step of parsing comprises parsing out cryptographic messages from the cryptographic records.
  - 29. The method of claim 28 wherein at least one of the cryptographic messages spans more than one cryptographic record.
  - 30. The method of claim 26 wherein the cryptographic records include message types and wherein the method further comprises the step of validating the message type.
  - 31. The method of claim 26 wherein the cryptographic records include protocol version fields and wherein the method further comprises the step of validating the protocol version field.

32. A hardware module for processing secure socket layer (SSL) records, comprising:
- an interface with a cryptographic engine that performs encryption and decryption;
  
  an interface with handshaking logic that performs SSL handshake processing; and
  
  logic for performing SSL acceleration.
- View Dependent Claims (33, 34)
- - 33. The hardware module of claim 32 wherein the logic for performing SSL acceleration includes a message pre-parser.
  - 34. The hardware module of claim 32 wherein the logic for performing SSL accelerator includes a state machine for crating streams used in SSL processing and creating a context block.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Phillips, Paul, Metzger, Stephen, Vaidheswarra, Rajesh, Ramelson, Brian

Granted Patent

US 7,373,500 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 69/22   Parsing or analysis of headers

Secure network processing

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

218 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

Secure network processing

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

218 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others