Split termination for secure communication protocols

US 20070038853A1
Filed: 07/18/2006
Published: 02/15/2007
Est. Priority Date: 08/10/2005
Status: Active Grant

First Claim

Patent Images

1. A method of initiating a secure connection, the method comprising:

intercepting a secure connection request from a client using an intercepting entity;

initiating a secure connection with the client, wherein the secure connection is associated with at least one attribute enabling the secure communication of data via the secure connection; and

forwarding the attribute to a network device, thereby enabling the network device to maintain the secure connection with the client.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Transaction accelerators can be configured to terminate secure connections. A server-side accelerator intercepts a secure connection request from a client and directed to a server. The server-side accelerator responds to secure connection request in place of the server, thereby establishing a secure connection between the client and the server-side accelerator. Alternatively, the server-side accelerator monitors the establishment of a secure connection between the client and the server. After the secure connection has been established, the server-side accelerator forwards security information to a client-side accelerator, enabling the client-side accelerator to assume control of the secure connection. As a result of this arrangement, the client-side accelerator is able to encrypt and decrypt data on the secure connection and accelerate it in cooperation with the server-side accelerator. In a further embodiment, the accelerated traffic between accelerators is carried across the network via another secure connection.

178 Citations

56 Claims

1. A method of initiating a secure connection, the method comprising:
- intercepting a secure connection request from a client using an intercepting entity;
  
  initiating a secure connection with the client, wherein the secure connection is associated with at least one attribute enabling the secure communication of data via the secure connection; and
  
  forwarding the attribute to a network device, thereby enabling the network device to maintain the secure connection with the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the secure connection request initiates a connection between the client and a server.
  - 3. The method of claim 1, wherein the secure connection request initiates security for a previously-established connection between the client and a server.
  - 4. The method of claim 1, wherein intercepting the secure connection request from the client comprises:
    - receiving a secure connection request previously intercepted by a second intercepting entity in-path with the client and redirected to the intercepting entity.
  - 5. The method of claim 4, wherein receiving the secure connection request comprises:
    - receiving the secure connection request via a caching protocol.
  - 6. The method of claim 1, wherein intercepting the secure connection request from the client comprises:
    - intercepting the secure connection request from the client via an in-path network connection with the client.
  - 7. The method of claim 1, wherein initiating a secure connection with the client comprises:
    - observing with the intercepting entity the initiation of a secure connection between the client and a server;
      
      determining the attribute of the secure connection from the initiation of the secure connection; and
      
      receiving an indication that the initiation of the secure connection between the client and the server is complete.
  - 8. The method of claim 7, wherein observing the initiation of the secure connection is facilitated by receiving, by the intercepting entity, security information associated with the server.
  - 9. The method of claim 1, wherein initiating the secure connection comprises:
    - initiating a first secure connection between the intercepting entity and a server; and
      
      initiating a second secure connection between the intercepting entity and the client.
  - 10. The method of claim 9, wherein the initation of the first secure connection is completed before initiating the second secure connection.
  - 11. The method of claim 9, wherein the second secure connection is initiated before the initiation of the first secure connection is completed.
  - 12. The method of claim 1, wherein the attribute includes a cipher to be used to encrypt data for the secure connection.
  - 13. The method of claim 1, wherein the network device receiving the forwarded attribute is closer on a network to the client than the intercepting entity.
  - 14. The method of claim 13, wherein proximity of the network device and the intercepting entity to the client on the network is determined by network characteristics.
  - 15. The method of claim 14, wherein the network characteristics include network latencies of the network from the network device and the intercepting entity to the client.
  - 16. The method of claim 14, wherein the network characteristics include network bandwidths of the network from the network device and the intercepting entity to the client.
  - 17. The method of claim 14, wherein the network device receiving the forwarded attribute is separated from the client by a first network including a local area networks and wherein the intercepting entity is separated from the client by a second network including a wide area network.
  - 18. The method of claim 14, wherein the network device receiving the forwarded attribute is integrated with a computer system including the client.
  - 19. The method of claim 1, further comprising:
    - intercepting data from a server directed to the client;
      
      communicating at least a portion of the data to the network device in association with an indicator, such that the network device will further communicate the portion of the data with the client via the secure connection.
  - 20. The method of claim 1, further comprising:
    - receiving first data from the network device, wherein the first data corresponds with second data previously received by the network device from the client via the secure connection; and
      
      communicating third data to the server, wherein the third data corresponds with the first data.
  - 21. The method of claim 1, wherein forwarding the attribute to the network device includes:
    - initiating an additional secure connection with the network device; and
      
      communicating the attribute via the additional secure connection.

22. A method of communicating securely with a client, the method comprising:
- intercepting a secure connection request from a client to a server at a first network device;
  
  initiating a first secure connection between the first network device and the client in response to the secure connection request; and
  
  in response to the inititation of the first secure connection being successfully completed;
  
  communicating an indicator from the first network device to the second network device that the first secure connection has been established between the client and the first network device; and
  
  assuming control of the first secure connection with the client at the second network device, such that communications between the client and the server pass through the first secure connection between the client and the second network device.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 23. The method of claim 22, wherein intercepting the secure connection request from the client comprises:
    - receiving a secure connection request previously intercepted by a second intercepting entity in-path with the client and redirected to the intercepting entity.
  - 24. The method of claim 22, wherein intercepting the secure connection request from the client comprises:
    - intercepting the secure connection request from the client via an in-path network connection with the client.
  - 25. The method of claim 22, further comprising:
    - receiving first data from the server directed to the client at the first network device;
      
      communicating second data corresponding to the first data from the first network device to the second network device; and
      
      communicating third data corresponding to the second data from the second network device to the client via the first secure connection.
  - 26. The method of claim 25, wherein the second data comprises an optimized version of the first data and the third data comprises a de-optimized version of the second data equivalent to the first data.
  - 27. The method of claim 22, further comprising:
    - receiving first data from the client directed to the server at the second network device via the first secure connection;
      
      communicating second data corresponding to the first data from the second network device to the first network device; and
      
      communicating third data corresponding to the second data from the first network device to the server.
  - 28. The method of claim 27, wherein the second data comprises an optimized version of the first data and the third data comprises a de-optimized version of the second data equivalent to the first data.
  - 29. The method of claim 22, wherein initiating the first secure connection with the client in response to the secure connection request comprises determining if the server is capable of establishing a secure connection with the client in response to the secure connection request.
  - 30. The method of claim 29, wherein determining if the server is capable of establishing a secure connection with the client in response to the secure connection request comprises establishing a second secure connection between the first network device and the server.
  - 31. The method of claim 22, wherein the second network device initiates communications with the client via the first secure connection using a symmetric encryption key in response to the indication.
  - 32. The method of claim 31, wherein the indication includes the symmetric encryption key.
  - 33. The method of claim 31, further comprising:
    - selecting a symmetric encryption key by the second network device;
      
      communicating the selected symmetric encryption key to the first network device; and
      
      communicating the selected symmetric encryption key from the first network device to the client during or after the initiation of the first secure connection.
  - 34. The method of claim 22, wherein the first and second network devices communicate via a second secure connection.
  - 35. The method of claim 34, wherein the first and second network devices initiate the second secure connection using public-key cryptography and certificates signed by a mutually-trusted certifying authority.
  - 36. The method of claim 34, wherein the first and second network devices initiate the second secure connection using self-signed certificates and procedures for deliberate acceptance of such certificates.
  - 37. The method of claim 34, wherein the second secure connection uses a security different from a security of the first secure connection.
  - 38. The method of claim 34, wherein the second secure connection uses a security similar to a security of the first secure connection.
  - 39. The method of claim 34, wherein the second secure connection communicates data associated with the first secure connection and an additional secure connection between the first and second network devices communicates data associated with an additional client.
  - 40. The method of claim 39, wherein the length of use of a single inner channel connection is determined by the number of outer channel connections that have used it.
  - 41. The method of claim 39, wherein the length of use of a single inner channel connection is determined by time elapsed since the first use of that connection.
  - 42. The method of claim 39, wherein a pool of inner-channel connections is available for reuse.
  - 43. The method of claim 22, where the server-side outer channel connection is reused for multiple client-side outer channel connections.
  - 44. The method of claim 43, wherein the length of use of a single server-side outer channel connection is determined by the number of client-side outer channel connections that have used it.
  - 45. The method of claim 43, wherein the length of use of a single server-side outer channel connection is determined by time elapsed since the first use of that connection.
  - 46. The method of claim 43, wherein a pool of inner-channel connections is available for reuse.
  - 47. The method of claim 29, wherein determining if the server is capable of establishing a secure connection with the client in response to the secure connection request comprises:
    - accessing a secure connection cache for information characterizing previous secure connection requests denied by the server;
      
      comparing characteristics of the secure connection request with the information;
      
      forwarding the secure connection request to the server in response to a determination that the characteristics of the secure connection request are similar to the information, thereby enabling the server to establish a secure connection with the client.
  - 48. The method of claim 47, further comprising:
    - invalidating at least a portion of the secure connection cache in response to a change in private key information stored at the first network device.
  - 49. The method of claim 47, further comprising:
    - sharing at least a portion of the secure connection cache with an additional network device connected with the server.
  - 50. The method of claim 22, wherein assuming control of the secure connection with the client at the second network device includes:
    - detecting a secure connection renegotiation request by the client at the second network device;
      
      communicating an indicator of the secure connection renegotiation request from the second network device to the first network device;
      
      in response to the indicator of the secure connection renegotiation request, assuming control of the first secure connection with the client at the first network device;
      
      determining at the first network device whether the first secure connection can be renegotiated by the first network device;
      
      renegotiating the first secure connection with the client in response to the determination that the first network device can renegotiate the first secure connection; and
      
      forwarding the secure connection renegotiation request to the server in response to a determination that the first network device cannot renegotiate the first secure connection, thereby enabling the server to renegotiate a secure connection with the client.

51. A method of communicating securely with a client, the method comprising:
- observing an initation of a secure connection between a client and a server;
  
  receiving an indication that the initiation of the secure connection between the client and the server is complete;
  
  assuming control of the secure connection with the client on behalf of the server;
  
  receiving data directed to the client from the server via the network device; and
  
  communicating the data to the client via the secure connection.
- View Dependent Claims (52, 53, 54, 55, 56)
- - 52. The method of claim 51, wherein the indication that the initiation of the secure connection is complete includes at least one attribute enabling the secure communication of data via the secure connection.
  - 53. The method of claim 51, wherein the indication that the initiation of the secure connection marks the end of interactions that require a private key and the start of interactions that require only a symmetric key.
  - 54. The method of claim 52, wherein the attribute includes a symmetric key.
  - 55. The method of claim 51, wherein the server is a VPN device.
  - 56. The method of claim 51, wherein assuming control of the secure connection comprises:
    - determining an attribute of the secure connection from observing the initiation of the secure connection;
      
      forwarding the attribute to a network device, thereby enabling the network device to maintain the secure connection with the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Day, Mark, Larsen, Case, Merugu, Shashidhar

Granted Patent

US 8,613,071 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3263   involving certificates, e.g...

Split termination for secure communication protocols

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

178 Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

Split termination for secure communication protocols

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

178 Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links