SYSTEM AND METHOD FOR DISTRIBUTED SSL PROCESSING BETWEEN CO-OPERATING NODES

US 20080307219A1
Filed: 06/05/2007
Published: 12/11/2008
Est. Priority Date: 06/05/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

intercepting a secure communication protocol transaction request from a client to a server at a client-side proxy logically deployed between the client and the server and communicatively coupled to the client;

initiating, from the client-side proxy, a secure connection with the server, wherein the secure connection is associated with at least one attribute enabling secure communication of data with the server; and

forwarding the attribute from the client-side proxy to a server-side proxy logically deployed between the client and the server and communicatively coupled to the server, enabling the server-side proxy to engage in secure communications with the server.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure communication protocol (e.g., SSL) transaction request from a client to a server is intercepted at a client-side proxy communicatively coupled to the client and logically deployed between the client and the server. The client-side proxy initiates a secure connection with the server and passes an attribute (e.g., a cryptographic key) associated with that secure connection to a server-side proxy communicatively coupled to the server and logically deployed between the client and the server. This enables the server-side proxy to engage in secure communications with the server in a transparent fashion.

129 Citations

25 Claims

1. A method, comprising:
- intercepting a secure communication protocol transaction request from a client to a server at a client-side proxy logically deployed between the client and the server and communicatively coupled to the client;
  
  initiating, from the client-side proxy, a secure connection with the server, wherein the secure connection is associated with at least one attribute enabling secure communication of data with the server; and
  
  forwarding the attribute from the client-side proxy to a server-side proxy logically deployed between the client and the server and communicatively coupled to the server, enabling the server-side proxy to engage in secure communications with the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the secure communication protocol transaction request comprises a secure socket layer (SSL) transaction request.
  - 3. The method of claim 1, wherein the attribute is forwarded from the client-side proxy to the server-side proxy over a secure communication channel between the client-side proxy to the server-side proxy.
  - 4. The method of claim 1, wherein the attribute is forwarded from the client-side proxy to the server-side proxy over a previously-established secure communication channel between the client-side proxy and the server-side proxy.
  - 5. The method of claim 1, wherein prior to forwarding the attribute, initiating an additional secure connection between the client-side proxy and the server-side proxy.
  - 6. The method of claim 1, wherein the attribute includes one or more of:
    - a cryptographic key, cipher algorithm and initialization vector to be used to encrypt data for the secure communications between the server-side proxy and the server.
  - 7. The method of claim 1, further comprising intercepting data from the client at the client-side proxy and assembling a secure socket layer (SSL) record including at least a portion of the data.
  - 8. The method of claim 7, further comprising transferring the SSL record from the client-side proxy to the server-side proxy.
  - 9. The method of claim 8, further comprising using the attribute to encrypt the SSL record at the server-side proxy to produce an encrypted SSL record and transmitting the encrypted SSL record from the server-side proxy to the server.
  - 10. The method of claim 1, further comprising receiving, at the server-side proxy, an encrypted secure socket layer (SSL) record from the server and decrypting the encrypted SSL record using the attribute to produce an unencrypted SSL record.
  - 11. The method of claim 10, further comprising transferring the unencrypted SSL record from the server-side proxy to the client-side proxy.
  - 12. The method of claim 11, wherein transferring the unencrypted SSL record comprises transmitting the unencrypted SSL record over a secure inter-proxy communication link.
  - 13. The method of claim 12, further comprising securing the inter-proxy communication link prior to forwarding the attribute.
  - 14. The method of claim 11, further comprising scanning the unencrypted SSL records transferred between the server-side proxy and the client-side proxy with an intrusion detection and/or intrusion prevention system, or other application-level content scan for monitoring and/or security purposes.

15. A method comprising establishing a secure communication channel between a server-side proxy and a server using an attribute associated with the secure communication channel, the attribute having first been passed from the server to a client-side proxy in response to a request to establish secure communications between the client-side proxy and the server.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The method of claim 15, wherein the attribute comprises a cryptographic key and a cipher.
  - 17. The method of claim 16, wherein prior to establishing the secure communication channel, the attribute is transferred from the client-side proxy to the server-side proxy via a secure inter-proxy communication channel.
  - 18. The method of claim 17, further comprising receiving encrypted data from the server directed to a client at the server-side proxy and decrypting the data at the server-side proxy using the attribute to produce unencrypted data.
  - 19. The method of claim 18, further comprising transferring the unencrypted data from the server-side proxy to the client-side proxy via the secure inter-proxy communication channel.
  - 20. The method of claim 19, wherein transferring the unencrypted data from the server-side proxy to the client-side proxy via the secure inter-proxy communication channel comprises optimizing the unencrypted data for said transfer via the secure inter-proxy communication channel.
  - 21. The method of claim 20, wherein optimizing the unencrypted data comprises subjecting the unencrypted data to byte caching at the server-side proxy.
  - 22. The method of claim 17, further comprising receiving data from the client-side proxy directed to the server at the server-side proxy, encrypting the data at the server-side proxy using the attribute to produce encrypted data, and transmitting the encrypted data to the server via the secure communication channel.
  - 23. The method of claim 22, further comprising securing the inter-proxy communication channel prior to transferring the data from the client-side proxy to the server-side proxy.
  - 24. The method of claim 23, wherein the data comprises a secure socket layer (SSL) record.

25. A method, comprising:
- intercepting a secure communication protocol transaction request from a client to a server at a client-side proxy logically deployed between the client and the server and communicatively coupled to the client;
  
  initiating, from the client-side proxy, a secure connection with the server, wherein the secure connection is associated with at least one attribute enabling secure communication of data with the server; and
  
  forwarding the attribute from the client-side proxy to multiple server-side proxies arranged in a chain and each logically deployed between the client and the server, enabling secure communications between the server-side proxies and the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Blue Coat Systems Incorporated (Gen Digital Inc.)
Inventors
Karandikar, Shrikrishna

Granted Patent

US 8,225,085 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

SYSTEM AND METHOD FOR DISTRIBUTED SSL PROCESSING BETWEEN CO-OPERATING NODES

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

129 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DISTRIBUTED SSL PROCESSING BETWEEN CO-OPERATING NODES

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links