METHOD AND APPARATUS FOR SPLIT-TERMINATING A SECURE NETWORK CONNECTION, WITH CLIENT AUTHENTICATION

US 20100299525A1
Filed: 06/29/2010
Published: 11/25/2010
Est. Priority Date: 08/10/2005
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a secure split-terminated communication connection between a client and a server, the method comprising:

receiving access to a private cryptographic key of the server at a first network intermediary within a path of communications between the client and the server;

receiving from the client and the server handshaking messages for establishing the communication connection;

extracting one or more fields from the handshaking messages;

forwarding each of the handshaking messages toward the other of the client and the server from which it was received; and

computing a session key using the one or more protected fields, wherein the session key is separately computed by the client and the server.

View all claims

20 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are provided for split-terminating a secure client-server communication connection, with client authentication. During handshaking between the client and the server, cooperating network intermediaries relay the handshaking messages, without altering the messages. At least one of the intermediaries possesses a private key of the server, and extracts a set of data fields from the handshaking messages, including a Client-Key-Exchange message that can be decrypted with the private key. The intermediary uses the extracted data to compute the client-server session key separate from the client'"'"'s and the server'"'"'s similar computation, and may transmit the key to the other intermediary via a secure communication channel. The client and the server thus establish the end-to-end client-server connection, and may authenticate each other, after which the network intermediaries may intercept and optimize the client-server communications transparently to the client and the server.

155 Citations

View as Search Results

20 Claims

1. A method of establishing a secure split-terminated communication connection between a client and a server, the method comprising:
- receiving access to a private cryptographic key of the server at a first network intermediary within a path of communications between the client and the server;
  
  receiving from the client and the server handshaking messages for establishing the communication connection;
  
  extracting one or more fields from the handshaking messages;
  
  forwarding each of the handshaking messages toward the other of the client and the server from which it was received; and
  
  computing a session key using the one or more protected fields, wherein the session key is separately computed by the client and the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the private cryptographic key corresponds to a digital certificate of the server transmitted to the client within the handshaking messages.
  - 3. The method of claim 1, wherein said receiving access to the private cryptographic key comprises receiving a copy of the private cryptographic key.
  - 4. The method of claim 1, wherein said receiving access to the private cryptographic key comprises receiving access to a repository comprising the private cryptographic key.
  - 5. The method of claim 1, further comprising:
    - storing a plurality of data fields of the handshaking messages, including the one or more protected fields.
  - 6. The method of claim 1, further comprising:
    - verifying a digital certificate of the client.
  - 7. The method of claim 1, further comprising:
    - verifying a digital certificate of the server.
  - 8. The method of claim 1, wherein a first handshaking message received from the client comprises a Client-Key-Exchange message, the method further comprising:
    - decrypting the Client-Key-Exchange message with the private cryptographic key.
  - 9. The method of claim 1, further comprising:
    - transmitting the session key to a second network intermediary within the path of communications.
  - 10. The method of claim 9, further comprising, after said transmitting:
    - at the second network intermediary;
      
      receiving from the client a data request encrypted with the session key;
      
      decrypting the encrypted request;
      
      optimizing the request; and
      
      forwarding the optimized request to the first network intermediary; and
      
      at the first network intermediary;
      
      un-optimizing the optimized request to retrieve the request;
      
      re-encrypting the request with the session key; and
      
      forwarding the re-encrypted request to the server.
  - 11. The method of claim 10, wherein said optimizing comprises:
    - encrypting the data request with a cryptographic key shared by only the first network intermediary and the second network intermediary.
  - 12. The method of claim 10, further comprising:
    - at the first network intermediary;
      
      receiving from the server a response to the data request, wherein the response is encrypted with the session key;
      
      decrypting the encrypted response;
      
      optimizing the response; and
      
      transmitting the optimized response to the second network intermediary; and
      
      at the second network intermediary;
      
      un-optimizing the optimized response;
      
      re-encrypting the response with the session key; and
      
      transmitting the re-encrypted response to the client.
  - 13. The method of claim 1, further comprising authenticating the client by:
    - receiving from the client;
      
      a client digital certificate; and
      
      a Certificate-Verify message;
      
      verifying the client digital certificate; and
      
      validating the Certificate-Verify message.
  - 14. The method of claim 1, wherein a second network intermediary is co-located with the client, the method further comprising:
    - after said computing, transmitting a nonce from the first network intermediary to the second network intermediary;
      
      at the second network intermediary, encrypting the nonce with a private cryptographic key of the client;
      
      transmitting the encrypted nonce from the second network intermediary to the first network intermediary; and
      
      at the first network intermediary, attempting to decrypt the encrypted nonce with a public key extracted from a digital certificate sent by the client in the handshaking messages.
  - 15. The method of claim 14, further comprising:
    - transmitting the session key from the first network intermediary to the second network intermediary only if the encrypted nonce is successfully decrypted with the public key.

16. A computer-readable medium storing instructions that, when executed by cooperating network intermediary computers operating in a path of communications between a client and a server, cause the network intermediary computers to perform a method of establishing a secure split-terminated communication connection between the client and the server, the method comprising:
- receiving access to a private cryptographic key of the server at the first network intermediary;
  
  receiving from the client and the server handshaking messages for establishing the communication connection;
  
  extracting one or more fields from the handshaking messages;
  
  forwarding each of the handshaking messages toward the other of the client and the server from which it was received; and
  
  computing a session key using the one or more protected fields, wherein the session key is separately computed by the client and the server.

17. Apparatus configured to facilitate establishment of a secure split-terminated communication connection between a client and a server, the apparatus comprising:
- one or more network devices operating in a path of communications between the client and the server, wherein at least of the network devices comprises;
  
  a private cryptographic key of the server;
  
  first logic configured to extract one or more predetermined fields from handshaking messages exchanged by the client and the server to establish the communication connection; and
  
  second logic configured to compute a session key for the communication connection separate from the client and the server; and
  
  a secure channel coupling the one or more network devices.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17, further comprising:
    - optimization logic configured to optimize a communication transmitted by one of the client and the server toward the other of the client and the server.
  - 19. The apparatus of claim 17, further comprising:
    - decryption logic configured to decrypt a first predetermined field of the handshaking messages with the private cryptographic key.
  - 20. The apparatus of claim 17, wherein a first network device transmits the session key to a second network device via the secure channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Shah, Paras, Nam, Yongsub, Larsen, Case Thomas, Merugu, Shashidhar

Granted Patent

US 8,438,628 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

METHOD AND APPARATUS FOR SPLIT-TERMINATING A SECURE NETWORK CONNECTION, WITH CLIENT AUTHENTICATION

First Claim

20 Assignments

0 Petitions

Accused Products

Abstract

155 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR SPLIT-TERMINATING A SECURE NETWORK CONNECTION, WITH CLIENT AUTHENTICATION

First Claim

20 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

155 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links