METHOD AND APPARATUS FOR SPLIT-TERMINATING A SECURE NETWORK CONNECTION, WITH CLIENT AUTHENTICATION
First Claim
1. A method of establishing a secure split-terminated communication connection between a client and a server, the method comprising:
- receiving access to a private cryptographic key of the server at a first network intermediary within a path of communications between the client and the server;
- receiving from the client and the server handshaking messages for establishing the communication connection;
- extracting one or more fields from the handshaking messages;
- forwarding each of the handshaking messages toward the other of the client and the server from which it was received; and
- computing a session key using the one or more protected fields, wherein the session key is separately computed by the client and the server.
Abstract
A method and apparatus are provided for split-terminating a secure client-server communication connection, with client authentication. During handshaking between the client and the server, cooperating network intermediaries relay the handshaking messages, without altering the messages. At least one of the intermediaries possesses a private key of the server, and extracts a set of data fields from the handshaking messages, including a Client-Key-Exchange message that can be decrypted with the private key. The intermediary uses the extracted data to compute the client-server session key separate from the client's and the server's similar computation, and may transmit the key to the other intermediary via a secure communication channel. The client and the server thus establish the end-to-end client-server connection, and may authenticate each other, after which the network intermediaries may intercept and optimize the client-server communications transparently to the client and the server.
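The following Python model of the mechanism in the abstract is an added illustration, not code from the patent. It assumes a constructed toy RSA key (two Mersenne primes, textbook RSA without padding) and an 8-byte premaster secret so the toy modulus can hold it; real TLS uses a 2048-bit or larger key, PKCS#1 v1.5 padding and a 48-byte premaster. The TLS 1.2 PRF and master-secret derivation follow RFC 5246. It shows why an in-path intermediary that is given the server's private key and merely relays the handshake unmodified ends up with the same master secret as both endpoints, and why this only works for RSA key exchange: with (EC)DHE cipher suites the server's private key signs the key share but cannot recover the premaster, so the intermediary cannot derive the session key.

```python
import hashlib
import hmac
import os

# Constructed toy RSA key: 2^31-1 and 2^61-1 are both prime; e = 65537 is
# coprime to (P-1)(Q-1). NOT a real key; for illustration only.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the server's private exponent


def p_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed                     # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return p_sha256(premaster, b"master secret", client_random + server_random, 48)


def client_key_exchange(premaster: bytes) -> int:
    """Client encrypts the premaster secret to the server's public key (E, N)."""
    return pow(int.from_bytes(premaster, "big"), E, N)


def intermediary_master_secret(client_random: bytes, server_random: bytes,
                               cke: int, server_private_d: int) -> bytes:
    """What the in-path intermediary does with the fields it extracted: decrypt
    the relayed ClientKeyExchange with the server's private key and run the same
    derivation as the endpoints. Nothing on the wire is modified."""
    premaster = pow(cke, server_private_d, N).to_bytes(8, "big")
    return master_secret(premaster, client_random, server_random)


def simulate_handshake():
    """Returns (client, server, intermediary) master secrets for one handshake."""
    client_random, server_random = os.urandom(32), os.urandom(32)  # Hello randoms
    premaster = os.urandom(8)        # toy size; TLS uses 48 bytes
    cke = client_key_exchange(premaster)        # ClientKeyExchange, relayed as-is
    client_ms = master_secret(premaster, client_random, server_random)
    server_pm = pow(cke, D, N).to_bytes(8, "big")   # server decrypts normally
    server_ms = master_secret(server_pm, client_random, server_random)
    proxy_ms = intermediary_master_secret(client_random, server_random, cke, D)
    return client_ms, server_ms, proxy_ms
```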
20 Claims
1. A method of establishing a secure split-terminated communication connection between a client and a server, the method comprising:
receiving access to a private cryptographic key of the server at a first network intermediary within a path of communications between the client and the server; receiving from the client and the server handshaking messages for establishing the communication connection; extracting one or more fields from the handshaking messages; forwarding each of the handshaking messages toward the other of the client and the server from which it was received; and computing a session key using the one or more protected fields, wherein the session key is separately computed by the client and the server.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)

16. A computer-readable medium storing instructions that, when executed by cooperating network intermediary computers operating in a path of communications between a client and a server, cause the network intermediary computers to perform a method of establishing a secure split-terminated communication connection between the client and the server, the method comprising:
receiving access to a private cryptographic key of the server at the first network intermediary; receiving from the client and the server handshaking messages for establishing the communication connection; extracting one or more fields from the handshaking messages; forwarding each of the handshaking messages toward the other of the client and the server from which it was received; and computing a session key using the one or more protected fields, wherein the session key is separately computed by the client and the server.

17. Apparatus configured to facilitate establishment of a secure split-terminated communication connection between a client and a server, the apparatus comprising:
one or more network devices operating in a path of communications between the client and the server, wherein at least one of the network devices comprises: a private cryptographic key of the server; first logic configured to extract one or more predetermined fields from handshaking messages exchanged by the client and the server to establish the communication connection; and second logic configured to compute a session key for the communication connection separate from the client and the server; and
a secure channel coupling the one or more network devices.
View Dependent Claims (18, 19, 20)
Specification