EXCHANGE OF DIGITAL CERTIFICATES IN A CLIENT-PROXY-SERVER NETWORK CONFIGURATION

US 20140095865A1
Filed: 09/28/2012
Published: 04/03/2014
Est. Priority Date: 09/28/2012
Status: Active Grant

First Claim

Patent Images

1. A method for providing a client certificate from a proxy to a server, the proxy communicatively coupled between a client and the server, the method comprising:

configuring at the proxy a collection of one or more client certificates and one or more client private keys, each client certificate corresponding to a client private key;

defining a policy at the proxy which selects one of the client certificates based on information associated with an identity of the client;

in response to a request from the server to the proxy to authenticate the identity of the client, selecting one of the client certificates based on the defined policy; and

transmitting the selected client certificate from the proxy to the server.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various techniques are described to authenticate the identity of a proxy in a client-proxy-server configuration. The configuration may have a client-side and a server-side SSL session. In the server-side session, if the proxy has access to the private keys of the client, the proxy may select a client certificate from a collection of client certificates and send the selected certificate to the server to satisfy a client authentication request of the server. If the proxy does not have access to the private keys, the proxy may instead send an emulated client certificate to the server. Further, the client certificate received from the client may be embedded within the emulated client certificate so as to allow the server to directly authenticate the client, in addition to the proxy. An emulated client certificate chain may be formed instead of an emulated client certificate. Similar techniques may be applied to the client-side session.

Citations

20 Claims

1. A method for providing a client certificate from a proxy to a server, the proxy communicatively coupled between a client and the server, the method comprising:
- configuring at the proxy a collection of one or more client certificates and one or more client private keys, each client certificate corresponding to a client private key;
  
  defining a policy at the proxy which selects one of the client certificates based on information associated with an identity of the client;
  
  in response to a request from the server to the proxy to authenticate the identity of the client, selecting one of the client certificates based on the defined policy; and
  
  transmitting the selected client certificate from the proxy to the server.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein one of the client certificates is selected further based on one or more of a group that the client belongs to, a URL of the server, a network address of the server, and field values of a server certificate.
  - 3. The method of claim 1, wherein one of the client certificates is selected further based on a user group associated with the client.
  - 4. The method of claim 1, further comprising securely sending one or more client certificates and their associated private keys from the client to the proxy.

5. A method for providing a client certificate from a proxy to a server, the proxy communicatively coupled between a client and the server, the method comprising:
- authenticating an identity of the client at the proxy;
  
  configuring at the proxy a collection of one or more client certificates and one or more client private keys, each client certificate corresponding to a client private key;
  
  defining a policy at the proxy which selects one of the client certificates based on information associated with the identity of the client;
  
  receiving at the proxy a request from the client to connect to the server;
  
  transmitting a request from the proxy to the server to establish a connection between the proxy and the server;
  
  providing from the proxy to the client an emulated server certificate to allow man-in-the-middle interception;
  
  in response to a request from the server to authenticate the identity of the client, selecting one of the client certificates based on the defined policy; and
  
  transmitting the selected client certificate from the proxy to the server.

6. A method for providing an emulated client certificate from a proxy to a server, the proxy communicatively coupled between a client and the server, the method comprising:
- in response to a request from the server to authenticate an identity of the client, sending a request from the proxy to the client for a client certificate, which binds a public key of the client with the identity of the client;
  
  generating at the proxy a key pair having a private key and public key;
  
  generating an emulated client certificate based on the client certificate, the emulated client certificate containing the public key generated at the proxy;
  
  signing the emulated client certificate; and
  
  transmitting the signed emulated client certificate from the proxy to the server.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, further comprising transmitting the emulated client certificate from the proxy to the client, and wherein signing the emulated client certificate comprises signing the emulated client certificate with a private key of the client.
  - 8. The method of claim 6, wherein the emulated client certificate is signed by a certificate authority (CA) trusted by the server.
  - 9. The method of claim 6, wherein the emulated client certificate is signed by the proxy with a private key of a certificate authority (CA) known to the proxy.

10. A method for providing an emulated server certificate from a proxy to a client, the proxy communicatively coupled between the client and a server, the method comprising:
- in response to a request from the client to the proxy to authenticate an identity of the server, sending a request from the proxy to the server for a server certificate, which binds a public key of the server with the identity of the server;
  
  generating a key pair having a private key and public key;
  
  generating an emulated server certificate based on the server certificate, the emulated server certificate containing the public key generated at the proxy instead of the public key of the server;
  
  embedding the server certificate in a field within the emulated server certificate;
  
  signing the emulated server certificate; and
  
  transmitting the emulated server certificate from the proxy to the client.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10, wherein the server certificate is embedded in an nsComment field of the emulated server certificate.
  - 12. The method of claim 11, further comprising the client verifying an identity of the proxy via the emulated server certificate and verifying the identity of the server via the embedded server certificate.

13. A method for providing an emulated client certificate from a proxy to a server, the proxy communicatively coupled between a client and the server, the method comprising:
- in response to a request from the server to the proxy to authenticate an identity of the client, sending a request from the proxy to the client for a client certificate, which binds a public key of the client with the identity of the client;
  
  generating a key pair having a private key and public key;
  
  generating an emulated client certificate based on the client certificate, the emulated client certificate containing the public key generated at the proxy instead of the public key of the client;
  
  embedding the client certificate in a field within the emulated client certificate;
  
  signing the emulated client certificate; and
  
  transmitting the emulated client certificate from the proxy to the server.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein the client certificate is embedded in an nsComment field of the emulated client certificate.
  - 15. The method of claim 13, further comprising the server verifying an identity of the proxy via the emulated client certificate and verifying the identity of the client via the embedded client certificate.

16. A method for providing an emulated server certificate from a proxy to a client, the proxy communicatively coupled between the client and a server, the method comprising:
- sending from the proxy to the server an emulated server certificate for the emulated server certificate to be signed by a private key of the server;
  
  receiving from the server an emulated server certificate that has been signed with the private key of the server; and
  
  sending from the proxy to the client the emulated server certificate that has been signed with the private key of the server.

17. A method for providing an emulated server certificate chain from a proxy to a client, the proxy communicatively coupled between the client and a server, the method comprising:
- receiving at the proxy a server certificate chain from the server;
  
  generating a plurality of key pairs, each key pair having a private key and public key;
  
  generating an emulated server certificate chain based on the server certificate chain, the emulated server certificate chain containing a plurality of emulated certificates, each emulated certificate containing a public key generated at the proxy;
  
  signing each of the emulated certificates within the emulated server certificate chain; and
  
  transmitting the emulated server certificate chain from the proxy to the client.
- View Dependent Claims (18)
- - 18. The method of claim 17, further comprising:
    - for each of the emulated certificates, embedding a certificate from the server certificate chain in a field of the emulated certificate.

19. A method for providing an emulated client certificate chain from a proxy to a server, the proxy communicatively coupled between a client and the server, comprising:
- receiving at the proxy a client certificate chain from the client;
  
  generating a plurality of key pairs, each key pair having a private key and public key;
  
  generating an emulated client certificate chain based on the client certificate chain, the emulated client certificate chain containing a plurality of emulated certificates, each emulated certificate containing a public key generated at the proxy;
  
  signing each of the emulated client certificates within the emulated client certificate chain; and
  
  transmitting the emulated client certificate chain from the proxy to the server.
- View Dependent Claims (20)
- - 20. The method of claim 19, further comprising:
    - for each of the emulated certificates, embedding a certificate from the client certificate chain in a field of the emulated certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Blue Coat Systems Incorporated (Gen Digital Inc.)
Inventors
Frederick, Ron, Green, Tammy, Yerra, Srinivas, Krilovs, Krists, Mohan, Dharmendra

Granted Patent

US 9,565,180 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0823   using certificates cryptogr...

H04L 9/3265   using certificate chains, t...

H04L 9/3271   using challenge-response

EXCHANGE OF DIGITAL CERTIFICATES IN A CLIENT-PROXY-SERVER NETWORK CONFIGURATION

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EXCHANGE OF DIGITAL CERTIFICATES IN A CLIENT-PROXY-SERVER NETWORK CONFIGURATION

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links