Secure sockets layer proxy architecture

US 7,149,892 B2
Filed: 07/06/2001
Issued: 12/12/2006
Est. Priority Date: 07/06/2001
Status: Active Grant

First Claim

Patent Images

1. A method for secure communications between a client and one of a plurality of servers performed on an intermediary device coupled to the client and said plurality of servers, comprising:

(a) establishing an open communications session between the intermediary device and the client via an open network;

(b) negotiating a secure communications session with the client;

(c) establishing an open communications session with said one of said plurality of servers via a secure network;

(d) receiving encrypted application data from the client via the secure communications session, wherein the encrypted application data was encrypted by the client device by encrypting application data at a session layer above a packet level of a network stack of the client;

(e) decrypting the encrypted application data;

(f) forwarding the decrypted application data to the server via the secure network;

(g) receiving application data from the server via the secure network;

(h) encrypting the application data; and

(i) sending encrypted application data to the client,wherein the steps (e) and (f) are performed at the packet level of a network stack of the intermediate device without processing the application data with an application layer of the network stack of the intermediate device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for secure communications between a client and one of a plurality of servers performed on an intermediary device coupled to the client and said plurality of servers. In one aspect, the method comprises: establishing an open communications session between the intermediary device and the client via an open network; negotiating a secure communications session with the client; establishing an open communications session with said one of said plurality of servers via a secure network; receiving encrypted data from the client via the secure communications session; decrypting encrypted application data; forwarding decrypted application data to the server via the secure network; receiving application data from the server via the secure network; encrypting the application data; and sending encrypted application data to the client. In a further aspect, an apparatus including a network interface communicating with the public network and the secure network at least one processor, programmable dynamic memory addressable by the processor, and a communications channel coupling the processor, memory and the network communications interface is provided. The apparatus further includes a proxy TCP communications engine, a proxy SSL communications engine, a server TCP communications engine; and a packet data encryption and decryption engine.

Citations

30 Claims

1. A method for secure communications between a client and one of a plurality of servers performed on an intermediary device coupled to the client and said plurality of servers, comprising:
- (a) establishing an open communications session between the intermediary device and the client via an open network;
  
  (b) negotiating a secure communications session with the client;
  
  (c) establishing an open communications session with said one of said plurality of servers via a secure network;
  
  (d) receiving encrypted application data from the client via the secure communications session, wherein the encrypted application data was encrypted by the client device by encrypting application data at a session layer above a packet level of a network stack of the client;
  
  (e) decrypting the encrypted application data;
  
  (f) forwarding the decrypted application data to the server via the secure network;
  
  (g) receiving application data from the server via the secure network;
  
  (h) encrypting the application data; and
  
  (i) sending encrypted application data to the client,wherein the steps (e) and (f) are performed at the packet level of a network stack of the intermediate device without processing the application data with an application layer of the network stack of the intermediate device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein said step (a) comprises the sub steps of:
    - receiving a request for a communications session from the client;
      
      responding to the request for a communications session in place of the server; and
      
      establishing a secure communications session between the client and the intermediary device.
  - 3. The method of claim 2 wherein said step of (a) comprises receiving a TCP SYN packet from a client and responding to the SYN packet with appropriate responses as a proxy for the server.
  - 4. The method of claim 1 wherein said step of negotiating a secure communications session comprises negotiating an SSL session with the client in place of the server.
  - 5. The method of claim 1 further including:
    - receiving the application data as multi-segment records;
      
      forwarding at least a portion of the decrypted application for each of the records prior to receiving complete records;
      
      discarding the portion of each of the records after forwarding the portion to be discarded; and
      
      authenticating the decrypted application data of each data record using the remaining non-discarded portion of the data record upon receiving a final segment of the multi-segment record.
  - 6. The method of claim 1 wherein the step of forwarding decrypted application data to said one of said plurality of servers comprises forwarding authenticated application data.
  - 7. The method of claim 6 wherein said step of forwarding unauthenticated application data includes the further, subsequent step of authenticating the data.
  - 8. The method of claim 1 wherein, prior to said step of establishing a communications session with one of said plurality of servers, the method includes the step of:
    - selecting one of said plurality of servers to forward said decrypted authentication data to based on a load balancing algorithm tat calculates current processing loads associated with each of the sewers.
  - 9. The method of claim 8 further including the step of:
    - tracking data passing between the client and said one of said plurality of servers.
  - 10. The method of claim 9 wherein said step of tracking comprises:
    - establishing a session tracking database recording, for each session, a session ID, a TCP sequence number and an SSL session number.
  - 11. The method of claim 10 further including tracking, for each session, an initialization vector.

12. An apparatus coupled to a public network and a secure network, communicating with at least one client via the public network and communicating with one of a plurality of servers via the secure network, comprising:
- a network interface communicating with the public network and the secure network;
  
  at least one processor;
  
  programmable dynamic memory addressable by the processor;
  
  a communications channel coupling the processor, memory and network communications interface;
  
  a proxy TCP communications engine;
  
  a proxy SSL communications engine;
  
  a server TCP communications engine; and
  
  a packet data encryption and decryption engine,wherein the proxy SSL communications engine and the server TCP communications engine decrypt encrypted application data from the client at packet level within a network stack of the apparatus, and wherein the proxy SSL communications engine and the server TCP communications engine forward the decrypted application data to the one of the plurality of servers without processing the application data with an application layer of the network stack of the apparatus,wherein the encrypted application data was encrypted by the client at a layer above a packet level within a network stack of the client.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The apparatus of claim 12 further comprising a negotiation manager that enables the apparatus as a TCP and SSL proxy for the server.
  - 14. The apparatus of claim 12 further including a load balancing engine to direct application data between the at least one client and said one of said plurality of servers by copying the data from an SSL communications session established by the SSL communications engine to a server TCP session established by the server TCP communications engine.
  - 15. The apparatus of claim 12 wherein the encryption and decryption engine decrypts encrypted packet data to produce application data.
  - 16. The apparatus of claim 12 further including a session tracking database having at least one record per communication session between the client and server.
  - 17. The apparatus of claim 16 wherein said at least one record includes a TCP sequence number and an SSL sequence number.
  - 18. The apparatus of claim 16 further including a recovery manager using said database to recover from communication errors.
  - 19. The apparatus of claim 12 wherein the packet data encryption and decryption engine decrypts packets from SSL data which spans over multiple TCP segments and forwards packet data to a server which is not authenticated.
  - 20. The apparatus of claim 19,wherein said packet data encryption and decryption engine includes an authentication process which authenticates the decrypted data after a final segment of a multi-segment encrypted data record is received, andwherein the authentication process discards at least a portion of the data record after forwarding the portion to be discarded and authenticates decrypted data using the remaining portion of the data record after the final segment is received.
  - 21. The apparatus of claim 12 wherein said data is not buffered during decryption.
  - 22. The apparatus of claim 12 wherein said data is buffered for a length sufficient to complete a block cipher used to encrypt the data.

23. A method of providing secure communications between a plurality of customer devices and an enterprise, comprising:
- providing a device enabled for secure communication with the customer devices and having an IP address of the enterprise;
  
  receiving with an intermediate device communications directed to the enterprise in secure protocol, wherein the secure protocol provides encrypted application data that was encrypted by one of the customer devices at a session layer above a packet level within a network stack of the customer device;
  
  decrypting data packets of the secure protocol to provide decrypted packet data at the packet-level of a network stack of the intermediate device;
  
  bypassing the application layer of the network stack of the intermediate device and forwarding the decrypted packet data from the intermediate device to at least one server of the enterprise without processing the decrypted packet data with the application layer;
  
  receiving application data from a secure server of the enterprise;
  
  encrypting the application data received from the enterprise; and
  
  forwarding encrypted application data to the customer device.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The method of claim 23 wherein the secure communication hi SSL protocol encrypted application data.
  - 25. The method of claim 23 wherein said step of receiving comprises the sub steps of initiating a communication session with the enterprise and negotiating a secure communication session with the device.
  - 26. The method of claim 23 further including the step of negotiating an open communications session with said at least one server of the enterprise and wherein said step of forwarding includes forwarding decrypted data via the open communications session.
  - 27. The method of claim 23 wherein said step of receiving communications includes receiving a plurality of secure communications sessions from a plurality of customers.
  - 28. The method of claim 27 further including a step of selecting one of a plurality of enterprise servers to which to direct data in said step of forwarding said decrypted packet data.
  - 29. The method of claim 28 further including the step of tracking each communications session between each of said plurality of customers and an associated one of said plurality of enterprise servers.

30. A method for secure communications between a client device and one of a plurality of servers performed on an intermediary device coupled to the client device and said plurality of servers, comprising:
- (a) establishing an open communications session between the intermediary device and the client device via an open network;
  
  (b) negotiating a secure communications session between the intermediary device and the client device;
  
  (c) establishing an open communications session between the intermediary device and said one of said plurality of servers via a secure network;
  
  (d) receiving encrypted application data from the client device via the secure communications session, wherein the encrypted application data was encrypted by the client device by encrypting application data at a session layer or above within a network stack of the client;
  
  (e) decrypting the encrypted application data;
  
  (f) bypassing an application layer of a network stack of the intermediate device and forwarding the decrypted application data from the intermediate device to the server via the secure network without processing the decrypted application data with the application layer;
  
  (g) receiving application data from the server via the secure network;
  
  (h) encrypting the application data;
  
  (i) sending encrypted application data to the client device;
  
  (j) detecting a communications anomaly in a communications session between the client device and the intermediary device; and
  
  (k) passing TCP data between the client device and the server through the intermediary device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Gannesan, Elango, Freed, Michael
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
CHEN, SHIN HON

Application Number

US09/900,496
Publication Number

US 20030014628A1
Time in Patent Office

1,985 Days
Field of Search

713/153, 713/150, 713/151, 713/155, 713/160, 709/228, 714/4
US Class Current

713/151
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/166   at the transport layer

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/163   In-band adaptation of TCP d...

Secure sockets layer proxy architecture

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Secure sockets layer proxy architecture

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links