Method and apparatus for providing data from a service to a client based on encryption capabilities of the client

US 7,219,223 B1
Filed: 02/08/2002
Issued: 05/15/2007
Est. Priority Date: 02/08/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of providing data from a service to a client over a telecommunication network based on encryption capabilities of the client, the method comprising the computer-implemented steps of:

at an intermediate server, creating and storing a mapping that associates encryption types to a plurality of available online services, wherein each of the plurality of online services is provided by one or more of a plurality of servers;

wherein the intermediate server is coupled to the client and to the plurality of servers;

at the intermediate server, receiving from the client a request for data and a list of encryption types representing encryption capabilities that are available at the client;

determining an encryption type match by matching the list of encryption types received from the client to the mapping of encryption types to the plurality of online services;

selecting, from the plurality of online services, an online service that can provide the data to the client based on the encryption type match, wherein selecting the online service comprises selecting a particular server from the plurality of servers that provides the online service; and

causing communication of the data from the selected online service to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are disclosed for providing data from a service to a client based on the encryption capabilities of the client. Cipher suite lists are exchanged between a client and an endpoint. On the endpoint, the cipher suite list incorporates a mapping of cipher suite names to services. The endpoint uses the client'"'"'s list of cipher suites in conjunction with the mapping of cipher suite names to services to determine a cipher suite match. A service is selected based on the cipher suite match. A server farm is selected based on the service. The client is informed of this cipher suite match and the endpoint retains knowledge of the cipher suite match throughout the session. Therefore, the encrypted connection between the client and the endpoint can be disconnected and later reestablished to provide data from the particular server.

87 Citations

View as Search Results

38 Claims

1. A method of providing data from a service to a client over a telecommunication network based on encryption capabilities of the client, the method comprising the computer-implemented steps of:
- at an intermediate server, creating and storing a mapping that associates encryption types to a plurality of available online services, wherein each of the plurality of online services is provided by one or more of a plurality of servers;
  
  wherein the intermediate server is coupled to the client and to the plurality of servers;
  
  at the intermediate server, receiving from the client a request for data and a list of encryption types representing encryption capabilities that are available at the client;
  
  determining an encryption type match by matching the list of encryption types received from the client to the mapping of encryption types to the plurality of online services;
  
  selecting, from the plurality of online services, an online service that can provide the data to the client based on the encryption type match, wherein selecting the online service comprises selecting a particular server from the plurality of servers that provides the online service; and
  
  causing communication of the data from the selected online service to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 12)
- - 2. A method as recited in claim 1, further comprising the step of establishing a secure connection with the client, and wherein the receiving step is carried out as part of the establishing step.
  - 3. A method as recited in claim 1, further comprising the step of establishing a secure connection with the client, and wherein the receiving step is carried out as part of the establishing step, wherein the secure connection is established using a security protocol selected from among the set consisting of SSL, PPTP, SSH, and IPSec.
  - 4. A method as recited in claim 1, further comprising the step of establishing a secure connection with the client, and wherein the receiving step is carried out as part of the establishing step, wherein the step of establishing the secure connection further comprises the step of establishing the secure connection with the client using a cipher suite match.
  - 5. The method as recited in claim 1, further comprising the step of establishing a secure connection with the client, and wherein the receiving step is carried out as part of the establishing step, and further comprising the step of disconnecting the secure connection and reestablishing the secure connection using a cipher suite match.
  - 6. The method as recited in claim 1, wherein the mapping of encryption types to services is an ordered mapping of cipher suites to services.
  - 7. The method as recited in claim 1, further comprising the steps of receiving a weight value for one or more of the encryption types, and ordering the mapping of encryption types to services based on the received weight values.
  - 8. A method as recited in claim 1, wherein the encryption type is a cipher suite match.
  - 9. A method as recited in claim 1, wherein the step of selecting an online service that can provide the data to the client based the encryption type match further comprises the step ofselecting a server farm based on the online service, wherein the server farm includes the plurality of servers.
  - 10. A method as recited in claim 1, wherein the step of causing communication further comprises the step of establishing a connection with a non-encrypted protocol for use in communicating a request to the selected service to cause communication of the data from the selected service to the client.
  - 12. A method as recited in claim 1, wherein the mapping of encryption types to services is stored in an SSL termination module.

11. A method of providing data from a service to a client based on encryption capabilities of the client, the method comprising the computer-implemented steps of:
- at an intermediate server, receiving an ordered mapping of cipher suite names to a plurality of services, wherein each of the plurality of services is provided by one or more of a plurality of servers in a server farm;
  
  wherein the intermediate server is coupled to the client and to the plurality of servers in the server farm;
  
  at the intermediate server, receiving from the client a request for data and an ordered list of cipher suites;
  
  determining a cipher suite match by selecting a first common cipher suite in the ordered list of cipher suites and the ordered mapping of cipher suite names to services;
  
  transmitting the cipher suite match to the client;
  
  selecting, from the plurality of services, the service that is associated with the cipher suite match in the ordered mapping;
  
  selecting the server farm based on the service;
  
  selecting a particular server from the plurality of servers in the server farm to provide the data to the client, wherein the particular server provides the service; and
  
  transmitting the data to the client.

13. A method of providing data associated with a service to a client over a telecommunication network based on SSL encryption capabilities of the client, the method comprising the computer-implemented steps of:
- creating and storing, at an SSL termination device, a mapping that associates cipher suites that are supported by the SSL termination device with a plurality of online services that are accessible through the SSL termination device, wherein each of the plurality of services is provided by one or more of a plurality of servers;
  
  wherein the SSL termination device is coupled to the client and to the plurality of servers;
  
  receiving from the client as part of an SSL handshake phase message, a request for data and a list of cipher suites that are available at the client;
  
  matching the cipher suite list received from the client to the mapping to result in identifying at least one cipher suite in common between the cipher suite list and the mapping;
  
  based at least on the mapping, selecting an online service from the plurality of online services that corresponds to the cipher suite in common, wherein selecting the online service comprises selecting a particular server from the plurality of servers that provides the online service; and
  
  causing communication of the data from the selected online service to the client over an SSL connection using encryption parameters as defined in the cipher suite in common.

14. A computer-readable medium carrying one or more sequences of instructions for providing data from a service to a client based on encryption capabilities of the client, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- at an intermediate server, creating and storing a mapping that associates encryption types to a plurality of available online services, wherein each of the plurality of online services is provided by one or more of a plurality of servers;
  
  wherein the intermediate server is coupled to the client and to the plurality of servers;
  
  at the intermediate server, receiving from the client a request for data and a list of encryption types representing encryption capabilities that are available at the client;
  
  determining an encryption type match by matching the list of encryption types received from the client to the mapping of encryption types to the plurality of online services;
  
  selecting, from the plurality of online services, an online service that can provide the data to the client based on the encryption type match, wherein selecting the online service comprises selecting a particular server from the plurality of servers that provides the online service; and
  
  causing communication of the data from the selected online service to the client.

15. An apparatus for providing data from a service to a client based on encryption capabilities of the client, comprising:
- means for executing an intermediate server that is operable to connect to the client and to a plurality of servers;
  
  means for creating and storing, at the intermediate server, a mapping that associates encryption types to a plurality of available online services, wherein each of the plurality of online services is provided by one or more of the plurality of servers;
  
  means for receiving from the client a request for data and a list of encryption types representing encryption capabilities that are available at the client;
  
  means for determining an encryption type match by matching the list of encryption types received from the client to the mapping of encryption types to the plurality of online services;
  
  means for selecting, from the plurality of online services, an online service that can provide the data to the client based on the encryption type match, wherein the means for selecting the online service comprise means for selecting a particular server from the plurality of servers that provides the online service; and
  
  means for causing communication of the data from the selected service to the client.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 27. An apparatus as recited in claim 15, further comprising means for establishing a secure connection with the client, wherein the means for establishing the secure connection include the means for receiving the request from the client.
  - 28. An apparatus as recited in claim 15, further comprising means for establishing a secure connection with the client, wherein the means for establishing the secure connection include the means for receiving the request from the client, wherein the secure connection is established using a security protocol selected from among the set consisting of SSL, PPTP, SSH, and IPSec.
  - 29. An apparatus as recited in claim 15, further comprising means for establishing a secure connection with the client, wherein the means for establishing the secure connection include the means for receiving the request from the client, wherein the means for establishing the secure connection further comprise means for establishing the secure connection with the client using a cipher suite match.
  - 30. An apparatus as recited in claim 15, further comprising:
    - means for establishing a secure connection with the client, wherein the means for establishing the secure connection include the means for receiving the request from the client; and
      
      means for disconnecting the secure connection and reestablishing the secure connection using a cipher suite match.
  - 31. An apparatus as recited in claim 15, wherein the mapping of encryption types to services is an ordered mapping of cipher suites to services.
  - 32. An apparatus as recited in claim 15, further comprising means for receiving a weight value for one or more of the encryption types and means for ordering the mapping of encryption types to services based on the received weight values.
  - 33. An apparatus as recited in claim 15, wherein the encryption type is a cipher suite match.
  - 34. An apparatus as recited in claim 15, wherein the means for selecting an online service that can provide the data to the client based the encryption type match further comprise means for selecting a server farm based on the online service, wherein the server farm includes the plurality of servers.
  - 35. An apparatus as recited in claim 15, wherein the means for causing communication further comprise means for establishing a connection with a non-encrypted protocol for use in communicating a request to the selected service to cause communication of the data from the selected service to the client.
  - 36. An apparatus as recited in claim 15, further comprising an SSL termination module that is operable to store the mapping of encryption types to services.

16. An apparatus for providing data from a service to a client based on encryption capabilities of the client, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  an intermediate server which, when executed by the processor, is operable to connect to the client and to a plurality of servers; and
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  creating and storing, at the intermediate server, a mapping that associates encryption types to a plurality of available online services, wherein each of the plurality of online services is provided by one or more of the plurality of servers;
  
  receiving from the client a request for data and an ordered list of encryption types;
  
  determining an encryption type match by matching the list of encryption types received from the client to the mapping of encryption types to the plurality of online services;
  
  determining a particular server from the plurality of servers to retrieve the data based on the encryption type match, wherein the particular server provides the service which is selected from the plurality of online services; and
  
  causing communication of the data from the particular server to the client.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. An apparatus as recited in claim 16, wherein the one or more stored sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to carry out the step of establishing a secure connection with the client, and wherein the receiving step is carried out as part of the establishing step.
  - 18. An apparatus as recited in claim 16, wherein the one or more stored sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to carry out the step of establishing a secure connection with the client, and wherein the receiving step is carried out as part of the establishing step, wherein the secure connection is established using a security protocol selected from among the set consisting of SSL, PPTP, SSH, and IPSec.
  - 19. An apparatus as recited in claim 16, wherein the one or more stored sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to carry out the step of establishing a secure connection with the client, and wherein the receiving step is carried out as part of the establishing step, wherein the step of establishing the secure connection further comprises the step of establishing the secure connection with the client using a cipher suite match.
  - 20. An apparatus as recited in claim 16, wherein the one or more stored sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to carry out the step of establishing a secure connection with the client, and wherein the receiving step is carried out as part of the establishing step, and further comprising the step of disconnecting the secure connection and reestablishing the secure connection using a cipher suite match.
  - 21. An apparatus as recited in claim 16, wherein the mapping of encryption types to services is an ordered mapping of cipher suites to services.
  - 22. An apparatus as recited in claim 16, wherein the one or more stored sequences of instructions further comprise instructions which, when executed by the processor, cause the processor to carry out the steps of receiving a weight value for one or more of the encryption types, and ordering the mapping of encryption types to services based on the received weight values.
  - 23. An apparatus as recited in claim 16, wherein the encryption type is a cipher suite match.
  - 24. An apparatus as recited in claim 16, wherein the instructions that cause the processor to carry out the step of selecting an online service that can provide the data to the client based the encryption type match further comprise instructions which, when executed by the processor, cause the processor to carry out the step of selecting a server farm based on the online service, wherein the server farm includes the plurality of servers.
  - 25. An apparatus as recited in claim 16, wherein the instructions that cause the processor to carry out the step of causing communication further comprise instructions which, when executed by the processor, cause the processor to carry out the step of establishing a connection with a non-encrypted protocol for use in communicating a request to the selected service to cause communication of the data from the selected service to the client.
  - 26. An apparatus as recited in claim 16, further comprising an SSL termination module that is operable to store the mapping of encryption types to services.

37. An apparatus for providing data from a service to a client based on encryption capabilities of the client, comprising:
- means for executing an intermediate server that is operable to connect to the client and to a plurality of servers in a server farm;
  
  means for receiving an ordered mapping of cipher suite names to a plurality of services, wherein each of the plurality of services is provided by one or more of the plurality of servers in the server farm;
  
  means for receiving from the client a request for data and an ordered list of cipher suites;
  
  means for determining a cipher suite match by selecting a first common cipher suite in the ordered list of cipher suites and the ordered mapping of cipher suite names to services;
  
  means for transmitting the cipher suite match to the client;
  
  means for selecting, from the plurality of services, the service that is associated with the cipher suite match in the ordered mapping;
  
  means for selecting the server farm based on the service;
  
  means for selecting a particular server from the plurality of servers in the server farm to provide the data to the client, wherein the particular server provides the service; and
  
  means for transmitting the data to the client.

38. An apparatus for providing data from a service to a client over a telecommunication network based on Secure Socket Layer (SSL) encryption capabilities of the client, comprising:
- an SSL termination device that is operable to connect to the client and to a plurality of servers;
  
  means for creating and storing, at the SSL termination device, a mapping that associates cipher suites that are supported by the SSL termination device with a plurality of online services that are accessible through the SSL termination device, wherein each of the plurality of services is provided by one or more of the plurality of servers;
  
  means for receiving from the client as part of an SSL handshake phase message, a request for data and a list of cipher suites that are available at the client;
  
  means for matching the cipher suite list received from the client to the mapping to result in identifying at least one cipher suite in common between the cipher suite list and the mapping;
  
  means for selecting, based at least on the mapping, an online service from the plurality of online services that corresponds to the cipher suite in common, wherein the means for selecting the online service comprise means for selecting a particular server from the plurality of servers that provides the online service; and
  
  means for causing communication of the data from the selected online service to the client over an SSL connection using encryption parameters as defined in the cipher suite in common.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bacchus, Shaheed, Dike, Bradley Dale, Wong, Bruce, Kersey, Edward Curt
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Ho; Thomas

Application Number

US10/071,455
Time in Patent Office

1,922 Days
Field of Search

726/1, 726/22, 726/26, 713/150, 713/182, 380/255, 380/277, 705/80, 705/64
US Class Current

713/150
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0428   wherein the data content is...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3249   using RSA or related signat...

H04L 9/3271   using challenge-response

Method and apparatus for providing data from a service to a client based on encryption capabilities of the client

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

87 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing data from a service to a client based on encryption capabilities of the client

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links