Bufferless secure sockets layer architecture

US 7,228,412 B2
Filed: 07/06/2001
Issued: 06/05/2007
Est. Priority Date: 07/06/2001
Status: Active Grant

First Claim

Patent Images

1. A method for enabling secure communication between a client on an open network and a server apparatus on a secure network, the method performed on an intermediary apparatus coupled to the secure network and the open network, comprising:

negotiating, with the intermediary apparatus, a secure communications session with the client via the open network, wherein the secure communications session provides for communication of application data from the client to the intermediary apparatus via a plurality of security records, and wherein one or more of the security records includes encrypted application data spanning multiple data packets;

negotiating, with the intermediary apparatus, an open communications session with the server via the secure network;

receiving, with the intermediary apparatus, one or more of the data packets for a first one of the security records using the secure communications session;

prior to receiving a final packet of the first one of the security records, processing the one or more data packets of the first one of the security records with the intermediary apparatus by decrypting the encrypted application data in the received data packets, forwarding decrypted, unauthenticated application data from the intermediary apparatus to the server via the secure network prior to authenticating the first one of the security records with the intermediary apparatus, and discarding at least a portion of the decrypted, unauthenticated application data for the first one of the security records; and

upon receipt of the final packet of the first one of the security records, processing a remaining, non-discarded portion of the decrypted, unauthenticated application data for the first one of the security records to authenticate the first one of the security records with the intermediary apparatus.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for enabling secure communication between a client on an open network and a server apparatus on a secure network. The method is generally performed on a intermediary apparatus coupled to the secure network and the open network. The method includes the steps of negotiating a secure communications session with the client apparatus via the open network; negotiating an open communications session with the server via the secure network; receiving encrypted packet application data having a length greater than a packet length via multiple data packets; decrypting the encrypted packet application data in each data packet; forwarding decrypted, unauthenticated application data to the server via the secure network; and authenticating the decrypted packet data on receipt of a final packet of the segment.

93 Citations

View as Search Results

16 Claims

1. A method for enabling secure communication between a client on an open network and a server apparatus on a secure network, the method performed on an intermediary apparatus coupled to the secure network and the open network, comprising:
- negotiating, with the intermediary apparatus, a secure communications session with the client via the open network, wherein the secure communications session provides for communication of application data from the client to the intermediary apparatus via a plurality of security records, and wherein one or more of the security records includes encrypted application data spanning multiple data packets;
  
  negotiating, with the intermediary apparatus, an open communications session with the server via the secure network;
  
  receiving, with the intermediary apparatus, one or more of the data packets for a first one of the security records using the secure communications session;
  
  prior to receiving a final packet of the first one of the security records, processing the one or more data packets of the first one of the security records with the intermediary apparatus by decrypting the encrypted application data in the received data packets, forwarding decrypted, unauthenticated application data from the intermediary apparatus to the server via the secure network prior to authenticating the first one of the security records with the intermediary apparatus, and discarding at least a portion of the decrypted, unauthenticated application data for the first one of the security records; and
  
  upon receipt of the final packet of the first one of the security records, processing a remaining, non-discarded portion of the decrypted, unauthenticated application data for the first one of the security records to authenticate the first one of the security records with the intermediary apparatus.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein forwarding includes:
    - forwarding data which spans over multiple TCP segments.
  - 3. The method of claim 1wherein the remaining, non-discarded portion of the application data for the first one of the security records is buffered by the intermediary apparatus as a minimal length sufficient to complete a block cipher used to encrypt the data.
  - 4. The method of claim 1 wherein authenticating includes authenticating the decrypted data for the first one of the security records upon receiving a final TCP segment of a multi-segment encrypted data stream and after forwarding the decrypted, unauthenticated application data received prior to the final TCP segment.
  - 5. The method of claim 1 further including, after forwarding the decrypted, unauthenticated application data to the server, notifying the client if a failure in authenticating the first one of the security records occurs.

6. A method for processing encrypted data transferred between a first system and a second system, comprising:
- providing an accelerator device including a decryption engine in communication with the first system via an open network and the second system via a secure network;
  
  receiving encrypted application data from the first system via the open network in the form of security records communicated through a secure communications session, wherein one or more of the security records span multiple packets, and wherein a last packet of the multiple packets in each of the security records includes information for authenticating the application data contained within that security record;
  
  as the multiple packets are received for any of the plurality of security records, processing the multiple packets for that security record by;
  
  (i) decrypting, with the accelerator device, the application data contained within the multiple packets;
  
  (ii) forwarding the decrypted application data from the accelerator device to the second system via the secure network as the multiple pockets of the security record are decrypted by the accelerator device;
  
  (iii) buffering, with the accelerator device, a first portion of the decrypted application data for the security record and discarding a second portion prior to authentication of the application data of the security record; and
  
  (iv) after discarding the second portion of the decrypted application data for the security record and upon receiving the information for authenticating the application data in the last of the multiple packets for the security record, authenticating the buffered, first portion of the application data of the security record.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The method of claim 6 wherein receiving comprises receiving SSL encrypted data.
  - 8. The method of claim 6 wherein decrypting comprises decrypting application data encrypted using SSL and a DES algorithm.
  - 9. The method of claim 6 wherein buffering comprises buffering the application data for a minimal length less than a security record but sufficient to complete a block cipher used to encrypt the data.
  - 10. The method of claim 9 wherein said block cipher is a form of DES.
  - 11. The method of claim 6 wherein authenticating includes alerting the first system if authenticating fails after forwarding the decrypted, unauthenticated application data that is received prior to the last one of the multiple packets.
  - 12. The method of claim 6 wherein authenticating includes generating a reset to the second system if said authenticating fails.

13. A method of providing secure communications using limited buffer memory in an intermediary device, the secure communications providing a plurality of secure socket layer (SSL) records over an SSL session, the method comprising:
- receiving, with the intermediary device, encrypted data for a portion of an SSL record, wherein the SSL record has a length greater than a TCP segment carrying said data;
  
  buffering the encrypted data of the received portion of the SSL record in a memory buffer in the intermediary device, the buffer having a length equivalent to a block cipher size necessary to perform the cipher;
  
  decrypting, with the intermediary device, the buffered portion of the encrypted data to provide decrypted application data;
  
  forwarding the decrypted application data from the intermediary device to a destination device prior to authenticating the SSL record with the intermediary device; and
  
  authenticating the data with the intermediary device on receipt of a final segment of the encrypted data by the intermediary device after forwarding the unauthenticated application data of the SSL security record.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13 wherein the block cipher is 3DES.
  - 15. The method of claim 13 wherein the block cipher is DES.
  - 16. The method of claim 13 further including generating an alert if authenticating results in a failure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Gannesan, Elango, Freed, Michael, Moorthy, Arun
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US09/900,493
Publication Number

US 20030014625A1
Time in Patent Office

2,160 Days
Field of Search

713/153, 713/150, 713/151, 709/228, 726/14
US Class Current

713/153
CPC Class Codes

H04L 63/0485   Networking architectures fo...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

Bufferless secure sockets layer architecture

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Bufferless secure sockets layer architecture

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links