Bufferless secure sockets layer architecture
First Claim
1. A method for enabling secure communication between a client on an open network and a server apparatus on a secure network, the method performed on an intermediary apparatus coupled to the secure network and the open network, comprising:
negotiating, with the intermediary apparatus, a secure communications session with the client via the open network, wherein the secure communications session provides for communication of application data from the client to the intermediary apparatus via a plurality of security records, and wherein one or more of the security records includes encrypted application data spanning multiple data packets;
negotiating, with the intermediary apparatus, an open communications session with the server via the secure network;
receiving, with the intermediary apparatus, one or more of the data packets for a first one of the security records using the secure communications session;
prior to receiving a final packet of the first one of the security records, processing the one or more data packets of the first one of the security records with the intermediary apparatus by decrypting the encrypted application data in the received data packets, forwarding decrypted, unauthenticated application data from the intermediary apparatus to the server via the secure network prior to authenticating the first one of the security records with the intermediary apparatus, and discarding at least a portion of the decrypted, unauthenticated application data for the first one of the security records; and
upon receipt of the final packet of the first one of the security records, processing a remaining, non-discarded portion of the decrypted, unauthenticated application data for the first one of the security records to authenticate the first one of the security records with the intermediary apparatus.
Abstract
A method for enabling secure communication between a client on an open network and a server apparatus on a secure network. The method is generally performed on an intermediary apparatus coupled to the secure network and the open network. The method includes the steps of negotiating a secure communications session with the client apparatus via the open network; negotiating an open communications session with the server via the secure network; receiving encrypted packet application data having a length greater than a packet length via multiple data packets; decrypting the encrypted packet application data in each data packet; forwarding decrypted, unauthenticated application data to the server via the secure network; and authenticating the decrypted packet data on receipt of a final packet of the segment.
16 Claims
1. Independent claim, reproduced in full above under First Claim. Dependent claims: 2, 3, 4, 5.
6. A method for processing encrypted data transferred between a first system and a second system, comprising:
providing an accelerator device including a decryption engine in communication with the first system via an open network and the second system via a secure network;
receiving encrypted application data from the first system via the open network in the form of security records communicated through a secure communications session, wherein one or more of the security records span multiple packets, and wherein a last packet of the multiple packets in each of the security records includes information for authenticating the application data contained within that security record;
as the multiple packets are received for any of the plurality of security records, processing the multiple packets for that security record by:
(i) decrypting, with the accelerator device, the application data contained within the multiple packets;
(ii) forwarding the decrypted application data from the accelerator device to the second system via the secure network as the multiple packets of the security record are decrypted by the accelerator device;
(iii) buffering, with the accelerator device, a first portion of the decrypted application data for the security record and discarding a second portion prior to authentication of the application data of the security record; and
(iv) after discarding the second portion of the decrypted application data for the security record and upon receiving the information for authenticating the application data in the last of the multiple packets for the security record, authenticating the buffered, first portion of the application data of the security record.
Dependent claims: 7, 8, 9, 10, 11, 12.
13. A method of providing secure communications using limited buffer memory in an intermediary device, the secure communications providing a plurality of secure socket layer (SSL) records over an SSL session, the method comprising:
receiving, with the intermediary device, encrypted data for a portion of an SSL record, wherein the SSL record has a length greater than a TCP segment carrying said data;
buffering the encrypted data of the received portion of the SSL record in a memory buffer in the intermediary device, the buffer having a length equivalent to a block cipher size necessary to perform the cipher;
decrypting, with the intermediary device, the buffered portion of the encrypted data to provide decrypted application data;
forwarding the decrypted application data from the intermediary device to a destination device prior to authenticating the SSL record with the intermediary device; and
authenticating the data with the intermediary device on receipt of a final segment of the encrypted data by the intermediary device after forwarding the unauthenticated application data of the SSL security record.
Dependent claims: 14, 15, 16.
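The streaming record handling claimed in claims 1, 6 and 13, as an added Python illustration that is not part of the patent or of any product: the intermediary holds at most one partial cipher block of ciphertext (the block-sized buffer of claim 13), forwards each decrypted segment toward the server immediately, keeps only the running MAC state in place of the forwarded plaintext (the retained "first portion"), and checks the record MAC only when the final segment arrives. The hash-based counter-mode cipher, HMAC-SHA256 as the record MAC, the keys and the request bytes are all constructed stand-ins; a real deployment uses the negotiated SSL cipher suite and record layout.

```python
import hashlib, hmac, struct
MAC_LEN = 32   # HMAC-SHA256 tag, stand-in for the record MAC that ends each SSL record
BLOCK = 16     # cipher block size: the proxy holds at most one partial block of ciphertext

def keystream_block(key, counter):
    # Constructed stand-in PRF (hash-based counter mode), not a real TLS cipher suite.
    return hashlib.sha256(key + struct.pack(">Q", counter)).digest()[:BLOCK]

def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def make_record(enc_key, mac_key, plaintext):
    """Client side: record body = plaintext || MAC(plaintext), encrypted block by block."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return b"".join(xor(body[i:i + BLOCK], keystream_block(enc_key, i // BLOCK))
                    for i in range(0, len(body), BLOCK))

class StreamingRecordProcessor:
    """Intermediary: decrypt each TCP segment on arrival, forward at once, verify MAC at the end."""
    def __init__(self, enc_key, mac_key, record_len, forward):
        self.enc_key, self.forward = enc_key, forward
        self.data_len = record_len - MAC_LEN      # record length is known from its header
        self.mac = hmac.new(mac_key, digestmod=hashlib.sha256)
        self.pending, self.counter, self.plain_seen, self.tag = b"", 0, 0, b""

    def feed(self, segment, final=False):
        buf = self.pending + segment
        cut = len(buf) if final else len(buf) - len(buf) % BLOCK   # whole blocks only
        plain = b"".join(xor(buf[i:i + BLOCK], keystream_block(self.enc_key, self.counter + k))
                         for k, i in enumerate(range(0, cut, BLOCK)))
        self.counter += (cut + BLOCK - 1) // BLOCK
        self.pending = buf[cut:]                  # the one partial block we buffer
        app_end = max(0, min(len(plain), self.data_len - self.plain_seen))
        self.plain_seen += len(plain)
        app, self.tag = plain[:app_end], self.tag + plain[app_end:]
        if app:
            self.mac.update(app)                  # hash state replaces storing the plaintext
            self.forward(app)                     # reaches the server before authentication
        if final:                                 # MAC verdict only on the final segment
            return hmac.compare_digest(self.mac.digest(), self.tag)

def run(segments, record_len, enc_key, mac_key):
    # Feed the TCP segments of one record; return (bytes already forwarded, MAC verdict).
    forwarded = []
    proc = StreamingRecordProcessor(enc_key, mac_key, record_len, forwarded.append)
    verdict = None
    for n, seg in enumerate(segments):
        verdict = proc.feed(seg, final=(n == len(segments) - 1))
    return b"".join(forwarded), verdict
```

When a segment is tampered with, `run` still returns the full (corrupted) plaintext as already forwarded and only then a False verdict, which is the property a deployment of this design has to handle by aborting the session toward the server on a failed check.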