Secure sockets layer proxy architecture

US 7,827,404 B1
Filed: 11/06/2006
Issued: 11/02/2010
Est. Priority Date: 07/06/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for secure communications between a client and one of a plurality of servers performed on an intermediate device coupled to the client and the plurality of servers, comprising:

receiving encrypted application data from the client via a secure communications session, wherein the encrypted application data was encrypted by the client device by encrypting application data at a session layer above a packet level of a network stack of the client; and

decrypting the encrypted application data and forwarding the decrypted application data to the server without processing the application data with an application layer of the network stack of the intermediate device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for secure communications between a client and one of a plurality of servers performed on an intermediate device coupled to the client and the plurality of servers.

54 Citations

View as Search Results

20 Claims

1. A method for secure communications between a client and one of a plurality of servers performed on an intermediate device coupled to the client and the plurality of servers, comprising:
- receiving encrypted application data from the client via a secure communications session, wherein the encrypted application data was encrypted by the client device by encrypting application data at a session layer above a packet level of a network stack of the client; and
  
  decrypting the encrypted application data and forwarding the decrypted application data to the server without processing the application data with an application layer of the network stack of the intermediate device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1,wherein forwarding the decrypted application data comprises forwarding the decrypted application data from the intermediate device to the server using a communication session negotiated by the client and the server when the intermediate device operates in a direct mode, andwherein forwarding the decrypted application data comprises forwarding the decrypted application data from the intermediate device to the server using a communication session negotiated by the server and the intermediate device when the intermediate device operates in a proxy mode.
  - 3. The method of claim 2 further comprising negotiating the secure communications session as a Secure Sockets Layer (SSL) session.
  - 4. The method of claim 1,wherein receiving encrypted application data comprise receiving the application data as multi-segment records,and wherein decrypting and forwarding comprises:
    - forwarding at least a portion of the decrypted application data for each of the records prior to receiving complete records;
      
      discarding the portion of each of the records after forwarding the portion to be discarded; and
      
      authenticating the decrypted application data of each record using a remaining non-discarded portion of the record upon receiving a final segment of the multi-segment record.
  - 5. The method of claim 1 wherein forwarding decrypted application data comprises forwarding unauthenticated application data.
  - 6. The method of claim 5 wherein forwarding unauthenticated application data includes subsequently authenticating the data.
  - 7. The method of claim 1 further comprising selecting one of the plurality of servers to which to forward the decrypted authentication data based on a load balancing algorithm that calculates current processing loads associated with each of the servers.
  - 8. The method of claim 1 further comprising tracking data passing between the client and the one of the plurality of servers.
  - 9. The method of claim 8 wherein tracking comprises establishing a session tracking database that records, for each session, a session ID, a Transmission Control Protocol (TCP) sequence number and a Secure Sockets Layer (SSL) session number.
  - 10. The method of claim 9 further comprising tracking, for each session, an initialization vector.

11. An apparatus comprising:
- a communications engine to decrypt encrypted application data from a client at a packet level within a network stack of the apparatus, wherein the encrypted application data was encrypted by the client at a layer above a packet level within a network stack of the client,wherein the communications engine forwards the decrypted application data to a server without processing the application data with an application layer of the network stack of the apparatus.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The apparatus of claim 11,wherein the apparatus supports a direct mode and a proxy mode,wherein, when operating in the direct mode, the communications engine decrypts the data packets and forwards decrypted data packets from the apparatus to the server using a communication session negotiated by the client and the server, andwherein, when operating in the proxy mode, the communications engine forwards decrypted data packets from the apparatus to the server using a communication session negotiated by the server and the apparatus.
  - 13. The apparatus of claim 11 further comprising a negotiation manager that enables the apparatus as a Transmission Control Protocol (TCP) and Secure Sockets Layer (SSL) proxy for the server.
  - 14. The apparatus of claim 11 further including a session tracking database having at least one record per communication session between the client and the server.
  - 15. The apparatus of claim 14 wherein the at least one record includes a TCP sequence number and an SSL sequence number.
  - 16. The apparatus of claim 14 further including a recovery manager using the database to recover from communication errors.
  - 17. The apparatus of claim 11 wherein the communications engine decrypts packets from SSL data that spans over multiple TCP segments.
  - 18. The apparatus of claim 17 wherein the application data is not buffered during decryption.
  - 19. The apparatus of claim 11,wherein the communication engine performs an authentication process that authenticates the decrypted data after a final segment of a multi-segment encrypted data record is received, andwherein the authentication process discards at least a portion of the data record after forwarding the portion to be discarded and authenticates decrypted data using the remaining portion of the data record after the final segment is received.

20. An intermediate network device to be positioned within a network between a client and a server, the intermediate network device comprising:
- a communications engine that is configurable to operate in a direct mode or a proxy mode;
  
  wherein, when operating in the direct mode, the communications engine (i) intercepts encrypted data packets sent by the client on a communication session between the client and the server, (ii) decrypts the data packets, and (iii) forwards decrypted data packets from the intermediate network device to the server using the communication session between the client and the server, andwherein, when operating in the proxy mode, the communications engine (i) receives encrypted data packets sent by the client on a communication session between the client and the intermediate network device, (ii) decrypts the data packets, and (iii) forwards decrypted data packets from the intermediate network device to the server using the communication session between the intermediate network device and the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Gannesan, Elango, Freed, Michael
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US11/556,951
Time in Patent Office

1,457 Days
Field of Search

713/168
US Class Current

713/168
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/166   at the transport layer

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/163   In-band adaptation of TCP d...

Secure sockets layer proxy architecture

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure sockets layer proxy architecture

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links