Systems and methods for bulk encryption and decryption of transmitted data

US 8,352,728 B2
Filed: 08/21/2006
Issued: 01/08/2013
Est. Priority Date: 08/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method for using a network appliance to efficiently buffer and encrypt data for transmission, the method comprising:

(a) receiving, by an appliance via a first transport layer connection, a first SSL record, the first SSL record comprising a first encrypted message, the appliance configured with a cryptographic processing card to perform bulk encryption;

(b) decrypting, by the cryptographic processing card, the first encrypted message to produce a first decrypted message at the output;

(c) storing, by the appliance for later processing by the same cryptographic processing card, the first decrypted message from the output of the cryptographic processing card to a buffer until detection of one of a plurality of predetermined transmission conditions monitored by the appliance;

(d) receiving, by the appliance via the first transport layer connection, a second SSL record, the second SSL record comprising a second encrypted message;

(e) decrypting, by the cryptographic processing card, the second encrypted message to produce a second decrypted message at the output;

(e-1) storing, by the appliance for later processing by the same cryptographic processing card, the second decrypted message with the first decrypted message to the buffer until detection of one of the plurality of predetermined transmission conditions, a packet processing engine of the appliance configured to, upon detection of each of the plurality of predetermined transmission conditions, instruct the cryptographic processing card to combine the stored first and second messages to produce a third SSL record, encrypt the third SSL record and upon encryption transmit the encrypted third SSL record;

(f) communicating, by the packet processing engine, responsive to detecting that a transmittal condition of the plurality of predetermined transmittal conditions has occurred for the first transport layer connection, the buffered first decrypted message, the buffered second decrypted message, and the instruction to the same cryptographic processing card;

(g) receiving, by the appliance from the same cryptographic processing card for transmission via a second transport layer connection, an encrypted third SSL record produced from the first decrypted message and a portion of the second decrypted message; and

(h) transmitting, by the appliance via the second transport layer connection, the third SSL record.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for using a network appliance to efficiently buffer and encrypt data for transmission includes: receiving, by an appliance via a connection, two or more SSL records comprising encrypted messages; decrypting the two or more messages; buffering, by the appliance, the two ore more decrypted messages; determining, by the appliance, that a transmittal condition has been satisfied; encrypting, by the appliance in response to the determination, the first decrypted message and a portion of the second decrypted message to produce a third SSL record; and transmitting, by the appliance via a second connection, the third record. Corresponding systems are also described.

26 Citations

View as Search Results

20 Claims

1. A method for using a network appliance to efficiently buffer and encrypt data for transmission, the method comprising:
- (a) receiving, by an appliance via a first transport layer connection, a first SSL record, the first SSL record comprising a first encrypted message, the appliance configured with a cryptographic processing card to perform bulk encryption;
  
  (b) decrypting, by the cryptographic processing card, the first encrypted message to produce a first decrypted message at the output;
  
  (c) storing, by the appliance for later processing by the same cryptographic processing card, the first decrypted message from the output of the cryptographic processing card to a buffer until detection of one of a plurality of predetermined transmission conditions monitored by the appliance;
  
  (d) receiving, by the appliance via the first transport layer connection, a second SSL record, the second SSL record comprising a second encrypted message;
  
  (e) decrypting, by the cryptographic processing card, the second encrypted message to produce a second decrypted message at the output;
  
  (e-1) storing, by the appliance for later processing by the same cryptographic processing card, the second decrypted message with the first decrypted message to the buffer until detection of one of the plurality of predetermined transmission conditions, a packet processing engine of the appliance configured to, upon detection of each of the plurality of predetermined transmission conditions, instruct the cryptographic processing card to combine the stored first and second messages to produce a third SSL record, encrypt the third SSL record and upon encryption transmit the encrypted third SSL record;
  
  (f) communicating, by the packet processing engine, responsive to detecting that a transmittal condition of the plurality of predetermined transmittal conditions has occurred for the first transport layer connection, the buffered first decrypted message, the buffered second decrypted message, and the instruction to the same cryptographic processing card;
  
  (g) receiving, by the appliance from the same cryptographic processing card for transmission via a second transport layer connection, an encrypted third SSL record produced from the first decrypted message and a portion of the second decrypted message; and
  
  (h) transmitting, by the appliance via the second transport layer connection, the third SSL record.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein step (a) comprises receiving, by an appliance via a connection, a plurality of packets, the plurality of packets comprising a first SSL record, the first record comprising a first encrypted message.
  - 3. The method of claim 1, wherein step (a) comprises receiving, by an appliance via a connection, a first SSL record, the first record comprising a first encrypted message, a header, and a message authentication code.
  - 4. The method of claim 1, wherein step (f) comprises determining, by the appliance, that the length of one or more buffered messages exceeds a given threshold.
  - 5. The method of claim 1, wherein step (f) comprises determining, by the appliance, that the length of one or more buffered messages equals or exceeds a maximum quantum size of a second connection, the maximum quantum determined with respect to at least one of:
    - a TCP maximum segment size, a type of cipher, and an SSL protocol version.
  - 6. The method of claim 1, wherein step (f) comprises determining, by the appliance, that the second decrypted message indicates the end of an HTTP transaction.
  - 7. The method of claim 1, wherein step (f) comprises determining, by the appliance, that the second decrypted message comprises a TCP push indication.
  - 8. The method of claim 1, wherein step (f) comprises determining, by the appliance, that a transmission timer corresponding to one of the first or second decrypted messages has expired.
  - 9. The method of claim 1, wherein step (f) comprises determining, by the appliance, the second decrypted message comprises an indication that the transmission has concluded.
  - 10. The method of claim 1, wherein step (a) comprises receiving, by an appliance via a connection, a plurality of SSL records, the plurality of SSL records comprising a plurality of encrypted messages.

11. A computer implemented system for efficiently buffering and encrypting data for transmission, the system comprising:
- a network appliance which receives, via a first transport layer connection, a first SSL record, the first SSL record comprising a first encrypted message, the network appliance configured with a cryptographic processing card to perform bulk encryption;
  
  wherein the cryptographic processing card decrypts the first encrypted message to produce a first decrypted message at the output, and the network appliance stores the first decrypted message from the output of the cryptographic processing card to a buffer for later processing by the same cryptographic processing card, the first decrypted message stored in the buffer until detection of one of a plurality of predetermined transmission conditions monitored by the network appliance;
  
  wherein the network appliance receives, via the first transport layer connection, a second SSL record, the second SSL record comprising a second encrypted message, the cryptographic processing card decrypts the second encrypted message to produce a second decrypted message at the output, and the network appliance stores for later processing by the same cryptographic processing card the second decrypted message to the buffer with the first decrypted message, the first decrypted message and second decrypted message stored in the buffer until detection of one of the plurality of predetermined transmission conditions, a packet processing engine of the appliance configured to, upon detection of each of the plurality of predetermined transmission conditions, instruct the cryptographic processing card to combine the stored first and second message to produce a third SSL record, encrypt the third SSL record and upon encryption transmit the encrypted third SSL record; and
  
  wherein the packet processing engine communicates, responsive to detecting that a transmittal condition of the plurality of predetermined transmittal conditions has occurred for the first transport layer connection, the first decrypted message, the second decrypted message from the buffer and the instruction to the same cryptographic processing card, the network appliance receiving from the cryptographic processing card for transmission via a second transport layer connection, the encrypted third SSL record produced from the first decrypted message and a portion of the second decrypted message; and
  
  transmits, via the second transport layer connection, the third SSL record.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the appliance receives, via a connection, a plurality of packets, the plurality of packets comprising a first SSL record, the first SSL record comprising a first encrypted message.
  - 13. The system of claim 11, wherein the appliance receives, via a connection, a first SSL record, the first record comprising a first encrypted message, a header, and a message authentication code.
  - 14. The system of claim 11, wherein the appliance determines that the length of one or more buffered messages exceeds a given threshold.
  - 15. The system of claim 11, wherein the appliance determines that the length of one or more buffered messages equals or exceeds a maximum segment size of a second connection.
  - 16. The system of claim 11, wherein the appliance determines that the second decrypted message indicates the end of an HTTP transaction.
  - 17. The system of claim 11, wherein the appliance determines that the second decrypted message comprises a TCP push indication.
  - 18. The system of claim 11, wherein the appliance determines that a transmission timer corresponding to one of the first or second decrypted messages has expired.
  - 19. The system of claim 11, wherein the appliance determines the second decrypted message comprises an indication that the transmission has concluded.
  - 20. The system of claim 11, wherein the appliance receives, via a connection, a plurality of SSL records, the plurality of SSL records comprising a plurality of encrypted messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Suganthi, Josephine, Kanekar, Tushar, Udupa, Sivaprasad
Primary Examiner(s)
Laforgia, Christian
Assistant Examiner(s)
OLION, BRIAN L

Application Number

US11/466,033
Publication Number

US 20080046714A1
Time in Patent Office

2,332 Days
Field of Search

713151-181
US Class Current

713/153
CPC Class Codes

H04L 63/0428 wherein the data content is...

Systems and methods for bulk encryption and decryption of transmitted data

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for bulk encryption and decryption of transmitted data

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links