Method and system for providing persistence in a secure network access

US 8,407,771 B1
Filed: 07/05/2011
Issued: 03/26/2013
Est. Priority Date: 09/03/2002
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

one or more memory devices for storing executable instructions; and

one or more processors operable to execute the executable instructions to perform actions, comprising;

receiving client messages from a plurality of clients and distributing the client messages among a plurality of servers;

performing a first security handshake with one of the plurality of client, the first security handshake including a first identifying data comprising a first client certificate, wherein the first security handshake is a Secure Socket Layer (SSL) handshake;

associating the one of the plurality of clients with a target server;

performing a second security handshake with an other one of the plurality of clients, wherein the second security handshake includes a second identifying data comprising a second client certificate, wherein the second security handshake is a SSL handshake, and the first security handshake establishes a first secure communication session, and the second security handshake establishes a second secure communications session; and

identifying the target server based on the second client certificate, wherein the second client certificate includes a public key security certificate.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing persistence in a secure network access by using a client certificate sent by a client device to maintain the identity of a target. A security handshake is performed with a client device to establish a secure session. A target is determined. A client certificate is associated with the target. During subsequent secure sessions, the client certificate is used to maintain persistent communications between the client and a target. A session ID can be used in combination with the client certificate, by identifying the target based on the session ID or the client certificate, depending on which one is available in a client message.

142 Citations

20 Claims

1. An apparatus, comprising:
- one or more memory devices for storing executable instructions; and
  
  one or more processors operable to execute the executable instructions to perform actions, comprising;
  
  receiving client messages from a plurality of clients and distributing the client messages among a plurality of servers;
  
  performing a first security handshake with one of the plurality of client, the first security handshake including a first identifying data comprising a first client certificate, wherein the first security handshake is a Secure Socket Layer (SSL) handshake;
  
  associating the one of the plurality of clients with a target server;
  
  performing a second security handshake with an other one of the plurality of clients, wherein the second security handshake includes a second identifying data comprising a second client certificate, wherein the second security handshake is a SSL handshake, and the first security handshake establishes a first secure communication session, and the second security handshake establishes a second secure communications session; and
  
  identifying the target server based on the second client certificate, wherein the second client certificate includes a public key security certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1, wherein the one of the plurality of clients and the other one of the plurality of clients are different clients in the plurality of clients, and the first client certificate is transferred between the clients using a removable smart card, the first client certificate being usable as the second client certificate.
  - 3. The apparatus of claim 1, wherein the one or more processors are operable to execute actions, further comprising storing data indicating a mapping between at least one of the first or the second client certificates and a session Identifier (ID).
  - 4. The apparatus of claim 1, wherein the apparatus further comprises:
    - an SSL proxy executing within at least one of the processors, the SSL proxy being configured to receive the client messages, and to perform the first and the second security handshakes; and
      
      a persistence engine executing within at least one of the processors and being configured to receive decrypted client messages from the SSL proxy, maintain persistent connections with the target server, and to send messages to the target server.
  - 5. The apparatus of claim 1, wherein the apparatus further comprises:
    - an incoming SSL proxy executing within at least one of the processors and configured to receive the client messages, and to perform the first and the second security handshakes, and to send the client messages to a persistence engine, wherein the persistence engine executes within at least one of the processors and being configured to receive decrypted client messages from the SSL proxy, maintain persistent connections with the target server; and
      
      an outgoing SSL proxy executing within at least one of the processors and being configured to receive the client messages from the persistence engine, establish SSL sessions with the target server, encrypt the client messages, and to send the encrypted client messages to the target server.
  - 6. The apparatus of claim 1, wherein the apparatus further comprises:
    - an SSL proxy executing within at least one of the processors, the SSL proxy being configured to perform the first and the second security handshakes; and
      
      a persistence engine executing within at least one of the processors and configured to associate the one of the plurality of clients with the target server, and to identify the target server based on the second client certificate.
  - 7. The apparatus of claim 1, wherein the second secure communication session is directed towards resuming the first secure communication session, and wherein a session Identifier (ID) is provided in the second identifying data for use in establishing the second secure communication session.
  - 8. The apparatus of claim 1, wherein the one or more processors operable to execute actions, further comprising:
    - performing a third security handshake with the one of the plurality of clients, the third security handshake including at least one of a third client certificate or a session identifier; and
      
      identifying the target server using the third client certificate when the third security handshake does not include a session identifier, else identifying the target server using the session identifier when the third security handshake does not include the third client certificate.

9. A method of maintaining a communication with a client device on a network having a plurality of targets, comprising:
- receiving client messages from a plurality of clients and distributing the client messages among a plurality of servers;
  
  performing a first security handshake with one of the plurality of client, the first security handshake including a first identifying data that includes one of a first client certificate or a session Identifier (ID), wherein the first security handshake is a Secure Socket Layer (SSL) handshake;
  
  associating the one of the plurality of clients with a target server;
  
  performing a second security handshake with an other one of the plurality of clients, wherein the second security handshake includes a second identifying data, wherein the second security handshake is a SSL handshake, and the first security handshake establishes a first secure communication session, and the second security handshake establishes a second secure communications session; and
  
  identifying the target server based on the second identifying data, wherein the second identifying data includes one of a second client certificate or the session ID.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein the one of the plurality of clients and the other one of the plurality of clients are different clients in the plurality of clients, and the first client certificate is transferred between the clients using a removable smart card, the first client certificate being usable as the second client certificate.
  - 11. The method of claim 9, the method further comprising storing data indicating a mapping between at least one of the first or the second client certificates and the session ID.
  - 12. The method of claim 9, wherein the second secure communication session is directed towards resuming the first secure communication session, and wherein a session Identifier (ID) is provided in the second identifying data for use in establishing the second secure communication session.
  - 13. The method of claim 9, wherein the method further comprises:
    - performing a third security handshake with the one of the plurality of clients, the third security handshake including at least one of a third client certificate or the session ID; and
      
      identifying the target server using the third client certificate when the third security handshake does not include the session ID, else identifying the target server using the session ID when the third security handshake does not include the third client certificate.
  - 14. The method of claim 9, wherein the method is operable within one or more processors, the one or more processors having an SSL proxy and a persistence engine for performing the steps of method 9.
  - 15. The method of claim 14, wherein one of the SSL proxy or the persistence engine is configured to receive the client messages and to provide the client messages to the other of persistence engine or the SSL proxy.

16. A non-transitory computer-readable storage device having stored thereon computer-executable instructions that when installed on a computing device having one or more processors, performs actions, comprising:
- receiving client messages from a plurality of clients and distributing the client messages among a plurality of servers;
  
  performing a first security handshake with one of the plurality of client, the first security handshake including a first identifying data comprising a first client certificate, wherein the first security handshake is a Secure Socket Layer (SSL) handshake;
  
  associating the one of the plurality of clients with a target server;
  
  performing a second security handshake with an other one of the plurality of clients, wherein the second security handshake includes a second identifying data comprising a second client certificate, wherein the second security handshake is a SSL handshake, and the first security handshake establishes a first secure communication session, and the second security handshake establishes a second secure communications session; and
  
  identifying the target server based on the second client certificate, wherein the second client certificate includes a public key security certificate.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable storage device of claim 16, wherein the one of the plurality of clients and the other one of the plurality of clients are different clients in the plurality of clients, and the first client certificate is transferred between the clients using a smart card, the first client certificate being usable at least in part as the second client certificate.
  - 18. The non-transitory computer-readable storage device of claim 16, wherein the actions further comprises storing data indicating a mapping between at least one of the first or the second client certificates and a session Identifier (ID).
  - 19. The non-transitory computer-readable storage device of claim 16, wherein the actions are performed by at least one of an SSL proxy or a persistence engine, wherein:
    - the SSL proxy is configured to receive the client messages, and to perform the first and the second security handshakes; and
      
      the persistence engine is configured to receive decrypted client messages from the SSL proxy, maintain persistent connections with the target server, and to send messages to the target server.
  - 20. The non-transitory computer-readable storage device of claim 16, wherein the actions are performed by at least one of an SSL proxy or a persistence engine, wherein:
    - the SSL proxy is configured to perform the first and the second security handshakes; and
      
      the persistence engine is configured to associate the one of the plurality of clients with the target server, and to identify the target server based on the second client certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Hughes, John R., Masters, Richard Roderick, Gilde, Robert George
Primary Examiner(s)
Parthasarathy, Pramila

Application Number

US13/176,574
Time in Patent Office

630 Days
Field of Search

None
US Class Current

726/6
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/3263   involving certificates, e.g...

Method and system for providing persistence in a secure network access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

142 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing persistence in a secure network access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links