Secure session capability using public-key cryptography without access to the private key
First Claim
1. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising:
- receiving a message from the client device that initiates a procedure to establish the secure session between the client device and the first server;
transmitting a digital certificate to the client device that includes a public key;
receiving, from the client device, a premaster secret that has been encrypted using the public key, wherein the first server does not include the private key that can decrypt the encrypted premaster secret;
transmitting the encrypted premaster secret to the second server for decryption;
receiving, from the second server, the premaster secret that has been decrypted;
generating a master secret using the decrypted premaster secret;
generating, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server;
receiving, from the client device over the secure session, an encrypted request for a resource of a domain of the second server, wherein the second server is an origin server;
decrypting the encrypted request;
retrieving the requested resource from the second server;
generating a response that includes the retrieved resource;
encrypting the generated response; and
transmitting, to the client device over the secure session, the encrypted response.
2 Assignments
0 Petitions
Accused Products
Abstract
A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
92 Citations
17 Claims
-
1. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising:
-
receiving a message from the client device that initiates a procedure to establish the secure session between the client device and the first server; transmitting a digital certificate to the client device that includes a public key; receiving, from the client device, a premaster secret that has been encrypted using the public key, wherein the first server does not include the private key that can decrypt the encrypted premaster secret; transmitting the encrypted premaster secret to the second server for decryption; receiving, from the second server, the premaster secret that has been decrypted; generating a master secret using the decrypted premaster secret; generating, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server; receiving, from the client device over the secure session, an encrypted request for a resource of a domain of the second server, wherein the second server is an origin server; decrypting the encrypted request; retrieving the requested resource from the second server; generating a response that includes the retrieved resource; encrypting the generated response; and transmitting, to the client device over the secure session, the encrypted response. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising:
-
receiving, from the client device, a Client Hello message; in response to the received Client Hello message, transmitting a Server Hello message to the client device; transmitting, to the client device, a Server Certificate message that includes one or more digital certificates; transmitting, to the client device, a Server Hello Done message; receiving, from the client device, a Client Key Exchange message that includes an encrypted premaster secret; transmitting, to the second server, the encrypted premaster secret for decryption; receiving, from the second server, a message that includes the decrypted premaster secret; receiving, from the client device, a first Change Cipher Spec message; receiving, from the client device, a first Finished message; transmitting, to the client device, a second Change Cipher Spec message; transmitting, to the client device, a second Finished message; receiving, from the client device over the secure session, an encrypted request for a resource of a domain of the second server, wherein the second server is an origin server; decrypting the encrypted request; retrieving the requested resource from the second server; generating a response that includes the retrieved resource; encrypting the generated response; and transmitting, to the client device over the secure session, the encrypted response. - View Dependent Claims (8, 9, 10, 11)
-
-
12. An apparatus, comprising:
a server including a set of one or more processors and a set of one or more non-transitory computer-readable storage mediums storing instructions, that when executed by the set of processors, cause the set of processors to perform the following operations; receive a message from a client device that initiates a procedure to establish a secure session between the client device and the server; transmit a digital certificate to the client device that includes a public key; receive, from the client device, a premaster secret that has been encrypted using the public key, wherein the server does not include the private key that can decrypt the encrypted premaster secret; transmit the encrypted premaster secret to a different server for decryption, wherein the different server is an origin server; receive the decrypted premaster secret; generate a master secret using the received decrypted premaster secret; generate, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the server; receive, from the client device over the secure session, an encrypted request for a resource of a domain of the origin server; decrypt the encrypted request; retrieve the requested resource from the origin server; generate a response that includes the retrieved resource; encrypt the generated response; and transmit, to the client device over the secure session, the encrypted response. - View Dependent Claims (13, 14, 15, 16, 17)
Specification