Secure session capability using public-key cryptography without access to the private key

US 8,782,774 B1
Filed: 03/07/2013
Issued: 07/15/2014
Est. Priority Date: 03/07/2013
Status: Active Grant

First Claim

Patent Images

1. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising:

receiving a message from the client device that initiates a procedure to establish the secure session between the client device and the first server;

transmitting a digital certificate to the client device that includes a public key;

receiving, from the client device, a premaster secret that has been encrypted using the public key, wherein the first server does not include the private key that can decrypt the encrypted premaster secret;

transmitting the encrypted premaster secret to the second server for decryption;

receiving, from the second server, the premaster secret that has been decrypted;

generating a master secret using the decrypted premaster secret;

generating, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server;

receiving, from the client device over the secure session, an encrypted request for a resource of a domain of the second server, wherein the second server is an origin server;

decrypting the encrypted request;

retrieving the requested resource from the second server;

generating a response that includes the retrieved resource;

encrypting the generated response; and

transmitting, to the client device over the secure session, the encrypted response.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

92 Citations

View as Search Results

17 Claims

1. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising:
- receiving a message from the client device that initiates a procedure to establish the secure session between the client device and the first server;
  
  transmitting a digital certificate to the client device that includes a public key;
  
  receiving, from the client device, a premaster secret that has been encrypted using the public key, wherein the first server does not include the private key that can decrypt the encrypted premaster secret;
  
  transmitting the encrypted premaster secret to the second server for decryption;
  
  receiving, from the second server, the premaster secret that has been decrypted;
  
  generating a master secret using the decrypted premaster secret;
  
  generating, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server;
  
  receiving, from the client device over the secure session, an encrypted request for a resource of a domain of the second server, wherein the second server is an origin server;
  
  decrypting the encrypted request;
  
  retrieving the requested resource from the second server;
  
  generating a response that includes the retrieved resource;
  
  encrypting the generated response; and
  
  transmitting, to the client device over the secure session, the encrypted response.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the first server and the second server are owned by different entities.
  - 3. The method of claim 1, wherein the first server receives the message from the client device that initiates the procedure to establish the secure session between the client device and the first server as a result of a Domain Name System (DNS) request for a domain, for which the client device is attempting to establish the secure session, resolving to an IP address of the first server.
  - 4. The method of claim 1, wherein the decrypted premaster secret is received over a secure session between the first server and the second server.
  - 5. The method of claim 4, further comprising:
    - as part of establishing the secure session between the first server and the second server, the first server transmitting a digital certificate of the first server to the second server.
  - 6. The method of claim 1, wherein retrieving the requested resource from the second server includes transmitting an encrypted request for the requested resource over a secure session between the first server and the second server.

7. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising:
- receiving, from the client device, a Client Hello message;
  
  in response to the received Client Hello message, transmitting a Server Hello message to the client device;
  
  transmitting, to the client device, a Server Certificate message that includes one or more digital certificates;
  
  transmitting, to the client device, a Server Hello Done message;
  
  receiving, from the client device, a Client Key Exchange message that includes an encrypted premaster secret;
  
  transmitting, to the second server, the encrypted premaster secret for decryption;
  
  receiving, from the second server, a message that includes the decrypted premaster secret;
  
  receiving, from the client device, a first Change Cipher Spec message;
  
  receiving, from the client device, a first Finished message;
  
  transmitting, to the client device, a second Change Cipher Spec message;
  
  transmitting, to the client device, a second Finished message;
  
  receiving, from the client device over the secure session, an encrypted request for a resource of a domain of the second server, wherein the second server is an origin server;
  
  decrypting the encrypted request;
  
  retrieving the requested resource from the second server;
  
  generating a response that includes the retrieved resource;
  
  encrypting the generated response; and
  
  transmitting, to the client device over the secure session, the encrypted response.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein the first server and the second server are owned or operated by different entities.
  - 9. The method of claim 7, wherein the decrypted premaster secret is received over a secure session between the first server and the second server.
  - 10. The method of claim 9, further comprising:
    - as part of establishing the secure session between the first server and the second server, the first server transmitting, to the second server, a client Certificate message that includes a digital certificate of the first server.
  - 11. The method of claim 7, wherein retrieving the requested resource from the second server includes transmitting an encrypted request for the requested resource over a secure session between the first server and the second server.

12. An apparatus, comprising:
- a server including a set of one or more processors and a set of one or more non-transitory computer-readable storage mediums storing instructions, that when executed by the set of processors, cause the set of processors to perform the following operations;
  
  receive a message from a client device that initiates a procedure to establish a secure session between the client device and the server;
  
  transmit a digital certificate to the client device that includes a public key;
  
  receive, from the client device, a premaster secret that has been encrypted using the public key, wherein the server does not include the private key that can decrypt the encrypted premaster secret;
  
  transmit the encrypted premaster secret to a different server for decryption, wherein the different server is an origin server;
  
  receive the decrypted premaster secret;
  
  generate a master secret using the received decrypted premaster secret;
  
  generate, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the server;
  
  receive, from the client device over the secure session, an encrypted request for a resource of a domain of the origin server;
  
  decrypt the encrypted request;
  
  retrieve the requested resource from the origin server;
  
  generate a response that includes the retrieved resource;
  
  encrypt the generated response; and
  
  transmit, to the client device over the secure session, the encrypted response.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The apparatus of claim 12, wherein the server and the different server are owned by different entities.
  - 14. The apparatus of claim 12, wherein the server receives the message from the client device that initiates the procedure to establish the secure session between the client device and the server as a result of a Domain Name System (DNS) request for a domain, in which the client device is attempting to establish the secure session, resolving to an IP address of the first server.
  - 15. The apparatus of claim 12, wherein the decrypted premaster secret is received over a secure session between the server and the different server.
  - 16. The apparatus of claim 15, wherein the set of non-transitory computer-readable storage mediums further stores instructions, that when executed by the set of processors, cause the set of processors to perform the following operations:
    - as part of the establishment of the secure session between the server and the different server, the server transmits a digital certificate of itself to the different server for the different server to authenticate an identity of the server.
  - 17. The apparatus of claim 12, wherein the operation to retrieve the requested resource from the origin server includes a transmission of an encrypted request for the requested resource over a secure session between the server and the origin server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
CloudFlare Incorporated
Inventors
Pahl, Sbastien Andreas Henry, Tourne, Matthieu Philippe Franois, Bejjani, Ray Raymond, Knecht, Dane Orion, Prince, Matthew Browning, Graham-Cumming, John, Holloway, Lee Hahn, Sikora, Piotr, Strasheim, Albertus
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Pan, Joseph

Application Number

US13/788,784
Time in Patent Office

495 Days
Field of Search

726/2, 726/4, 726/6, 726/10, 726/15, 713/156, 713/165, 709/237
US Class Current

726/15
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 2463/061   applying further key deriva...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0869   involving random numbers or...

H04L 9/3263   involving certificates, e.g...

Secure session capability using public-key cryptography without access to the private key

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Secure session capability using public-key cryptography without access to the private key

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others