Secure session capability using public-key cryptography without access to the private key
First Claim
Patent Images
1. A method in a first server for establishing a secure session with a client device, the method comprising:
- receiving a first message from the client device that initiates a handshake procedure to establish a secure session between the client device and the first server and transmitting the first message to a second server;
receiving, from the second server, a second message in response to the first message and transmitting the second message to the client device;
receiving, from the second server, a third message that includes a digital certificate and transmitting the third message to the client device;
receiving, from the second server, a fourth message that includes a set of cryptographic parameters that is signed using a private key stored on the second server and not available on the first server and transmitting the fourth message to the client device, wherein the set of cryptographic parameters are to be used by the client device when generating a premaster secret and include a Diffie-Hellman public value selected by the second server;
receiving, from the second server, a fifth message that indicates that a server hello part of the handshake procedure is complete and transmitting the fifth message to the client device;
receiving, from the client device, a sixth message that includes a Diffie-Hellman public value selected by the client device and transmitting the sixth message to the second server;
receiving, from the second server, a seventh message that includes a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server that were generated at least using a master secret that is generated using a premaster secret that is generated using the Diffie-Hellman public value selected by the client device and the Diffie-Hellman public value selected by the second server;
receiving, from the client device, an eighth message that indicates that future messages sent from the client device will be encrypted;
receiving, from the client device, a ninth message that is encrypted according to the session keys;
transmitting, to the client device, a tenth message that indicates that future messages sent to the client device will be encrypted; and
transmitting, to the client device, an eleventh message that is encrypted according to the session keys.
3 Assignments
0 Petitions
Accused Products
Abstract
A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.
-
Citations
21 Claims
-
1. A method in a first server for establishing a secure session with a client device, the method comprising:
-
receiving a first message from the client device that initiates a handshake procedure to establish a secure session between the client device and the first server and transmitting the first message to a second server; receiving, from the second server, a second message in response to the first message and transmitting the second message to the client device; receiving, from the second server, a third message that includes a digital certificate and transmitting the third message to the client device; receiving, from the second server, a fourth message that includes a set of cryptographic parameters that is signed using a private key stored on the second server and not available on the first server and transmitting the fourth message to the client device, wherein the set of cryptographic parameters are to be used by the client device when generating a premaster secret and include a Diffie-Hellman public value selected by the second server; receiving, from the second server, a fifth message that indicates that a server hello part of the handshake procedure is complete and transmitting the fifth message to the client device; receiving, from the client device, a sixth message that includes a Diffie-Hellman public value selected by the client device and transmitting the sixth message to the second server; receiving, from the second server, a seventh message that includes a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server that were generated at least using a master secret that is generated using a premaster secret that is generated using the Diffie-Hellman public value selected by the client device and the Diffie-Hellman public value selected by the second server; receiving, from the client device, an eighth message that indicates that future messages sent from the client device will be encrypted; receiving, from the client device, a ninth message that is encrypted according to the session keys; transmitting, to the client device, a tenth message that indicates that future messages sent to the client device will be encrypted; and transmitting, to the client device, an eleventh message that is encrypted according to the session keys. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A non-transitory computer-readable medium storing instructions, which when executed by a set of one or more processors of a first server, cause the set of processors to perform operations comprising:
-
receiving a first message from the client device that initiates a handshake procedure to establish a secure session between the client device and the first server and transmitting the first message to a second server; receiving, from the second server, a second message in response to the first message and transmitting the second message to the client device; receiving, from the second server, a third message that includes a digital certificate and transmitting the third message to the client device; receiving, from the second server, a fourth message that includes a set of cryptographic parameters that is signed using a private key stored on the second server and not available on the first server and transmitting the fourth message to the client device, wherein the set of cryptographic parameters are to be used by the client device when generating a premaster secret and include a Diffie-Hellman public value selected by the second server; receiving, from the second server, a fifth message that indicates that a server hello part of the handshake procedure is complete and transmitting the fifth message to the client device; receiving, from the client device, a sixth message that includes a Diffie-Hellman public value selected by the client device and transmitting the sixth message to the second server; receiving, from the second server, a seventh message that includes a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server that were generated at least using a master secret that is generated using a premaster secret that is generated using the Diffie-Hellman public value selected by the client device and the Diffie-Hellman public value selected by the second server; receiving, from the client device, an eighth message that indicates that future messages sent from the client device will be encrypted; receiving, from the client device, a ninth message that is encrypted according to the session keys; transmitting, to the client device, a tenth message that indicates that future messages sent to the client device will be encrypted; and transmitting, to the client device, an eleventh message that is encrypted according to the session keys. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. An apparatus comprising:
a first server including a set of one or more processors and a set of one or more non-transitory computer-readable storage mediums storing instructions, that when executed by the set of processors, cause the set of processors to perform the following operations; receive a first message from a client device that initiates a handshake procedure to establish a secure session between the client device and the first server and transmit the first message to a second server; receive, from the second server, a second message in response to the first message and transmit the second message to the client device; receive, from the second server, a third message that includes a digital certificate and transmit the third message to the client device; receive, from the second server, a fourth message that includes a set of cryptographic parameters that is signed using a private key stored on the second server and not available on the first server and transmit the fourth message to the client device, wherein the set of cryptographic parameters are to be used by the client device when generating a premaster secret and include a Diffie-Hellman public value selected by the second server; receive, from the second server, a fifth message that indicates that a server hello part of the handshake procedure is complete and transmit the fifth message to the client device; receive, from the client device, a sixth message that includes a Diffie-Hellman public value selected by the client device and transmit the sixth message to the second server; receive, from the second server, a seventh message that includes a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server that were generated at least using a master secret that is generated using a premaster secret that is generated using the Diffie-Hellman public value selected by the client device and the Diffie-Hellman public value selected by the second server; receive, from the client device, an eighth message that indicates that future messages sent from the client device will be encrypted; receive, from the client device, a ninth message that is encrypted according to the session keys; transmit, to the client device, a tenth message that indicates that future messages sent to the client device will be encrypted; and transmit, to the client device, an eleventh message that is encrypted according to the session keys. - View Dependent Claims (16, 17, 18, 19, 20, 21)
Specification