Method and system for providing persistence in a secure network access

US 9,210,163 B1
Filed: 05/30/2014
Issued: 12/08/2015
Est. Priority Date: 09/03/2002
Status: Active Grant

First Claim

Patent Images

1. A blade device, comprising:

one or more interface devices for communicating information to and from the blade device; and

one or more processors operable to execute executable instructions to perform actions, comprising;

receiving from a client device a first message;

in response, establishing a first secure communications session with the client device by performing a first security handshake with the client device, the first security handshake including a first client certificate received from the client device, the first security handshake employing a first secure communications protocol;

associating a first communications with the client device to a target server;

receiving a second message from the client device, the second message including a second client certificate associated with the client device that is equivalent to the first client certificate, the second message being a second security handshake with the client device;

in response, employing the first secure communications session with the client device to perform the second security handshake with the client device that employs the first secure communications protocol; and

identifying the target server for a second communications session with the client device based on the second client certificate, wherein the second client certificate includes a public key security certificate, and wherein the second secure communications session is directed towards resuming the first secure communications session, and wherein a session identifier is provided with the second received message for use in establishing the second secure communications session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing persistence in a secure network access by using a client certificate sent by a client device to maintain the identity of a target. A security handshake is performed with a client device to establish a secure session. A target is determined. A client certificate is associated with the target. During subsequent secure sessions, the client certificate is used to maintain persistent communications between the client and a target. A session ID can be used in combination with the client certificate, by identifying the target based on the session ID or the client certificate, depending on which one is available in a client message.

Citations

15 Claims

1. A blade device, comprising:
- one or more interface devices for communicating information to and from the blade device; and
  
  one or more processors operable to execute executable instructions to perform actions, comprising;
  
  receiving from a client device a first message;
  
  in response, establishing a first secure communications session with the client device by performing a first security handshake with the client device, the first security handshake including a first client certificate received from the client device, the first security handshake employing a first secure communications protocol;
  
  associating a first communications with the client device to a target server;
  
  receiving a second message from the client device, the second message including a second client certificate associated with the client device that is equivalent to the first client certificate, the second message being a second security handshake with the client device;
  
  in response, employing the first secure communications session with the client device to perform the second security handshake with the client device that employs the first secure communications protocol; and
  
  identifying the target server for a second communications session with the client device based on the second client certificate, wherein the second client certificate includes a public key security certificate, and wherein the second secure communications session is directed towards resuming the first secure communications session, and wherein a session identifier is provided with the second received message for use in establishing the second secure communications session.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The blade device of claim 1, wherein the first secure communications protocol and comprises at least one of an Internet Protocol (IP) Security (Sec) protocol, a Secure Sockets Layer (SSL) protocol, or a Transport Layer Security Protocol (TLS).
  - 3. The blade device of claim 1, wherein the one or more processors are operable to store data indicating a mapping between at least one of the first or the second client certificates and a session identifier.
  - 4. The blade device of claim 1, wherein communications between the target server and the blade device are configured such that there is a one to one correspondence between each client side secure communications session and target server communications session.
  - 5. The blade device of claim 1, wherein communications between the target server and the blade device are configured such that secure communications sessions with one or more client devices is directed towards a same secure communications session between the target server and the blade device.

6. A system, comprising:
- a plurality of server devices; and
  
  one or more processor devices interposed between a client device and the plurality of server devices, the processor devices perform actions, including;
  
  receiving from a client device a first message;
  
  in response, establishing a first secure communications session with the client device by performing a first security handshake with the client device, the first security handshake including a first client certificate received from the client device, the first security handshake employing a first secure communications protocol;
  
  associating a first communications with the client device to a target server;
  
  receiving a second message from the client device, the second message including a second client certificate associated with the client device that is equivalent to the first client certificate, the second message being a second security handshake with the client device;
  
  in response, employing the first secure communications session with the client device to perform the second security handshake with the client device that employs the first secure communications protocol; and
  
  identifying the target server for a second communications session with the client device based on the second client certificate, wherein the second client certificate includes a public key security certificate, and wherein the second secure communications session is directed towards resuming the first secure communications session, and wherein a session identifier is provided with the second received message for use in establishing the second secure communications session.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the first secure communications protocol and comprises at least one of an Internet Protocol (IP) Security (Sec) protocol, a Secure Sockets Layer (SSL) protocol, or a Transport Layer Security Protocol (TLS).
  - 8. The system of claim 6, wherein the one or more processors are operable to store data indicating a mapping between at least one of the first or the second client certificates and a session identifier.
  - 9. The system of claim 6, wherein communications between the target server and the blade device are configured such that there is a one to one correspondence between each client side secure communications session and target server communications session.
  - 10. The system of claim 6, wherein communications between the target server and the blade device are configured such that secure communications sessions with one or more client devices is directed towards a same secure communications session between the target server and the blade device.

11. An apparatus having stored thereon computer-executable instructions that when installed on a computing device having one or more processors, performs actions, comprising:
- receiving from a client device a first message;
  
  in response, establishing a first secure communications session with the client device by performing a first security handshake with the client device, the first security handshake including a first client certificate received from the client device, the first security handshake employing a first secure communications protocol;
  
  associating a first communications with the client device to a target server;
  
  receiving a second message from the client device, the second message including a second client certificate associated with the client device that is equivalent to the first client certificate, the second message being a second security handshake with the client device;
  
  in response, employing the first secure communications session with the client device to perform the second security handshake with the client device that employs the first secure communications protocol; and
  
  identifying the target server for a second communications session with the client device based on the second client certificate, wherein the second client certificate includes a public key security certificate, and wherein the second secure communications session is directed towards resuming the first secure communications session, and wherein a session identifier is provided with the second received message for use in establishing the second secure communications session.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein the first secure communications protocol and comprises at least one of an Internet Protocol (IP) Security (Sec) protocol, a Secure Sockets Layer (SSL) protocol, or a Transport Layer Security Protocol (TLS).
  - 13. The apparatus of claim 11, wherein the one or more processors are operable to store data indicating a mapping between at least one of the first or the second client certificates and a session identifier.
  - 14. The apparatus of claim 11, wherein communications between the target server and the blade device are configured such that there is a one to one correspondence between each client side secure communications session and target server communications session.
  - 15. The apparatus of claim 11, wherein communications between the target server and the blade device are configured such that secure communications sessions with one or more client devices is directed towards a same secure communications session between the target server and the blade device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Hughes, John R., Masters, Richard Roderick, Gilde, Robert George
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US14/291,935
Time in Patent Office

557 Days
Field of Search

713/156
US Class Current

1/1
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/3263   involving certificates, e.g...

Method and system for providing persistence in a secure network access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing persistence in a secure network access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links