Secure session capability using public-key cryptography without access to the private key
First Claim
1. A non-transitory machine-readable storage medium of a first server that provides instructions that, when executed by a processor of the first server, cause the processor to perform operations for establishing a secure session with a client device, the operations comprising:
- receiving, from the client device, a Client Hello message that includes a first random value;
- in response to the received Client Hello message, transmitting a Server Hello message to the client device that includes a second random value;
- transmitting, to the client device, a Server Certificate message that includes one or more digital certificates;
- transmitting, to the client device, a Server Hello Done message;
- receiving, from the client device, a Client Key Exchange message that includes an encrypted premaster secret, wherein the first server does not have access to a private key that can decrypt the encrypted premaster secret;
- transmitting, to a second server that has access to the private key that is capable of decrypting the encrypted premaster secret, the encrypted premaster secret, the first random value, the second random value, and an indication of a negotiated cipher suite between the client device and the first server;
- receiving, from the second server, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server that were generated at least using a master secret that is generated using a premaster secret that is decrypted from the encrypted premaster secret, the first random value, the second random value, and the negotiated cipher suite between the client device and the first server;
- receiving, from the client device, a first Change Cipher Spec message;
- receiving, from the client device, a first Finished message;
- transmitting to the client device, a second Change Cipher Spec message; and
- transmitting, to the client device, a second Finished message.
Abstract
A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret and session keys for the secure session. The different server decrypts the encrypted premaster secret, generates the master secret, and generates session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server and transmits those session keys to that server.
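The split described in the abstract, as an added example that is not code from the patent or from any implementation of it: the first server only forwards what it saw on the wire, and the second server decrypts the premaster secret and returns session keys. It assumes TLS 1.2 key derivation (the RFC 5246 PRF with SHA-256), which the page does not specify, and uses unpadded RSA over toy Mersenne primes in place of a real certificate key; all class and function names are hypothetical.

```python
import hashlib
import hmac

def prf(secret, label, seed, n):
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256 over label + seed."""
    seed, out = label + seed, b""
    a = seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

# Key material sizes in bytes per cipher suite: (MAC key, cipher key, fixed IV)
SUITES = {"TLS_RSA_WITH_AES_128_CBC_SHA256": (32, 16, 0),
          "TLS_RSA_WITH_AES_128_GCM_SHA256": (0, 16, 4)}

def session_keys(pms, client_random, server_random, suite):
    """Premaster secret -> master secret -> key block, split per direction."""
    master = prf(pms, b"master secret", client_random + server_random, 48)
    mac, key, iv = SUITES[suite]
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac + key + iv))
    keys, off = {}, 0
    for name, size in (("client_mac", mac), ("server_mac", mac),
                       ("client_key", key), ("server_key", key),
                       ("client_iv", iv), ("server_iv", iv)):
        keys[name], off = block[off:off + size], off + size
    return keys

class KeyServer:
    """Second server: the only party that holds the private exponent."""
    def __init__(self):
        p, q = 2**521 - 1, 2**607 - 1      # toy Mersenne primes, NOT a real key
        self.n, self.e = p * q, 65537      # public half, as a certificate would carry
        self._d = pow(self.e, -1, (p - 1) * (q - 1))

    def derive(self, enc_pms, client_random, server_random, suite):
        # Textbook RSA stands in for the real padded decryption (assumption).
        pms = pow(enc_pms, self._d, self.n).to_bytes(48, "big")
        return session_keys(pms, client_random, server_random, suite)

def edge_handshake(key_server, client_random, server_random, enc_pms, suite):
    """First server: sends the four handshake values, receives keys only."""
    return key_server.derive(enc_pms, client_random, server_random, suite)

def client_encrypt_pms(pms, n, e):
    """Client side: encrypt the 48-byte premaster secret to the public key."""
    return pow(int.from_bytes(pms, "big"), e, n)
```

The first server never sees the private exponent or the premaster secret, but it does hold the resulting session keys, so the channel between the two servers needs its own authentication and encryption.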
15 Claims
10. A non-transitory machine-readable storage medium of a first server that provides instructions that, when executed by a processor of the first server, cause the processor to perform operations for establishing a secure session with a client device, the operations comprising:
- receiving a message from the client device that initiates a handshake procedure to establish a secure session between the client device and the first server;
- negotiating a set of cryptographic parameters between the client device and the first server for the secure session, wherein negotiating the set of cryptographic parameters includes the first server receiving an encrypted premaster secret from the client device, wherein the first server does not have access to a key to decrypt the encrypted premaster secret;
- transmitting at least some of the negotiated set of cryptographic parameters to a second server to create a set of one or more session keys to be used in the secure session, wherein the transmitted at least some of the negotiated set of cryptographic parameters includes the encrypted premaster secret;
- receiving, from the second server, the set of session keys; and
- completing the handshake procedure with the client device including installing the set of session keys to be used during the secure session with the client device.
Specification