Transport layer security latency mitigation

US 9,787,643 B2
Filed: 01/30/2015
Issued: 10/10/2017
Est. Priority Date: 01/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of operating a client proxy, comprising:

sending a client hello message from the client proxy to initiate an authentication protocol handshake with a server device on behalf of a client device;

receiving, at the client proxy, a server hello message and a server certificate from the server device;

in response to receiving the server hello message, forwarding, from the client proxy to the client device, the server hello message and the server certificate; and

in response to receiving the server hello message, generating, at the client proxy, a client key exchange message and a client finished message to send to the server device on behalf of the client device to perform the authentication protocol handshake; and

establishing, based on at least the client key exchange message, a secured network session between the client device and the server device to transport computer network data;

wherein the client proxy connects with the client device at a higher latency delay than with the server device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments include a method of utilizing a proxy device to mitigate latency related to a transport layer security (TLS) handshake protocol. The proxy device can be an untrusted proxy of a server or a client. The proxy device can negotiate cipher suites on behalf of its principal (e.g., the server or the server) without storing private keys of its principal. The use of the proxy device can reduce a typical two round-trips taken between the server and the client into a single round-trip.

5 Citations

View as Search Results

19 Claims

1. A computer-implemented method of operating a client proxy, comprising:
- sending a client hello message from the client proxy to initiate an authentication protocol handshake with a server device on behalf of a client device;
  
  receiving, at the client proxy, a server hello message and a server certificate from the server device;
  
  in response to receiving the server hello message, forwarding, from the client proxy to the client device, the server hello message and the server certificate; and
  
  in response to receiving the server hello message, generating, at the client proxy, a client key exchange message and a client finished message to send to the server device on behalf of the client device to perform the authentication protocol handshake; and
  
  establishing, based on at least the client key exchange message, a secured network session between the client device and the server device to transport computer network data;
  
  wherein the client proxy connects with the client device at a higher latency delay than with the server device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, further comprising:
    - generating the client hello message in response to detecting a modified bit in a transmission control protocol (TCP) negotiation;
      
      wherein the client proxy is configured to recognize the modified bit as an intend to initiate the authentication protocol handshake; and
      
      wherein sending the client hello message includes sending the generated client hello message.
  - 3. The computer-implemented method of claim 2, further comprising:
    - receiving a plurality of client random numbers from the client device before and asynchronous from sending the client hello message to the server device; and
      
      wherein the generated client hello message includes a client random number from the plurality of client random numbers.
  - 4. The computer-implemented method of claim 3, further comprising:
    - tracking the client random number included in the generated client hello message in a client session database.
  - 5. The computer-implemented method of claim 3, further comprising:
    - receiving a plurality of cipher suite parameters according to one or more cipher suites from the client device before and asynchronous from sending the client hello message to the server device; and
      
      wherein generating the client key exchange message at the client proxy is based on at least a subset of the plurality of cipher suite parameters.
  - 6. The computer-implemented method of claim 1, further comprising:
    - receiving the client hello message from the client device at the client proxy; and
      
      wherein sending the client hello message from the client proxy to the server device is in response to receiving the client hello message at the client proxy.
  - 7. The computer-implemented method of claim 6, further comprising:
    - receiving a cipher suite prediction from the client device when receiving the client hello message; and
      
      wherein generating the client key exchange message is based on the cipher suite prediction.
  - 8. The computer-implemented method of claim 7, further comprising:
    - verifying that the cipher suite prediction matches a cipher suite indicated in the server hello message; and
      
      wherein generating the client key exchange message is in response to verifying that the cipher suite prediction matches the cipher suite.
  - 9. The computer-implemented method of claim 1, wherein the server device is oblivious that the client proxy is proxying for the client device.
  - 10. The computer-implemented method of claim 1, wherein the server device is oblivious of the existence of the client device.

11. A server proxy comprising:
- a physical processor configured to execute instructions to implement a process, wherein the process includes;
  
  pre-populating a server random number and a server cipher suite parameter from a server device to the server proxy;
  
  receiving, at the server proxy, a client hello message from a client device to initiate an authentication protocol handshake with the server device;
  
  in response to receiving the client hello message, generating, at the server proxy, a server hello message and a server certificate message based on the server random number and the server cipher suite parameter to send to the client device; and
  
  in response to receiving the client hello message, forwarding the client hello message from the server proxy to the server device; and
  
  establishing, based on at least the client hello message, a secured network session between the client device and the server device to transport computer network data;
  
  wherein the client device is oblivious that the server proxy is proxying for the server device and wherein the server device is oblivious of existence of the client device.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The server proxy of claim 11, wherein said receiving the server random number includes receiving a plurality of server random numbers and a plurality of server cipher suite parameters.
  - 13. The server proxy of claim 11, wherein said receiving the server random number is prior to and asynchronous from receiving the client hello message that initiates the authentication protocol handshake.
  - 14. The server proxy of claim 11, wherein sending to or receiving from the server device involves communicating through a backhaul network.
  - 15. The server proxy of claim 11, wherein the process further includes:
    - receiving a client key exchange message, a client change spec message, and a client finished message from the client device; and
      
      forwarding the client key exchange message, the client change spec message, and the client finished message to the server device.
  - 16. The server proxy of claim 11, wherein the process further includes:
    - receiving a server change spec message and a server change spec message from the server device; and
      
      forwarding the server change spec message and the server finished message to the client device.

17. A non-transitory computer-readable storage memory storing computer-executable instructions comprising:
- instructions for tracking a prediction of a cipher suite having a set of cipher suite parameters associated with a server device;
  
  instructions for sending the set of cipher suite parameters to a client proxy serving on behalf of a client device;
  
  instructions for initiating an authentication protocol handshake with the server device via the client proxy;
  
  instructions for receiving a server hello message and a server certificate from the client proxy;
  
  instructions for generating a set of session keys based on the server hello message and the server certificate in response to receiving the server hello message; and
  
  instructions for establishing, based on at least the set of session keys, a secured network session between the client device and the server device to transport computer network data,wherein the client proxy connects with the client device at a higher latency delay than with the server device.
- View Dependent Claims (18, 19)
- - 18. The non-transitory computer-readable storage memory of claim 17, further comprising:
    - instructions for generating a client hello message; and
      
      instructions for sending the client hello message along with the set of cipher suite parameters to the client proxy.
  - 19. The non-transitory computer-readable storage memory of claim 17, further comprising:
    - instructions for generating a set of client random numbers; and
      
      instructions for sending the set of client random numbers along with the set of cipher suite parameters to the client proxy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Inventors
Bohannon, Philip Lewis
Primary Examiner(s)
SCOTT, RANDY A

Application Number

US14/610,870
Publication Number

US 20160226827A1
Time in Patent Office

984 Days
Field of Search

713153, 713155, 713164, 713166, 713168, 726 2, 726 7, 726 12
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/168   above the transport layer

Transport layer security latency mitigation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

5 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Transport layer security latency mitigation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links