Distribution of secure data with entitlement enforcement

US 10,230,695 B2
Filed: 01/11/2017
Issued: 03/12/2019
Est. Priority Date: 01/11/2017
Status: Active Grant

First Claim

Patent Images

1. A method for distributing content received over an encrypted connection to one or more clients, comprising:

receiving, by a proxy from a client, a first encrypted request for content over a first encrypted connection;

obtaining, by the proxy, an unencrypted version of the first encrypted request, the unencrypted version associated with authentication information being associated with the client;

sending, by a content streamer, over a second encrypted connection entitlement data and a second encrypted request for the content to a repository, the repository storing the content, the entitlement data being based on the authentication information, an authentication of the second encrypted request being based on the entitlement data, and the second encrypted request being based on the first encrypted request;

downloading by the content streamer the content from the repository over the second encrypted connection if the second encrypted request is authenticated;

storing by the proxy the requested content in unencrypted form in a cache; and

streaming by the proxy the requested content to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method for distributing content includes receiving a first encrypted request for content over a first encrypted connection from a client. The method also includes obtaining an unencrypted version of the first encrypted request. The unencrypted version is associated with authentication information associated with the client. The method further includes sending over a second encrypted connection entitlement data and a second encrypted request for the content to a repository. The repository stores the content, the entitlement data is based on the authentication information, and an authentication of the second encrypted request is based on the entitlement data. The method also includes downloading the content from the repository over the second encrypted connection, storing the requested content in unencrypted form in a cache, and streaming the requested content to the client.

7 Citations

View as Search Results

20 Claims

1. A method for distributing content received over an encrypted connection to one or more clients, comprising:
- receiving, by a proxy from a client, a first encrypted request for content over a first encrypted connection;
  
  obtaining, by the proxy, an unencrypted version of the first encrypted request, the unencrypted version associated with authentication information being associated with the client;
  
  sending, by a content streamer, over a second encrypted connection entitlement data and a second encrypted request for the content to a repository, the repository storing the content, the entitlement data being based on the authentication information, an authentication of the second encrypted request being based on the entitlement data, and the second encrypted request being based on the first encrypted request;
  
  downloading by the content streamer the content from the repository over the second encrypted connection if the second encrypted request is authenticated;
  
  storing by the proxy the requested content in unencrypted form in a cache; and
  
  streaming by the proxy the requested content to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the first encrypted request includes second authentication information associated with the client, the method further comprising:
    - authenticating, by a reverse proxy, the first encrypted request in accordance with the second authentication information;
      
      if the first encrypted request is not successfully authenticated, discarding, by the reverse proxy, the first encrypted request; and
      
      if the first encrypted request is successfully authenticated;
      
      unencrypting, by the reverse proxy, the first encrypted request to generate the unencrypted version of the first encrypted request;
      
      establishing, by the reverse proxy, a connection with a caching proxy, the connection being different from the first encrypted connection; and
      
      sending, by the reverse proxy, the unencrypted version of the first encrypted request to the caching proxy over the connection.
  - 3. The method of claim 2, further comprising:
    - storing, by the caching proxy, the unencrypted version of the first encrypted request in the cache.
  - 4. The method of claim 3, further comprising:
    - receiving, at the caching proxy, a second unencrypted version of a third encrypted request for second content, the second unencrypted version being from the reverse proxy;
      
      determining whether the second unencrypted version is stored in the cache; and
      
      in response to a determination that the second unencrypted version is stored in the cache, retrieving, by the caching proxy, the second content from the cache and streaming the second content to a second client that sent the third encrypted request.
  - 5. The method of claim 4, further comprising:
    - determining whether the second unencrypted version is stored in an in-process queue; and
      
      in response to a determination that the second unencrypted version is stored in the in-process queue, multiplexing an existing stream of bytes of the second content to a plurality of clients that sent a request for the second content, wherein the first content is the second content.
  - 6. The method of claim 5, wherein obtaining the unencrypted version of the first encrypted request, sending the entitlement data and the second encrypted request, downloading the content, storing the requested content, and streaming the requested content includes in response to a determination that the second unencrypted version is not stored in the cache and in response to a determination that the second unencrypted version is not in the in-process queue, obtaining the unencrypted version of the first encrypted request, sending the entitlement data and the second encrypted request, downloading the content, storing the requested content, and streaming the requested content.
  - 7. The method of claim 2, wherein the first authentication information is different from the second authentication information.
  - 8. The method of claim 2, wherein the first authentication information is the same as the second authentication information.
  - 9. The method of claim 1, further comprising:
    - terminating the first encrypted connection with the client.
  - 10. The method of claim 1, further comprising:
    - retrieving, based on the authentication information, the entitlement data from an entitlement database.
  - 11. The method of claim 1, further comprising:
    - if the second encrypted request is not successfully authenticated, discarding the second encrypted request; and
      
      if the second encrypted request is successfully authenticated, establishing the second encrypted connection with the repository.

12. A system for distributing content received over an encrypted connection to one or more clients, comprising:
- a reverse proxy that authenticates one or more encrypted requests received from one or more clients over one or more encrypted connections, unencrypts one or more authenticated encrypted requests, and sends the one or more unencrypted requests over a first connection different from the one or more encrypted connections; and
  
  a caching proxy that receives an unencrypted request for content over the first connection and sends authentication information and a second request for the content over a second connection different from the one or more encrypted connections; and
  
  a content streamer that receives the authentication information and the second request over the second connection, retrieves, based on the authentication information, entitlement data from an entitlement database, and sends the entitlement data and an encrypted request for the content over an encrypted connection to a repository storing the content, wherein an authentication of the encrypted request is based on the entitlement data,and wherein the content streamer downloads the content from the repository over the encrypted connection if the encrypted request is authenticated, the caching proxy receives the requested content, caches the requested content in unencrypted form, and streams the requested content to the reverse proxy, and the reverse proxy streams the content to the client.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the second encrypted connection is a Transport Layer Security (TLS) connection.
  - 14. The system of claim 13, wherein the authentication information includes a TLS certificate.
  - 15. The system of claim 12, wherein the authentication information includes a username and password.
  - 16. The system of claim 12, wherein the caching proxy receives a plurality of authenticated requests for the content and deduplicates the plurality of authenticated requests by sending a single request for the content to the content streamer for processing.
  - 17. The system of claim 12, wherein during a period of time, the content streamer downloads the content and streams the content to caching proxy, the caching proxy receives the streamed content from the content streamer and streams the content to the reverse proxy, and the reverse proxy receives the streamed content from the caching proxy and streams the content to the client.
  - 18. The system of claim 12, wherein the caching proxy caches the unencrypted version of the first encrypted request.
  - 19. The system of claim 18, wherein the caching proxy receives a second unencrypted version of a third encrypted request for the content from the reverse proxy and determines whether the second unencrypted version is cached at the caching proxy, wherein in response to a determination that the second unencrypted version is cached at the caching proxy, the caching proxy retrieves the content and streams the content to a second client that sent the third encrypted request.

20. A non-transitory machine-readable storage medium comprising a plurality of machine-readable instructions that when executed by one or more hardware processors is configurable to cause the one or more hardware processors to perform a method comprising:
- receiving, by a proxy from a client, a first encrypted request for content over a first encrypted connection;
  
  obtaining by the proxy an unencrypted version of the first encrypted request, the unencrypted version associated with authentication information being associated with the client;
  
  sending by a content streamer over a second encrypted connection entitlement data and a second encrypted request for the content to a repository, the repository storing the content, the entitlement data being based on the authentication information, an authentication of the second encrypted request being based on the entitlement data, and the second encrypted request being based on the first encrypted request;
  
  downloading by the content streamer the content from the repository over the second encrypted connection if the second encrypted request is authenticated;
  
  storing by the proxy the requested content in unencrypted form in a cache; and
  
  streaming by the proxy the requested content to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Cline, Jeremy, Bouterse, Brian, Barlow, Randall
Primary Examiner(s)
Chai, Longbit

Application Number

US15/403,791
Publication Number

US 20180198762A1
Time in Patent Office

790 Days
Field of Search

726 12
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/166   at the transport layer

Distribution of secure data with entitlement enforcement

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distribution of secure data with entitlement enforcement

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links