SSL step-up
First Claim
1. A process for determining the strongest legally permissible level of cryptographic service in an electronic network, comprising the steps of:
- performing a first handshake between a client and a server to establish a session that uses export strength encryption, wherein a connection is established using an export cipher suite;
examining with said client a server certificate obtained as part of said first handshake;
transferring application data that are protected by said export cipher suite if said server is not approved for a stronger level of cryptographic service;
initiating a second handshake allowing a stronger cipher suite if said server is approved for a stronger level of cryptographic service; and
transferring application data that are protected by said stronger cipher suite;
wherein said server certificate is required by said client to determine if said server is approved;
wherein said server certificate is not available to said client at the time that it must send said list of cipher suites during said first handshake; and
wherein said first handshake must be performed with weaker, export strength cryptography.
7 Assignments
0 Petitions
Accused Products
Abstract
A process is provided that allows an exportable SSL client to negotiate an encrypted session using strong encryption with a server if the server is allowed to use strong encryption. With this process, the SSL client is normally limited to export strength encryption. But, when it is communicating with an approved server, it is able to expand the available set of encryption algorithms to include stronger algorithms/key lengths. The process involves performing an SSL handshake twice. The process begins when a client, i.e. a user, wants to establish a session with a server. The client first initiates a network connection to the server. The first handshake between an export client and an approved server results in an SSL session that uses export strength encryption. This establishes a connection using an exportable cipher suite. The client examines the server'"'"'s certificate obtained as part of the first handshake. If the server is not approved, the SSL session transfers application data that are protected by the export cipher. If the server is approved, then the client initiates a second handshake, this time allowing stronger cipher suites. The result of the second handshake is an SSL session that uses strong encryption. The SSL session may then be used to transfer application data that are protected by the strong cipher suite. At this point, the process is complete.
342 Citations
28 Claims
-
1. A process for determining the strongest legally permissible level of cryptographic service in an electronic network, comprising the steps of:
-
performing a first handshake between a client and a server to establish a session that uses export strength encryption, wherein a connection is established using an export cipher suite; examining with said client a server certificate obtained as part of said first handshake; transferring application data that are protected by said export cipher suite if said server is not approved for a stronger level of cryptographic service; initiating a second handshake allowing a stronger cipher suite if said server is approved for a stronger level of cryptographic service; and transferring application data that are protected by said stronger cipher suite; wherein said server certificate is required by said client to determine if said server is approved; wherein said server certificate is not available to said client at the time that it must send said list of cipher suites during said first handshake; and wherein said first handshake must be performed with weaker, export strength cryptography. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. An apparatus for determining the strongest legally permissible level of cryptographic service in an electronic network, comprising:
-
means for performing a first handshake between a client and a server to establish a session that uses export strength encryption, wherein a connection is established using an export cipher suite; means for examining with said client a server certificate obtained as part of said first handshake; means for transferring application data that are protected by said export cipher suite if said server is not approved for a stronger level of cryptographic service; means for initiating a second handshake allowing a stronger cipher suite if said server is approved for a stronger level of cryptographic service; and means for transferring application data that are protected by said stronger cipher suite; wherein said server certificate is required by said client to determine if said server is approved; wherein said server certificate is not available to said client at the time that it must send said list of cipher suites during said first handshake; and wherein said first handshake must be performed with weaker, export strength cryptography. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
-
Specification