SSL step-up

US 6,094,485 A
Filed: 09/18/1997
Issued: 07/25/2000
Est. Priority Date: 09/18/1997
Status: Expired due to Term

First Claim

Patent Images

1. A process for determining the strongest legally permissible level of cryptographic service in an electronic network, comprising the steps of:

performing a first handshake between a client and a server to establish a session that uses export strength encryption, wherein a connection is established using an export cipher suite;

examining with said client a server certificate obtained as part of said first handshake;

transferring application data that are protected by said export cipher suite if said server is not approved for a stronger level of cryptographic service;

initiating a second handshake allowing a stronger cipher suite if said server is approved for a stronger level of cryptographic service; and

transferring application data that are protected by said stronger cipher suite;

wherein said server certificate is required by said client to determine if said server is approved;

wherein said server certificate is not available to said client at the time that it must send said list of cipher suites during said first handshake; and

wherein said first handshake must be performed with weaker, export strength cryptography.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process is provided that allows an exportable SSL client to negotiate an encrypted session using strong encryption with a server if the server is allowed to use strong encryption. With this process, the SSL client is normally limited to export strength encryption. But, when it is communicating with an approved server, it is able to expand the available set of encryption algorithms to include stronger algorithms/key lengths. The process involves performing an SSL handshake twice. The process begins when a client, i.e. a user, wants to establish a session with a server. The client first initiates a network connection to the server. The first handshake between an export client and an approved server results in an SSL session that uses export strength encryption. This establishes a connection using an exportable cipher suite. The client examines the server'"'"'s certificate obtained as part of the first handshake. If the server is not approved, the SSL session transfers application data that are protected by the export cipher. If the server is approved, then the client initiates a second handshake, this time allowing stronger cipher suites. The result of the second handshake is an SSL session that uses strong encryption. The SSL session may then be used to transfer application data that are protected by the strong cipher suite. At this point, the process is complete.

342 Citations

28 Claims

1. A process for determining the strongest legally permissible level of cryptographic service in an electronic network, comprising the steps of:
- performing a first handshake between a client and a server to establish a session that uses export strength encryption, wherein a connection is established using an export cipher suite;
  
  examining with said client a server certificate obtained as part of said first handshake;
  
  transferring application data that are protected by said export cipher suite if said server is not approved for a stronger level of cryptographic service;
  
  initiating a second handshake allowing a stronger cipher suite if said server is approved for a stronger level of cryptographic service; and
  
  transferring application data that are protected by said stronger cipher suite;
  
  wherein said server certificate is required by said client to determine if said server is approved;
  
  wherein said server certificate is not available to said client at the time that it must send said list of cipher suites during said first handshake; and
  
  wherein said first handshake must be performed with weaker, export strength cryptography.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The process of claim 1, wherein said session is a secure socket layer (SSL) session.
  - 3. The process of claim 1, further comprising the step of:
    - sending with said client sends a list of cipher suites said client allows before said server sends said server certificate.
  - 4. The process of claim 1, wherein said client has said server certificate and can determine if said server is approved for stronger cryptography after said first handshake is complete.
  - 5. The process of claim 4, wherein said client performs said second handshake with said expanded list of cipher suites.
  - 6. The process of claim 1, further comprising the step of:
    - verifying that said server is approved for stronger cryptography based on said server certificate.
  - 7. The process of claim 6, wherein said server certificate comprises a certificate chain consisting of said server certificate, zero or more intermediate certification authority (CA) certificates, and a trusted root CA certificate.
  - 8. The process of claim 6, wherein said verification step comprises the steps of:
    - initiating a session;
      
      providing with said server a server certificate, wherein said server certificate and any intermediate certification authority (CA) certificates must contain a certificate extension, wherein a trusted root CA certificate must be on a list of CAs that is built into said client and that are known to be approved for issuing special certificates that allow for the use of stronger cryptography, wherein said list is built into said client and is configurable by a user; and
      
      approving said certificate for stronger cryptography if said certificate is on said list, wherein session may proceed using strong encryption.
  - 9. The process of claim 8, said verification step further comprising the steps of:
    - determining if said certificate has an approved extension if said certificate is not on said list;
      
      finding an issuer certificate; and
      
      comparing said issuer certificate to said list again if said certificate does not have an approved extension.
  - 10. The process of claim 9, wherein said certificate extension is an extended key usage extension.
  - 11. The process of claim 1, wherein the order in which said handshakes are performed is reversed.
  - 12. The process of claim 11, comprising the steps of:
    - negotiating a session using strong cryptography;
      
      sending data using strong cryptography if said server certificate is approved; and
      
      renegotiating down to a weaker export grade cipher suite if said server certificate is not approved.
  - 13. The process of claim 1, wherein one handshake is required for approved servers and two handshakes are required for non-approved servers.
  - 14. The process of claim 1, wherein one handshake is required for non-approved servers and two handshakes a required for approved servers.

15. An apparatus for determining the strongest legally permissible level of cryptographic service in an electronic network, comprising:
- means for performing a first handshake between a client and a server to establish a session that uses export strength encryption, wherein a connection is established using an export cipher suite;
  
  means for examining with said client a server certificate obtained as part of said first handshake;
  
  means for transferring application data that are protected by said export cipher suite if said server is not approved for a stronger level of cryptographic service;
  
  means for initiating a second handshake allowing a stronger cipher suite if said server is approved for a stronger level of cryptographic service; and
  
  means for transferring application data that are protected by said stronger cipher suite;
  
  wherein said server certificate is required by said client to determine if said server is approved;
  
  wherein said server certificate is not available to said client at the time that it must send said list of cipher suites during said first handshake; and
  
  wherein said first handshake must be performed with weaker, export strength cryptography.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The apparatus of claim 15, wherein said session is a secure socket layer (SSL) session.
  - 17. The apparatus of claim 15, further comprising:
    - means for sending with said client sends a list of cipher suites said client allows before said server sends said server certificate.
  - 18. The apparatus of claim 17, wherein said client has said server certificate and can determine if said server is approved for stronger cryptography after said first handshake is complete.
  - 19. The apparatus of claim 18, wherein said client performs said second handshake with said expanded list of cipher suites.
  - 20. The apparatus of claim 15, further comprising:
    - means for verifying that said server is approved for stronger cryptography based on said server certificate.
  - 21. The apparatus of claim 20, wherein said server certificate comprises a certificate chain consisting of said server certificate, zero or more intermediate certification authority (CA) certificates, and a trusted root CA certificate.
  - 22. The apparatus of claim 20, wherein said verification means comprises:
    - means for initiating a session;
      
      means for providing with said server a server certificate, wherein said server certificate and any intermediate certification authority (CA) certificates must contain an certificate extension, wherein a trusted root CA certificate must be on a list of CAs that is built into said client and that are known to be approved for issuing special certificates that allow for the use of stronger cryptography, wherein said list is built into said client and is configurable by a user; and
      
      means for approving said certificate for stronger cryptography if said certificate is on said list, then the certificate, wherein session may proceed using strong encryption.
  - 23. The apparatus of claim 22, said verification means further comprising:
    - means for determining if said certificate has an approved extension if said certificate is not on said list;
      
      means for finding an issuer certificate; and
      
      means for comparing said issuer certificate to said list again if said certificate does not have an approved extension.
  - 24. The apparatus of claim 23, wherein said certificate extension is an extended key usage extension.
  - 25. The apparatus of claim 15, wherein the order in which said handshakes are performed is reversed.
  - 26. The apparatus of claim 25 comprising:
    - means for negotiating a session using strong cryptography;
      
      means for sending data using strong cryptography if said server certificate is approved; and
      
      means for renegotiating down to a weaker export grade cipher suite if said server certificate is not approved.
  - 27. The apparatus of claim 15, wherein one handshake is required for approved servers and two handshakes are required for non-approved servers.
  - 28. The apparatus of claim 15, wherein one handshake is required for non-approved servers and two handshakes a required for approved servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
Netscape Communications Corporation (Apollo Global Management, Inc.)
Inventors
Elgamal, Taher, Weinstein, Jeff, Weinstein, Tom
Primary Examiner(s)
Swann, Tod R.
Assistant Examiner(s)
JACK, TODD M

Application Number

US08/933,127
Time in Patent Office

1,041 Days
Field of Search

380/30, 380/45
US Class Current

380/30
CPC Class Codes

H04L 63/105   Multiple levels of security

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

SSL step-up

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

342 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

SSL step-up

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

342 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links