Systems and methods for reducing the number of open ports on a host computer

US11870809B2 · US · B2

Patent metadata

Publication number: US-11870809-B2
Application number: US-202016802326-A
Country: US
Kind code: B2
Filing date: Feb 26, 2020
Priority date: Oct 14, 2016
Publication date: Jan 9, 2024
Grant date: Jan 9, 2024

Abstract

Official abstract text for this publication.

Typically, clients request a service from a computer hosting multiple services by specifying a destination port number associated with the desired service. In embodiments, the functionality of such a host computer is enhanced by having it condition client access to services available at a particular port number based on client authentication and/or authorization. A host computer can change the service(s) available at a given port number on a client by client basis, enabling access to service(s) for trusted clients unavailable to untrusted clients. Preferably, client trust is based on client authentication via a certificate and a valid, signed transport layer security (TLS) handshake (or similar mechanism in other protocol contexts). In some embodiments, an authorization step can be added following authentication. The systems and methods disclosed herein find wide uses in bundling services on ports, as well as protecting access to services from untrusted and/or malicious clients, among others.

Claims

Claim text for this publication.

The invention claimed is:

1. A method of reducing a size of host computer's open port fingerprint, comprising: closing all ports on a host computer except for one or more open ports, each of the one or more open ports associated with a respective application layer service; and, responsive to a request from a client on a particular open port of the one or more open ports, the host computer providing, via the particular open port of the one or more open ports, either (i) a first application layer service that the client associates with a port on the host computer other than the particular open port, upon successful authentication and authorization of the client, or (ii) a second application layer service that the client associates with the particular open port, when any of said authentication and authorization of the client fails; wherein said authentication comprises: the host computer requesting a certificate from the client at the beginning of a transport layer connection between the client and the host computer, the transport layer connection being directed to the particular open port of the one or more open ports; and, receiving the certificate and validating the certificate to authenticate the client; wherein said authorization comprises: authorizing the client for the first application layer service, based at least in part on an identifier for the client as indicated in the certificate.

2. The method of claim 1, where the beginning of the transport layer connection comprises a transport layer security (TLS) protocol handshake.

3. The method of claim 1, wherein the port on the host computer other than the particular open port, with which the first application layer service is associated by the client, comprises one of the closed ports on the host computer.

4. A host computer having a reduced size open port fingerprint, comprising: circuitry forming one or more processors and memory storing computer program instructions for execution on the one or more processors, the computer program instructions comprising instructions that when executed cause the host computer to: close all ports on the host computer except for one or more open ports, each of the one or more open ports associated with a respective application layer service; and, responsive to a request from a client on a particular open port of the one or more open ports, provide to the client, via the particular open port of the one or more open ports, either (i) a first application layer service that the client associates with a port on the host computer other than the particular open port, upon successful authentication and authorization of the client, or (ii) a second application layer service that the client associates with the particular open port, when any of said authentication and authorization of the client fails; wherein said authentication comprises: the host computer requesting a certificate from the client at the beginning of a transport layer connection between the client and the host computer, the transport layer connection being directed to the particular open port of the one or more open ports; and, receiving the certificate and validating the certificate to authenticate the client; wherein said authorization comprises: the host computer authorizing the client for the first application layer service, based at least in part on an identifier for the client as indicated in the certificate.

5. The host computer of claim 4, where the beginning of the transport layer connection comprises a transport layer security (TLS) protocol handshake.

6. The host computer of claim 4, wherein the port on the host computer other than the particular open port, with which the first application layer service is associated by the client, comprises one of the closed ports on the host computer.

7. A non-transitory computer readable medium storing computer program instructions that when executed on one or more processors of a host computer cause the host computer to: close all ports on the host computer except for one or more open ports, each associated with a respective application layer service; and, responsive to a request from a client on a particular open port of the one or more open ports, provide to the client, via the particular open port of the one or more open ports, either (i) a first application layer service that the client associates with a port on the host computer other than the particular open port, upon successful authentication and authorization of the client, or (ii) a second application layer service that the client associates with the particular open port, when any of said authentication and authorization of the client fails; wherein said authentication comprises: the host computer requesting a certificate from the client at the beginning of a transport layer connection between the client and the host computer, the transport layer connection being directed to the particular open port of the one or more open ports; and, receiving the certificate and validating the certificate to authenticate the client; wherein said authorization comprises: the host computer authorizing the client for the first application layer service, based at least in part on an identifier for the client as indicated in the certificate.

8. The non-transitory computer readable medium of claim 7, where the beginning of the transport layer connection comprises a transport layer security (TLS) protocol handshake.

9. The non-transitory computer readable medium of claim 7, wherein the port on the host computer other than the particular open port, with which the first application layer service is associated by the client, comprises one of the closed ports on the host computer.
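Worked example of the port-sharing scheme in claims 1, 4 and 7, added here as illustration; it is not code from the patent or from Akamai. The Go program below assumes a hypothetical authorization table keyed on the certificate subject CN, two hypothetical service names ("public-web" as the service every client expects on the port, "admin-console" as the privileged one), and a throwaway CA generated in memory at start-up; client and host sides talk over an in-memory pipe so it runs offline. The host requests a client certificate at the start of the TLS handshake, validates it against its CA, authorizes on the identifier carried in it, and only then serves the privileged service; a missing, untrusted or unauthorized certificate gets the ordinary service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed example: one open port, two services; which one a client gets is decided per
// connection from its TLS client certificate. The table is a hypothetical authorization list.
const defaultService = "public-web" // what every client expects on this port
var servicesByIdentity = map[string]string{"ops-client": "admin-console"} // subject CN -> privileged service

// selectService is the dispatch rule from the claims: the privileged service only when both
// authentication (chain verifies to our CA) and authorization (CN is in the table) succeed.
func selectService(peer []*x509.Certificate, roots *x509.CertPool) string {
	if len(peer) == 0 {
		return defaultService // no certificate offered
	}
	if _, err := peer[0].Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return defaultService // authentication failed: untrusted issuer, expired, wrong usage
	}
	if svc, ok := servicesByIdentity[peer[0].Subject.CommonName]; ok {
		return svc
	}
	return defaultService // authenticated, but not authorized for anything more
}

// makeCert issues a short-lived P-256 certificate for cn, signed by parent or self-signed when
// parent is nil. In-memory demo PKI; errors are elided because these calls cannot fail here.
func makeCert(cn string, parent *tls.Certificate, isCA bool) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	issuer, signer := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		issuer, signer = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serveOnce is the host side of one connection on the open port. It asks for a client certificate
// but leaves checking to selectService, so a bad certificate degrades to the default service
// instead of a failed handshake. The chosen service announces itself on the first line.
func serveOnce(raw net.Conn, host tls.Certificate, roots *x509.CertPool) {
	defer raw.Close()
	tc := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{host},
		ClientAuth: tls.RequestClientCert, MinVersion: tls.VersionTLS12})
	if tc.Handshake() != nil {
		return
	}
	fmt.Fprintln(tc, selectService(tc.ConnectionState().PeerCertificates, roots))
}

// probe plays a client, with or without a certificate, over an in-memory pipe (no sockets)
// and returns the banner it is shown, or a description of the handshake failure.
func probe(host tls.Certificate, roots *x509.CertPool, client *tls.Certificate) string {
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	go serveOnce(serverSide, host, roots)
	cfg := &tls.Config{RootCAs: roots, ServerName: "host", MinVersion: tls.VersionTLS12}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	var svc string
	if _, err := fmt.Fscanln(tls.Client(clientSide, cfg), &svc); err != nil {
		return "handshake error: " + err.Error()
	}
	return svc
}

// scenarios shows the same port to four clients and reports what each one saw.
func scenarios() map[string]string {
	ca := makeCert("demo-ca", nil, true)
	host, ops, guest := makeCert("host", &ca, false), makeCert("ops-client", &ca, false), makeCert("guest", &ca, false)
	rogue := makeCert("ops-client", nil, true) // right identifier, untrusted issuer
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	out := map[string]string{}
	for name, c := range map[string]*tls.Certificate{"anonymous": nil, "ops": &ops, "guest": &guest, "rogue": &rogue} {
		out[name] = probe(host, roots, c)
	}
	return out
}

func main() { fmt.Println(scenarios()) }
```

Running it prints a map from client name to the service served: anonymous (no certificate), guest (valid certificate, identifier not in the table) and rogue (self-signed certificate carrying the authorized name) all see public-web; only ops sees admin-console. Two design points matter. The host uses RequestClientCert and verifies the chain itself rather than letting RequireAndVerifyClientCert reject at the TLS layer, because a TLS-layer rejection ends the connection and shows that the port treats clients differently, whereas the claims call for the fallback service. And authorizing on a CN is sound only because the issuing CA is private and controls which names it signs; a deployment should verify against that specific issuer, as done here, and key the table on an identity the CA actually governs.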

Assignees

Akamai Tech Inc

Classifications (CPC titles)

  • H04L63/166 (primary): at the transport layer

  • involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823)

  • Virtual private networks

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload

  • using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263)

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11870809B2 cover?
Typically, clients request a service from a computer hosting multiple services by specifying a destination port number associated with the desired service. In embodiments, the functionality of such a host computer is enhanced by having it condition client access to services available at a particular port number based on client authentication and/or authorization. A host computer can change the …
Who is the assignee on this patent?
Akamai Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/166. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 9, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).