Secure session capability using public-key cryptography without access to the private key

US9385864B2 · US · B2

Patent metadata
Field: Value
Publication number: US-9385864-B2
Application number: US-201514630585-A
Country: US
Kind code: B2
Filing date: Feb 24, 2015
Priority date: Apr 8, 2014
Publication date: Jul 5, 2016
Grant date: Jul 5, 2016

Abstract

Official abstract text for this publication.

A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.
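The key split the abstract describes, as an added sketch that is not code from the patent or its assignee: a key server holds the signing key and the Diffie-Hellman secret, while the relaying server ends up holding only the session keys. The names (`KeyServer`, `run_handshake`), the toy-sized constructed parameters, textbook RSA signing, and the use of the TLS 1.2 PRF for key derivation are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Constructed toy parameters (Mersenne primes); far too small for real use.
DH_P, DH_G = 2**127 - 1, 3
RSA_P, RSA_Q, RSA_E = 2**89 - 1, 2**107 - 1, 65537
RSA_N = RSA_P * RSA_Q

def prf(secret, label, seed, n):
    """TLS 1.2 P_SHA256 expansion (assumed; the abstract names no function)."""
    seed, out = label + seed, b""
    a = seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def params_digest(cr, sr, ys):
    """Hash of the randoms and the server DH value, reduced for toy RSA."""
    h = hashlib.sha256(cr + sr + ys.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % RSA_N

def derive_keys(premaster, cr, sr):
    master = prf(premaster.to_bytes(16, "big"), b"master secret", cr + sr, 48)
    return prf(master, b"key expansion", sr + cr, 64)

class KeyServer:
    """The 'different server': sole holder of the signing key and DH secret."""
    def __init__(self):
        self._d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
        self._x = secrets.randbelow(DH_P - 3) + 2
        self.server_random = secrets.token_bytes(32)
    def server_key_exchange(self, cr):
        ys = pow(DH_G, self._x, DH_P)
        return ys, pow(params_digest(cr, self.server_random, ys), self._d, RSA_N)
    def session_keys(self, yc, cr):
        return derive_keys(pow(yc, self._x, DH_P), cr, self.server_random)

def run_handshake():
    """Edge server relays every message; returns what each party ends up with."""
    ks, edge = KeyServer(), {}
    cr, xc = secrets.token_bytes(32), secrets.randbelow(DH_P - 3) + 2  # client side
    sr = ks.server_random                           # Server Hello, relayed by edge
    ys, sig = ks.server_key_exchange(cr)            # signed params, relayed by edge
    sig_ok = pow(sig, RSA_E, RSA_N) == params_digest(cr, sr, ys)  # client check
    yc = pow(DH_G, xc, DH_P)                        # Client Key Exchange, relayed
    edge["session_keys"] = ks.session_keys(yc, cr)  # all the edge ever receives
    client_keys = derive_keys(pow(ys, xc, DH_P), cr, sr)
    return sig_ok, client_keys, edge
```

The edge state contains the derived session keys but neither the signing exponent nor the Diffie-Hellman secret, so a compromise of the relaying server exposes individual sessions rather than the certificate's private key.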

First claim

Opening claim text (preview).

What is claimed is:

1. A method in a first server for establishing a secure session with a client device, the method comprising:
    receiving a Client Hello message from the client device and transmitting the Client Hello message to a second server;
    receiving, from the second server, a Server Hello message in response to the Client Hello message and transmitting the Server Hello message to the client device;
    receiving, from the second server, a Certificate message that includes a digital certificate and transmitting the Certificate message to the client device;
    receiving, from the second server, a Server Key Exchange message that includes a set of cryptographic parameters that is signed using a private key stored on the second server and not available on the first server and transmitting the Server Key Exchange message to the client device, wherein the set of cryptographic parameters are to be used by the client device when generating a premaster secret and include a Diffie-Hellman public value selected by the second server;
    receiving, from the second server, a Server Hello Done message and transmitting the Server Hello Done message to the client device;
    receiving, from the client device, a Client Key Exchange message that includes a Diffie-Hellman public value selected by the client device and transmitting the Client Key Exchange message to the second server;
    receiving, from the second server, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server that were generated at least using a master secret that is generated using a premaster secret that is generated using the Diffie-Hellman public value selected by the client device and the Diffie-Hellman public value selected by the second server;
    receiving, from the client device, a first Change Cipher Spec message that indicates that future messages sent from the client device will be encrypted;
    receiving, from the client device, a first Finished message that is encrypted according to the session keys;
    transmitting, to the client device, a second Change Cipher Spec message that indicates that future messages sent to the client device will be encrypted; and
    transmitting, to the client device, a second Finished message that is encrypted according to the session keys.

2. The method of claim 1, wherein the first server and the second server are owned or operated by different entities.

3. The method of claim 1, wherein at least the Server Key Exchange message and the set of one or more session keys are received from the second server over a secure session between the first server and the second server.

4. The method of claim 1, further comprising:
    after transmitting the second Finished message to the client device, receiving from the client device a request for a resource over the secure session, wherein the request is encrypted;
    decrypting, using the set of session keys, the request for the resource;
    transmitting the request for the resource to a third server;
    receiving the resource from the third server in response to the request;
    generating an encrypted response that includes the received resource, wherein the encrypted response is encrypted with the set of session keys; and
    transmitting the encrypted response to the client device.

5. The method of claim 4, wherein the second server and the third server are the same server.

6. The method of claim 1, further comprising:
    receiving, from the second server, the master secret;
    verifying information in the first Finished message including, calculating a first value using a function that takes as input at least the master secret and a hash of the Client Hello message, Server Hello message, Certificate message, Server Key Exchange message, Server Hello Done message, Client Key Exchange message, and first Change Cipher Spec message, and comparing the calculated first value with a second value included in the first Finished message, wherein a same first value and second value indicates a successful key exchange;
    calculating a third value using a function that takes as input at least the master secret and a hash of the Client Hello message, Server Hello message, Certificate message, Server Key Exchange message, Server Hello Done message, Client Key Exchange message, first Change Cipher Spec message, first Finished message, and second Change Cipher Spec message; and
    including the third value in the second Finished message.

7. The method of claim 1, further comprising:
    transmitting, to the second server, the first Change Cipher Spec message and the first Finished message; and
    receiving, from the second server, the second Change Cipher Spec message and the second Finished message.

8. A non-transitory computer-readable medium storing instructions, which when executed by a set of one or more processors of a first server, cause the set of processors to perform operations comprising:
    receiving a Client Hello message from a client device and transmitting the Client Hello message to a second server;
    receiving, from the second server, a Server Hello message in response to the Client Hello message and transmitting the Server Hello message to the client device;
    receiving, from the second server, a Certificate message that includes a digital certificate and transmitting the Certificate message to the client device;
    receiving, from the second server, a Server Key Exchange message that includes a set of cryptographic parameters that is signed using a private key stored on the second server and not available on the first server and transmitting the Server Key Exchange message to the client device, wherein the set of cryptographic parameters are to be used by the client device when generating a premaster secret and include a Diffie-Hellman public value selected by the second server;
    receiving, from the second server, a Server Hello Done message and transmitting the Server Hello Done message to the client device;
    receiving, from the client device, a Client Key Exchange message that includes a Diffie-Hellman public value selected by the client device and transmitting the Client Key Exchange message to the second server;
    receiving, from the second server, a set of one or more session keys to be used in a secure session for encrypting and decrypting communication between the client device and the first server that were generated at least using a master secret that is generated using a premaster secret that is generated using the Diffie-Hellman public value selected by the client device and the Diffie-Hellman public value selected by the second server;
    receiving, from the client device, a first Change Cipher Spec message that indicates that future messages sent from the client device will be encrypted;
    receiving, from the client device, a first Finished message that is encrypted according to the session keys;
    transmitting, to the client device, a second Change Cipher Spec message that indicates that future messages sent to the client device will be encrypted; and
    transmitting, to the client device, a second Finished message that is encrypted according to the session keys.

9. The non-transitory computer-readable medium of claim 8, wherein the first server and the second server are owned or operated by different entities.

10. The non-transitory computer-readable medium of claim 8, wherein at least the Server Key Exchange message and the set of one or more session keys are received from the second server over a secure session between the first server and the second server.

11. The non-transitory computer-readable medium of claim 8, further storing instructions that, when executed by the s

Classifications

  • involving a third party or a trusted authority · CPC title

  • for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838) · CPC title

  • H04L9/0844 · Primary

    with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys · CPC title

  • using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] · CPC title

  • at the transport layer · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Cloudflare Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/0844. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 5, 2016 (B2). Legal status and post-grant events are not shown on this page.