Systems and methods for utilizing client side authentication to select services available at a given port number

US9838428B1 · US · B1

Patent metadata

Publication number: US-9838428-B1
Application number: US-201715496439-A
Country: US
Kind code: B1
Filing date: Apr 25, 2017
Priority date: Oct 14, 2016
Publication date: Dec 5, 2017
Grant date: Dec 5, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Typically, clients request a service from a computer hosting multiple services by specifying a destination port number associated with the desired service. In embodiments, the functionality of such a host computer is enhanced by having it condition client access to services available at a particular port number based on client authentication and/or authorization. A host computer can change the service(s) available at a given port number on a client by client basis, enabling access to service(s) for trusted clients unavailable to untrusted clients. Preferably, client trust is based on client authentication via a certificate and a valid, signed transport layer security (TLS) handshake (or similar mechanism in other protocol contexts). In some embodiments, an authorization step can be added following authentication. The systems and methods disclosed herein find wide uses in bundling services on ports, as well as protecting access to services from untrusted and/or malicious clients, among others.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method performed by a host computer, the host computer comprising circuitry forming at least one processor and memory storing computer instructions for execution by the at least one processor to provide (i) a plurality of services to clients, the plurality of services including a first service and a second service, and to provide (ii) an operating system that manages network traffic between clients and the host computer, the network traffic comprising transport layer protocol messages, the method comprising: receiving a first set of one or more transport layer messages from a first client specifying a particular destination port number; in response to the first set of one or more transport layer messages, executing a first transport layer security (TLS) protocol handshake with the first client, wherein said first TLS handshake comprises the host computer sending a first certificate request to the first client; determining whether the first service is available to the client via the particular destination port number, said determination being based at least in part on: (a) the first client responding to the first certificate request with a first certificate with a non-zero content length, (b) completion of the first TLS handshake as a valid and signed TLS handshake, and (c) an association between the first certificate and the first service, the association being stored in the memory of the host computer; upon a determination that the first service is available to the client via the particular destination port number, responding to one or more first client requests for the first service by providing the first service, wherein providing the first service comprises sending the first client one or more application layer messages within one or more transport layer messages with a source port number that is the same as the particular destination port number; upon a determination that the first service is not available to the client via the particular destination port number, responding to one or more first client requests for the first service with any of: an error message and no response; responding to one or more first client requests for the second service with any of: an error message and no response; receiving a second set of one or more transport layer messages from a second client specifying the particular destination port number; in response to the second set of one or more transport layer messages, executing a second transport layer security (TLS) protocol handshake with the second client, wherein said second TLS handshake comprises the host computer sending a second certificate request the second client; determining whether the second service is available to the second client via the particular destination port number, said determination being based at least in part on: (d) the second client responding to the second certificate request with a second certificate with a non-zero content length, (e) completion of the second TLS handshake as a valid and signed TLS handshake, and (f) an association between the second certificate and the second service, the association being stored in the memory of the host computer; upon a determination that the second service is available to the second client via the particular destination port number, responding to one or more second client requests for the second service by providing the second service, wherein providing the second service comprises sending the second client one or more application layer messages within one or more transport layer messages with a source port number that is the same as the particular destination port number; upon a determination that the second service is not available to the second client via the particular destination port number, responding to one or more second client requests for the second service with any of: an error message and no response.

2. The method of claim 1, wherein each of the first and second services is an enterprise service.

3. The method of claim 2, wherein an enterprise service comprises any of: a VPN service, an IMAP service, an XMPP service, and a Chat service.

4. The method of claim 1, wherein the particular destination port number is any of: a well-known port for a third service and a registered port for a third service.

5. The method of claim 1, wherein the determination of whether the first service is available to the first client via the particular destination port number further comprises: a determination by the host computer to trust a signing authority for the certificate, and a determination that the first client responded to the first certificate request with a valid certificate.

6. The method of claim 1, wherein the determination of whether the second service is available to the second client via the particular destination port number further comprises: a determination by the host computer to trust a signing authority for the certificate, and a determination that the second client responded to the second certificate request with a valid certificate.

7. An apparatus, comprising: a host computer comprising circuitry forming a processor and memory storing computer instructions for execution by the at least one processor to provide (i) a plurality of services to clients, the plurality of services including a first service and a second service, and to provide (ii) an operating system that manages network communication traffic between clients and the host computer, the network communication traffic comprising transport layer protocol messages, the computer instructions comprising instructions that when executed cause the host computer to: receive a first set of one or more transport layer messages from a first client specifying a particular destination port number; in response to the first set of one or more transport layer messages, execute a first transport layer security (TLS) protocol handshake with the first client, wherein said first TLS handshake comprises the host computer sending a first certificate request to the first client; determine whether the first service is available to the client via the particular destination port number, said determination being based at least in part on: (a) the first client responding to the first certificate request with a first certificate with a non-zero content length, (b) completion of the first TLS handshake as a valid and signed TLS handshake, and (c) an association between the first certificate and the first service, the association being stored in the memory of the host computer; upon a determination that the first service is available to the client via the particular destination port number, responding to one or more first client requests for the first service by providing the first service, wherein providing the first service comprises sending the first client one or more application layer messages within one or more transport layer messages with a source port number that is the same as the particular destination port number; upon a determination that the first service is not available to the client via the particular destination port number, responding to one or more first client requests for the first service with any of: an error message and no response; respond to one or more first client requests for the second service with any of: an error message and no response; receive a second set of one or more transport layer messages from a second client specifying the particular destination port number; in response to the second set of one or more transport layer messages, execute a second transport layer security (TLS) protocol handshake with the second client, wherein said second TLS handshake comprises the host computer sending a second certificate request the second cli
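
The handshake-gated dispatch that the abstract and claim 1 describe, as an added example (this is not Akamai's code and is not taken from the patent): a Go host listens on one loopback port, sends a CertificateRequest to every client, completes the handshake with or without a client certificate, aborts it when the certificate's issuer is not one the host trusts (the claim 5 check), and then looks the presented certificate up in an in-memory table to decide which service, if any, this client gets on that port. The throwaway CA, the service names "VPN" and "IMAP", the client names and the one-line request/reply protocol are all assumptions made for the demonstration.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a short-lived P-256 certificate for cn signed by parent, or a self-signed CA when parent is the zero value (throwaway PKI assumed for the demo, not Akamai's).
func issue(cn string, parent tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if parent.Leaf == nil { // no parent: make this a self-signed root that may sign others, with no EKU restriction
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent = tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Host is the multi-service computer of claim 1; services is the in-memory association between a client
// certificate (keyed by SHA-256 fingerprint) and the single service it unlocks on the shared port.
type Host struct{ services map[[32]byte]string }

// selectService returns the service a completed handshake unlocks, or "" when the client answered the
// CertificateRequest with an empty Certificate message or with a certificate that has no association.
// A certificate from an untrusted issuer never gets this far: VerifyClientCertIfGiven fails the handshake.
func (h *Host) selectService(st tls.ConnectionState) string {
	if !st.HandshakeComplete || len(st.PeerCertificates) == 0 {
		return ""
	}
	return h.services[sha256.Sum256(st.PeerCertificates[0].Raw)]
}

// serve handles one connection: a service reply for a trusted client, an error line for anyone else.
func (h *Host) serve(c *tls.Conn) {
	defer c.Close()
	req, err := bufio.NewReader(c).ReadString('\n') // the first Read performs the TLS handshake
	if err != nil {
		return // handshake failed (e.g. invalid client certificate) or the client left: no response at all
	}
	if svc := h.selectService(c.ConnectionState()); svc != "" {
		fmt.Fprintf(c, "%s: %s", svc, req) // req still ends with its newline
	} else {
		fmt.Fprint(c, "ERROR: no service available on this port\n")
	}
}

// Exchange connects to addr, offers cert (an empty tls.Certificate means none), sends one request line and returns the reply line.
func Exchange(addr string, roots *x509.CertPool, cert *tls.Certificate, req string) (string, error) {
	offer := func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return cert, nil } // unconditionally, as a hostile client would, even if the server's CA list excludes it
	c, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: "localhost", GetClientCertificate: offer})
	if err != nil {
		return "", err
	}
	defer c.Close()
	fmt.Fprintln(c, req)
	return bufio.NewReader(c).ReadString('\n')
}

// NewDemo starts a host on one loopback port with two clients bound to the assumed services "VPN" and "IMAP"
// plus a client from a CA the host does not trust, and returns the address, the root pool and the clients.
func NewDemo() (addr string, roots *x509.CertPool, clients map[string]*tls.Certificate) {
	ca := issue("example-corp-ca", tls.Certificate{})
	vpn, imap, mallory := issue("alice-vpn", ca), issue("bob-mail", ca), issue("mallory", issue("unrelated-ca", tls.Certificate{}))
	roots = x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	host := &Host{services: map[[32]byte]string{sha256.Sum256(vpn.Leaf.Raw): "VPN", sha256.Sum256(imap.Leaf.Raw): "IMAP"}}
	// VerifyClientCertIfGiven: always send a CertificateRequest, tolerate an empty answer, reject an invalid certificate.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{issue("localhost", ca)}, ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: roots})
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go host.serve(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), roots, map[string]*tls.Certificate{"alice-vpn": &vpn, "bob-mail": &imap, "none": {}, "mallory": &mallory}
}
```

NewDemo starts the host and hands back the four clients; Exchange plays one of them, so alice-vpn gets "VPN: HELLO", bob-mail gets "IMAP: HELLO", the anonymous client gets the error line, and mallory gets no application-layer response at all. Two details matter in practice: the client offers its certificate through GetClientCertificate rather than Certificates, because a Go client that honours the server's acceptable-CA list would silently send an empty Certificate message for mallory and never exercise the untrusted-issuer path that claim 5 covers; and under TLS 1.3 that rejection surfaces on the client's first read rather than on Dial, since the client's half of the handshake completes before the server has verified the certificate.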

Assignees

Akamai Tech Inc
Inventors

Classifications

  • H04L63/166 (primary): at the transport layer

  • involving adaptations of sockets based mechanisms (secure socket layer H04L63/168)

  • Interlayer communication protocols or service data unit [SDU] definitions; Interfaces between layers

  • Definitions, standards or architectural aspects of layered protocol stacks

  • involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823)

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9838428B1 cover?
Typically, clients request a service from a computer hosting multiple services by specifying a destination port number associated with the desired service. In embodiments, the functionality of such a host computer is enhanced by having it condition client access to services available at a particular port number based on client authentication and/or authorization. A host computer can change the …
Who is the assignee on this patent?
Akamai Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/166, which sits in CPC section H (Electricity).
When was this patent published?
Publication date Dec 5, 2017 (kind code B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).