Systems and methods for computer digital certificate management and analysis
US-9531705-B1 · Dec 27, 2016 · US
US9923923B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9923923-B1 |
| Application number | US-201514720625-A |
| Country | US |
| Kind code | B1 |
| Filing date | May 22, 2015 |
| Priority date | Sep 10, 2014 |
| Publication date | Mar 20, 2018 |
| Grant date | Mar 20, 2018 |
Official abstract text for this publication.
Cipher suites and/or other parameters for cryptographic protection of communications are dynamically selected to more closely match the intended uses of the sessions. A server selects and/or determines, for a cryptographically protected communications session, a plurality of supported cipher suites that may be used for communications with the server over an established protected communications session. A selected cipher suite may be one selected from a plurality of acceptable cipher suites provided to the server, either implicitly or explicitly. The selection of a cipher suite may further require that the cipher suite be mutually acceptable to the server and one or more parties participating in the cryptographically protected communications session, such as a client.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method comprising: receiving, from a client computer system, a message to perform a handshake process to establish a cryptographically protected communications session, the message specifying: a first list of cipher suites supported by the client computer system for receiving, via the cryptographically protected communications session, messages; and a second list of cipher suites supported by the client computer system for transmitting, via the cryptographically protected communications session, messages; obtaining: a third list of cipher suites supported for transmitting, via the cryptographically protected communications session, messages, the third list being different from the first list; and a fourth list of cipher suites supported for receiving, via the cryptographically protected communications session, messages, the fourth list being different from the second list; selecting a first cipher suite for transmitting messages to the client computer system via the cryptographically protected communication session, the first cipher suite being a member of the first list and a member of the third list, wherein the first cipher suite for transmitting messages to the client computer system via the cryptographically protected communication session is different from a second cipher suite; selecting the second cipher suite for receiving messages from the client computer system via the cryptographically protected communication session, the second cipher suite being a member of the second list and a member of the fourth list; and completing the handshake process to establish the cryptographically protected communications session such that the cryptographically protected communications session utilizes the first cipher suite for transmissions to the client computer system and utilizes the second selected cipher suite for receiving transmissions from the client computer system.

2. The computer-implemented method of claim 1, wherein the cryptographically protected communications session comprises at least 70 percent of the messages in accordance with Transport Layer Security version 1.2.

3. The computer-implemented method of claim 1, wherein communications according to the first cipher suite are encrypted and communications according to the second cipher suite are unencrypted.

4. The computer-implemented method of claim 1, wherein: the first list of cipher suites is ordered by a first ranking and the second list of cipher suites is ordered by a second ranking; selecting the first cipher suite is based at least in part on the first ranking; and selecting the second cipher suite is based at least in part on the second ranking.

5. The computer-implemented method of claim 1, wherein selecting the first cipher suite and the second cipher suite is based at least in part on metadata of a connection with the client computer system.

6. A system, comprising memory storing computer-executable instructions that, as a result of being performed by one or more processors, cause the system to at least: receive, from a client computer system, a message to perform a handshake process to establish a cryptographically protected communications session, the message specifying: a first list of cipher suites supported by the client computer system for receiving, via the cryptographically protected communications session, messages; and a second list of cipher suites supported by the client computer system for transmitting, via the cryptographically protected communications session, messages; obtain: a third list of cipher suites supported for transmitting, via the cryptographically protected communications session, messages, the third list being different from the first list; and a fourth list of cipher suites supported for receiving, via the cryptographically protected communications session, messages, the fourth list being different from the second list; select a first cipher suite for transmitting messages to the client computer system via the cryptographically protected communication session, the first cipher suite being a member of the first list and a member of the third list, wherein the first cipher suite for transmitting messages to the client computer system via the cryptographically protected communication session is different from a second cipher suite; select the second cipher suite for receiving messages from the client computer system via the cryptographically protected communication session, the second cipher suite being a member of the second list and a member of the fourth list; and complete the handshake process to establish the cryptographically protected communications session such that the cryptographically protected communications session utilizes the first cipher suite for transmissions to the client computer system and utilizes the second cipher suite for receiving transmissions from the client computer system.

7. The system of claim 6, wherein the system communicates over the cryptographically protected communications session such that a set of data communicated over the cryptographically protected communications session is cryptographically protected according to a third cipher suite.

8. The system of claim 6, wherein: the message includes a first set of data and a second set of data; the first cipher suite is associated with a first use context; the second cipher suite is associated with a second use context; and the first set of data is transmitted in the first use context and the second set of data is transmitted in the second use context.

9. The system of claim 6, wherein the system selects the first cipher suite and the second cipher suite based at least in part on metadata of a connection with the client computer system.

10. The system of claim 9, wherein the metadata includes a geolocation.

11. The system of claim 9, wherein the metadata includes a connection latency value.

12. The system of claim 9, wherein the metadata includes a connection bandwidth.

13. The system of claim 6, wherein the at least one computing device is further configured to: receive a request; determine a first security level for a first part of the request; determine a second security level for a second part of the request; and wherein the first cipher suite is determined based at least in part on the first part of the request and the second cipher suite is determined based at least in part on the second part of the request.

14. The system of claim 6, wherein the handshake process results in an indexed set of cipher suites and individual records of the cryptographically protected communications session are configured to indicate which of the indexed set of cipher suites is being used.

15. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least: receive, from a client computer system, a message to perform a handshake process to establish a cryptographically protected communications session, the message specifying: a first list of cipher suites supported by the client computer system for receiving, via the cryptographically protected communications session, messages; and a second list of cipher suites supported by the client computer system for transmitting, via the cryptographically protected communications session, messages; obtain: a third list of cipher suites supported for transmitting, via the cryptographically protected communications session, messages, the third list being different from
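The per-direction selection that claims 1, 4 and 14 describe, as an added illustration (not code from the patent or its assignee): each direction is negotiated by intersecting the client's ranked list for that direction with the server's list for the opposite direction, the result is exposed as an indexed set, and a server-side policy check refuses the unencrypted direction that claim 3 permits unless the deployment has opted in. The suite names are constructed placeholders, not IANA cipher suite names.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed cipher suite names for illustration only; they are not IANA names.
# A name containing "NULL" stands for a suite that provides no encryption, which
# claim 3 allows for one direction of the session.

@dataclass(frozen=True)
class DirectionalSelection:
    server_to_client: str   # claim 1's "first cipher suite"
    client_to_server: str   # claim 1's "second cipher suite"

    def indexed(self) -> dict[int, str]:
        # Claim 14: an indexed set, so each record can name its suite by index.
        return {0: self.server_to_client, 1: self.client_to_server}

def pick(preferred: list[str], acceptable: set[str]) -> Optional[str]:
    """Highest-ranked entry of `preferred` (client ranking, claim 4) that the
    server also accepts, or None when the two lists do not intersect."""
    for suite in preferred:
        if suite in acceptable:
            return suite
    return None

def negotiate(client_recv: list[str], client_send: list[str],
              server_send: list[str], server_recv: list[str]) -> Optional[DirectionalSelection]:
    """Negotiate each direction separately: the client's receive list against the
    server's transmit list, and the client's transmit list against the server's
    receive list.  Returns None if either direction has no common suite."""
    s2c = pick(client_recv, set(server_send))
    c2s = pick(client_send, set(server_recv))
    if s2c is None or c2s is None:
        return None
    return DirectionalSelection(s2c, c2s)

def policy_ok(sel: DirectionalSelection, allow_unencrypted: bool = False) -> bool:
    """Server-side guard: a permissive client list must not silently leave one
    direction unencrypted; a NULL suite is accepted only by explicit opt-in."""
    if allow_unencrypted:
        return True
    return not any("NULL" in s for s in (sel.server_to_client, sel.client_to_server))
```

Because the two directions are negotiated independently, a deployment should log both selected suites per session; a single "negotiated cipher" field hides a downgraded direction.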
using a plurality of keys or algorithms · CPC title
for providing a confidential data exchange among entities communicating through data packet networks · CPC title
involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24) · CPC title
at the transport layer · CPC title
including means for verifying the identity or authority of a user of the system {or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials} · CPC title