IPC classification information
Country / type | United States (US) Patent, granted
International Patent Classification (IPC 7th ed.) |
Application number | US-0176574 (2011-07-05)
Registration number | US-8407771 (2013-03-26)
Inventors / address |
- Hughes, John R.
- Masters, Richard Roderick
- Gilde, Robert George
Applicant / address |
Attorney / address | Frommer Lawrence & Haug LLP
Citation information | Cited by: 2 | Patents cited: 131
Abstract
A system and method for providing persistence in a secure network access by using a client certificate sent by a client device to maintain the identity of a target. A security handshake is performed with a client device to establish a secure session. A target is determined. A client certificate is associated with the target. During subsequent secure sessions, the client certificate is used to maintain persistent communications between the client and a target. A session ID can be used in combination with the client certificate, by identifying the target based on the session ID or the client certificate, depending on which one is available in a client message.
Representative claims
1. An apparatus, comprising: one or more memory devices for storing executable instructions; and one or more processors operable to execute the executable instructions to perform actions, comprising: receiving client messages from a plurality of clients and distributing the client messages among a plurality of servers; performing a first security handshake with one of the plurality of clients, the first security handshake including a first identifying data comprising a first client certificate, wherein the first security handshake is a Secure Socket Layer (SSL) handshake; associating the one of the plurality of clients with a target server; performing a second security handshake with an other one of the plurality of clients, wherein the second security handshake includes a second identifying data comprising a second client certificate, wherein the second security handshake is an SSL handshake, and the first security handshake establishes a first secure communication session, and the second security handshake establishes a second secure communications session; and identifying the target server based on the second client certificate, wherein the second client certificate includes a public key security certificate.
2. The apparatus of claim 1, wherein the one of the plurality of clients and the other one of the plurality of clients are different clients in the plurality of clients, and the first client certificate is transferred between the clients using a removable smart card, the first client certificate being usable as the second client certificate.
3. The apparatus of claim 1, wherein the one or more processors are operable to execute actions, further comprising storing data indicating a mapping between at least one of the first or the second client certificates and a session Identifier (ID).
4. The apparatus of claim 1, wherein the apparatus further comprises: an SSL proxy executing within at least one of the processors, the SSL proxy being configured to receive the client messages, and to perform the first and the second security handshakes; and a persistence engine executing within at least one of the processors and being configured to receive decrypted client messages from the SSL proxy, maintain persistent connections with the target server, and to send messages to the target server.
5. The apparatus of claim 1, wherein the apparatus further comprises: an incoming SSL proxy executing within at least one of the processors and configured to receive the client messages, and to perform the first and the second security handshakes, and to send the client messages to a persistence engine, wherein the persistence engine executes within at least one of the processors and is configured to receive decrypted client messages from the SSL proxy and maintain persistent connections with the target server; and an outgoing SSL proxy executing within at least one of the processors and being configured to receive the client messages from the persistence engine, establish SSL sessions with the target server, encrypt the client messages, and to send the encrypted client messages to the target server.
6. The apparatus of claim 1, wherein the apparatus further comprises: an SSL proxy executing within at least one of the processors, the SSL proxy being configured to perform the first and the second security handshakes; and a persistence engine executing within at least one of the processors and configured to associate the one of the plurality of clients with the target server, and to identify the target server based on the second client certificate.
7. The apparatus of claim 1, wherein the second secure communication session is directed towards resuming the first secure communication session, and wherein a session Identifier (ID) is provided in the second identifying data for use in establishing the second secure communication session.
8. The apparatus of claim 1, wherein the one or more processors are operable to execute actions, further comprising: performing a third security handshake with the one of the plurality of clients, the third security handshake including at least one of a third client certificate or a session identifier; and identifying the target server using the third client certificate when the third security handshake does not include a session identifier, else identifying the target server using the session identifier when the third security handshake does not include the third client certificate.
9. A method of maintaining a communication with a client device on a network having a plurality of targets, comprising: receiving client messages from a plurality of clients and distributing the client messages among a plurality of servers; performing a first security handshake with one of the plurality of clients, the first security handshake including a first identifying data that includes one of a first client certificate or a session Identifier (ID), wherein the first security handshake is a Secure Socket Layer (SSL) handshake; associating the one of the plurality of clients with a target server; performing a second security handshake with an other one of the plurality of clients, wherein the second security handshake includes a second identifying data, wherein the second security handshake is an SSL handshake, and the first security handshake establishes a first secure communication session, and the second security handshake establishes a second secure communications session; and identifying the target server based on the second identifying data, wherein the second identifying data includes one of a second client certificate or the session ID.
10. The method of claim 9, wherein the one of the plurality of clients and the other one of the plurality of clients are different clients in the plurality of clients, and the first client certificate is transferred between the clients using a removable smart card, the first client certificate being usable as the second client certificate.
11. The method of claim 9, the method further comprising storing data indicating a mapping between at least one of the first or the second client certificates and the session ID.
12. The method of claim 9, wherein the second secure communication session is directed towards resuming the first secure communication session, and wherein a session Identifier (ID) is provided in the second identifying data for use in establishing the second secure communication session.
13. The method of claim 9, wherein the method further comprises: performing a third security handshake with the one of the plurality of clients, the third security handshake including at least one of a third client certificate or the session ID; and identifying the target server using the third client certificate when the third security handshake does not include the session ID, else identifying the target server using the session ID when the third security handshake does not include the third client certificate.
14. The method of claim 9, wherein the method is operable within one or more processors, the one or more processors having an SSL proxy and a persistence engine for performing the steps of method 9.
15. The method of claim 14, wherein one of the SSL proxy or the persistence engine is configured to receive the client messages and to provide the client messages to the other of the persistence engine or the SSL proxy.
16. A non-transitory computer-readable storage device having stored thereon computer-executable instructions that, when installed on a computing device having one or more processors, perform actions, comprising: receiving client messages from a plurality of clients and distributing the client messages among a plurality of servers; performing a first security handshake with one of the plurality of clients, the first security handshake including a first identifying data comprising a first client certificate, wherein the first security handshake is a Secure Socket Layer (SSL) handshake; associating the one of the plurality of clients with a target server; performing a second security handshake with an other one of the plurality of clients, wherein the second security handshake includes a second identifying data comprising a second client certificate, wherein the second security handshake is an SSL handshake, and the first security handshake establishes a first secure communication session, and the second security handshake establishes a second secure communications session; and identifying the target server based on the second client certificate, wherein the second client certificate includes a public key security certificate.
17. The non-transitory computer-readable storage device of claim 16, wherein the one of the plurality of clients and the other one of the plurality of clients are different clients in the plurality of clients, and the first client certificate is transferred between the clients using a smart card, the first client certificate being usable at least in part as the second client certificate.
18. The non-transitory computer-readable storage device of claim 16, wherein the actions further comprise storing data indicating a mapping between at least one of the first or the second client certificates and a session Identifier (ID).
19. The non-transitory computer-readable storage device of claim 16, wherein the actions are performed by at least one of an SSL proxy or a persistence engine, wherein: the SSL proxy is configured to receive the client messages, and to perform the first and the second security handshakes; and the persistence engine is configured to receive decrypted client messages from the SSL proxy, maintain persistent connections with the target server, and to send messages to the target server.
20. The non-transitory computer-readable storage device of claim 16, wherein the actions are performed by at least one of an SSL proxy or a persistence engine, wherein: the SSL proxy is configured to perform the first and the second security handshakes; and the persistence engine is configured to associate the one of the plurality of clients with the target server, and to identify the target server based on the second client certificate.
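The persistence logic the abstract and claims 3, 8 and 13 describe, as an added example written for this record (not code from the patent): an SSL proxy hands the persistence engine whatever identifier the handshake carried, and the engine keys its target-server table on a certificate fingerprint, on the session ID, or on both. The server pool, the fingerprint function and the sample certificate bytes are assumptions constructed for the example.

```python
import hashlib


class PersistenceEngine:
    """Picks a target server for a client and keeps its later sessions on it.

    Identity is whatever the SSL proxy extracted from the handshake: a client
    certificate (full handshake) and/or a session ID (resumption). The proxy is
    assumed to have validated the certificate chain already; only a verified
    certificate should ever reach this table, otherwise any presented cert
    could steer traffic.
    """

    def __init__(self, servers):
        self.servers = list(servers)  # assumed pool of back-end target servers
        self.by_cert = {}             # cert fingerprint -> target server
        self.by_session = {}          # session ID -> target server (claim 3 mapping)
        self._rr = 0                  # round-robin cursor for clients seen first time

    @staticmethod
    def fingerprint(cert_der):
        # Key on a digest of the DER bytes rather than on the raw certificate.
        return hashlib.sha256(cert_der).hexdigest()

    def select_target(self, cert_der=None, session_id=None):
        """Return the target for a handshake carrying a cert, a session ID, or both."""
        fp = self.fingerprint(cert_der) if cert_der is not None else None
        target = None
        # Claims 8 and 13: identify by session ID when present, else by certificate.
        if session_id is not None:
            target = self.by_session.get(session_id)
        if target is None and fp is not None:
            target = self.by_cert.get(fp)
        if target is None:
            # First sight of this client: distribute, then remember the choice.
            target = self.servers[self._rr % len(self.servers)]
            self._rr += 1
        # Record every identifier seen so either one finds the target next time.
        if fp is not None:
            self.by_cert[fp] = target
        if session_id is not None:
            self.by_session[session_id] = target
        return target


def demo():
    """Constructed walk-through: two servers, two clients with made-up DER bytes."""
    engine = PersistenceEngine(["app-1", "app-2"])
    cert_a, cert_b = b"\x30\x82constructed-cert-A", b"\x30\x82constructed-cert-B"
    first = engine.select_target(cert_der=cert_a, session_id=b"s1")    # full handshake
    other = engine.select_target(cert_der=cert_b, session_id=b"s2")    # a different client
    resumed = engine.select_target(session_id=b"s1")                   # resumption: ID only
    renewed = engine.select_target(cert_der=cert_a, session_id=b"s3")  # new session, same cert
    moved = engine.select_target(cert_der=cert_a, session_id=b"s4")    # cert moved by smart card
    return first, other, resumed, renewed, moved
```

`demo()` returns the target chosen for each handshake; every session that presents client A's certificate or one of its recorded session IDs lands on the same server.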