IPC classification information
Country / type: United States (US) Patent, Granted
International Patent Classification (IPC 7th ed.):
Application number: US-0489414 (2006-07-18)
Registration number: US-8613071 (2013-12-17)
Inventors / address:
- Day, Mark Stuart
- Larsen, Case
- Merugu, Shashidhar
Applicant / address:
- Riverbed Technology, Inc.
Agent / address: Park, Vaughan, Fleming & Dowler LLP
Citation information: cited by 29 patents; patents cited: 21
Abstract
Transaction accelerators can be configured to terminate secure connections. A server-side accelerator intercepts a secure connection request that is from a client and that is directed to a server. The server-side accelerator responds to the secure connection request in place of the server, thereby establishing a secure connection between the client and the server-side accelerator. Alternatively, the server-side accelerator monitors the establishment of a secure connection between the client and the server. After the secure connection has been established, the server-side accelerator forwards security information to a client-side accelerator, enabling the client-side accelerator to assume control of the secure connection. As a result of this arrangement, the client-side accelerator is able to encrypt and decrypt data on the secure connection and accelerate it in cooperation with the server-side accelerator. In a further embodiment, the accelerated traffic between accelerators is carried across the network via another secure connection.
Representative claims
1. A method of initiating a secure connection, the method comprising: intercepting a secure connection request from a client requesting a connection to a server, the intercepting using an intercepting entity distinct from the server; initiating a secure connection with the client at the intercepting entity, wherein the secure connection is associated with at least one attribute enabling a secure communication of data via the secure connection while having access to data sent via the secure connection, wherein initiating a secure connection with the client comprises: a) observing with the intercepting entity the initiation of a secure connection between the client and the server; b) determining the attribute of the secure connection from the initiation of the secure connection; and c) receiving an indication that the initiation of the secure connection between the client and the server is complete; and forwarding the attribute from the intercepting entity to a network device distinct from the intercepting entity and in a path of the secure connection between the client and the intercepting entity such that the network device can use at least the attribute to maintain the secure connection with the client, the secure connection having been initiated with the intercepting entity, while having access to data sent via the secure connection.
2. The method of claim 1, wherein the secure connection request initiates a connection between the client and the server.
3. The method of claim 1, wherein the secure connection request initiates security for a previously-established connection between the client and the server.
4. The method of claim 1, wherein intercepting the secure connection request from the client comprises: receiving a secure connection request previously intercepted by a second intercepting entity in-path with the client and redirected to the intercepting entity.
5. The method of claim 4, wherein receiving the secure connection request comprises: receiving the secure connection request via a caching protocol.
6. The method of claim 1, wherein intercepting the secure connection request from the client comprises: intercepting the secure connection request from the client via an in-path network connection with the client.
7. The method of claim 1, wherein observing the initiation of the secure connection is facilitated by receiving, by the intercepting entity, security information associated with the server.
8. The method of claim 1, wherein initiating the secure connection comprises: initiating a first secure connection between the intercepting entity and the server; and initiating a second secure connection between the intercepting entity and the client.
9. The method of claim 8, wherein the initiation of the first secure connection is completed before initiating the second secure connection.
10. The method of claim 8, wherein the second secure connection is initiated before the initiation of the first secure connection is completed.
11. The method of claim 1, wherein the attribute includes a cipher to be used to encrypt data for the secure connection.
12. The method of claim 1, wherein the network device receiving the forwarded attribute is closer on a network to the client than the intercepting entity.
13. The method of claim 12, wherein proximity of the network device and the intercepting entity to the client on the network is determined by network characteristics.
14. The method of claim 13, wherein the network characteristics include network latencies of the network from the network device and the intercepting entity to the client.
15. The method of claim 13, wherein the network characteristics include network bandwidths of the network from the network device and the intercepting entity to the client.
16. The method of claim 13, wherein the network device receiving the forwarded attribute is separated from the client by a first network including a local area network and wherein the intercepting entity is separated from the client by a second network including a wide area network.
17. The method of claim 13, wherein the network device receiving the forwarded attribute is integrated with a computer system including the client.
18. The method of claim 1, further comprising: intercepting data from the server directed to the client; communicating at least a portion of the data to the network device in association with an indicator, such that the network device will further communicate the portion of the data with the client via the secure connection.
19. The method of claim 1, further comprising: receiving first data from the network device, wherein the first data corresponds with second data previously received by the network device from the client via the secure connection; and communicating third data to the server, wherein the third data corresponds with the first data.
20. The method of claim 1, wherein forwarding the attribute to the network device includes: initiating an additional secure connection with the network device; and communicating the attribute via the additional secure connection.
21. A method of communicating securely with a client, the method comprising: intercepting a secure connection request from a client to a server at a first network device; initiating a first secure connection between the first network device and the client in response to the secure connection request; and in response to the initiation of the first secure connection being successfully completed: communicating an indicator from the first network device to a second network device that is in a network path between the client and the first network device, wherein the indicator is both an indicator that the first secure connection has been established between the client and the first network device and the indicator is also useable by the second network device to access and process secure communications that occur between the client and the first network device; and assuming control of the first secure connection with the client at the second network device, such that communications between the client and the server pass through the first secure connection between the client and the second network device; wherein the indication that the initiation of the secure connection marks the end of interactions that require a private key and the start of interactions that require only a symmetric key.
22. The method of claim 21, wherein intercepting the secure connection request from the client comprises: receiving a secure connection request previously intercepted by an intercepting entity in-path with the client and redirected to the first network device.
23. The method of claim 21, wherein intercepting the secure connection request from the client comprises: intercepting the secure connection request from the client via an in-path network connection with the client.
24. The method of claim 21, further comprising: receiving first data from the server directed to the client at the first network device; communicating second data corresponding to the first data from the first network device to the second network device; and communicating third data corresponding to the second data from the second network device to the client via the first secure connection.
25. The method of claim 24, wherein the second data comprises an optimized version of the first data and the third data comprises a de-optimized version of the second data equivalent to the first data.
26. The method of claim 21, further comprising: receiving first data from the client directed to the server at the second network device via the first secure connection; communicating second data corresponding to the first data from the second network device to the first network device; and communicating third data corresponding to the second data from the first network device to the server.
27. The method of claim 26, wherein the second data comprises an optimized version of the first data and the third data comprises a de-optimized version of the second data equivalent to the first data.
28. The method of claim 21, wherein initiating the first secure connection with the client in response to the secure connection request comprises determining if the server is capable of establishing a secure connection with the client in response to the secure connection request.
29. The method of claim 28, wherein determining if the server is capable of establishing a secure connection with the client in response to the secure connection request comprises establishing a second secure connection between the first network device and the server.
30. The method of claim 21, wherein the second network device initiates communications with the client via the first secure connection using a symmetric encryption key in response to the indication.
31. The method of claim 30, wherein the indication includes the symmetric encryption key.
32. The method of claim 30, further comprising: selecting a symmetric encryption key by the second network device; communicating the selected symmetric encryption key to the first network device; and communicating the selected symmetric encryption key from the first network device to the client during or after the initiation of the first secure connection.
33. The method of claim 21, wherein the first and second network devices communicate via a second secure connection.
34. The method of claim 33, wherein the first and second network devices initiate the second secure connection using public-key cryptography and certificates signed by a mutually-trusted certifying authority.
35. The method of claim 33, wherein the first and second network devices initiate the second secure connection using self-signed certificates and procedures for deliberate acceptance of such certificates.
36. The method of claim 33, wherein the second secure connection uses a security different from a security of the first secure connection.
37. The method of claim 33, wherein the second secure connection uses a security similar to a security of the first secure connection.
38. The method of claim 33, wherein the second secure connection communicates data associated with the first secure connection and an additional secure connection between the first and second network devices communicates data associated with an additional client.
39. The method of claim 38, wherein the length of use of a single inner channel connection is determined by a number of outer channel connections that have used the single inner channel connection.
40. The method of claim 38, wherein the length of use of a single inner channel connection is determined by time elapsed since the first use of the single inner channel connection.
41. The method of claim 38, wherein a pool of inner-channel connections is available for reuse.
42. The method of claim 21, where a server-side outer channel connection is reused for multiple client-side outer channel connections.
43. The method of claim 42, wherein the length of use of a single server-side outer channel connection is determined by the number of client-side outer channel connections that have used it.
44. The method of claim 42, wherein the length of use of a single server-side outer channel connection is determined by time elapsed since the first use of the single server-side outer channel connection.
45. The method of claim 42, wherein a pool of inner-channel connections is available for reuse.
46. The method of claim 28, wherein determining if the server is capable of establishing a secure connection with the client in response to the secure connection request comprises: accessing a secure connection cache for information characterizing previous secure connection requests denied by the server; comparing characteristics of the secure connection request with the information; forwarding the secure connection request to the server in response to a determination that the characteristics of the secure connection request are similar to the information, thereby enabling the server to establish a secure connection with the client.
47. The method of claim 46, further comprising: invalidating at least a portion of the secure connection cache in response to a change in private key information stored at the first network device.
48. The method of claim 46, further comprising: sharing at least a portion of the secure connection cache with an additional network device connected with the server.
49. The method of claim 21, wherein assuming control of the secure connection with the client at the second network device includes: detecting a secure connection renegotiation request by the client at the second network device; communicating an indicator of the secure connection renegotiation request from the second network device to the first network device; in response to the indicator of the secure connection renegotiation request, assuming control of the first secure connection with the client at the first network device; determining at the first network device whether the first secure connection is renegotiable by the first network device; in response to determining that the first secure connection is renegotiable by the first network device: renegotiating the first secure connection with the client; and forwarding the secure connection renegotiation request to the server in response to a determination that the first network device cannot renegotiate the first secure connection, thereby enabling the server to renegotiate a secure connection with the client.
50. A method of communicating securely with a client, the method comprising: observing an initiation of a secure connection between a client and a server at a first network device, wherein the first network device receives security information from the server; receiving an indication that the initiation of the secure connection between the client and the server is complete; communicating an indicator from the first network device to a second network device that both indicates that the secure connection has been established between the client and the first network device and that is also useable by the second network device to process secure communications that occur between the client and the first network device; assuming control at the second network device of the secure connection with the client on behalf of the server, the secure connection having been established between the client and the first network device; receiving data directed to the client from the server via the second network device; and communicating the data to the client via the secure connection; wherein the indication that the initiation of the secure connection marks the end of interactions that require a private key and the start of interactions that require only a symmetric key.
51. The method of claim 50, wherein the indication that the initiation of the secure connection is complete includes at least one attribute enabling the secure communication of data via the secure connection.
52. The method of claim 51, wherein the attribute includes a symmetric key.
53. The method of claim 50, wherein the server is a VPN device.
54. The method of claim 50, wherein assuming control of the secure connection comprises: determining an attribute of the secure connection from observing the initiation of the secure connection.
55. A method of initiating a secure connection between a client and a server, wherein traffic over the secure connection is to pass from the client through a first proxy and a second proxy to the server, the method comprising: intercepting, at the first proxy, a connection request that is from the client, the connection request directed to the server; intercepting, at the second proxy, a secure connection request that is from the client, the secure connection request directed to the server requesting establishment of the secure connection with the server, wherein establishment of the secure connection with the server requires a first datum that is provided by the server; obtaining the first datum at the second proxy; establishing authenticated communication between the first proxy and the second proxy; and after establishing authenticated communication between the first proxy and the second proxy, providing data from the second proxy to the first proxy, wherein such data is data specific to the secure connection and is data required to establish the first proxy as a termination of the secure connection with the client and wherein such data is provided to the first proxy using the authenticated communication between the first proxy and the second proxy; wherein the first datum is a private key of the server, wherein a session key is required for the authenticated communication between the first proxy and the second proxy, and wherein the data required to establish the first proxy as the termination of the secure connection with the client is the session key.
56. The method of claim 55, further comprising: establishing a first unsecured connection between the client and the first proxy prior to providing the data from the second proxy to the first proxy; establishing a second unsecured connection between the first proxy and the second proxy prior to intercepting the secure connection request; and establishing authenticated communication between the client and the second proxy using the first datum; and obtaining the first datum from the server for use by the second proxy.
57. The method of claim 55, wherein the first datum includes at least one of private key information for the server, certificate information for the server, exchanged self-signed certificates, and exchanged externally-signed certificates.
58. The method of claim 55, wherein the first proxy and the second proxy are identically configured.
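The hand-off described in the abstract and in claims 21 and 55, as an added toy model that is not the patent's or Riverbed's code: a server-side accelerator completes a static Diffie-Hellman handshake in the server's place and forwards only the derived session keys to a client-side accelerator, which then protects records toward the client. The DH group, the HKDF-style derivation, the XOR-plus-HMAC record format and every class and function name are assumptions chosen for illustration; the authenticated inner channel of claims 33 to 35 is modeled as a direct in-process hand-off.

```python
import hashlib
import hmac
import secrets
from collections import namedtuple

P = 2**127 - 1  # toy Diffie-Hellman modulus (a Mersenne prime); far too small for real use
G = 3
# Everything the client-side accelerator needs to take over the connection (claim 21):
# per-session symmetric keys, never the server's private key.
SessionState = namedtuple("SessionState", "client_write_key server_write_key")

def kdf(secret: bytes, label: bytes, n: int) -> bytes:
    """Simplified HKDF-Expand: derive n bytes of key material from secret and label."""
    out, block, i = b"", b"", 1
    while len(out) < n:
        block = hmac.new(secret, block + label + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:n]

def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Toy record protection: per-sequence-number keystream XOR plus an HMAC-SHA256 tag."""
    nonce = seq.to_bytes(8, "big")
    body = bytes(a ^ b for a, b in zip(plaintext, kdf(key, b"stream" + nonce, len(plaintext))))
    return body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def open_record(key: bytes, seq: int, record: bytes) -> bytes:
    """Inverse of seal(); refuses records whose tag does not verify under this key and sequence."""
    nonce, body, tag = seq.to_bytes(8, "big"), record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("record MAC check failed")
    return bytes(a ^ b for a, b in zip(body, kdf(key, b"stream" + nonce, len(body))))

def derive_session(shared_secret: int, client_random: bytes, server_random: bytes) -> SessionState:
    """Both handshake ends derive the same session keys from the DH result and the randoms."""
    master = kdf(shared_secret.to_bytes(16, "big"), b"master" + client_random + server_random, 32)
    keys = kdf(master, b"keys", 64)
    return SessionState(keys[:32], keys[32:])

class ServerSideAccelerator:
    """Answers the handshake in place of the server; the server's private key never leaves it."""
    def __init__(self, server_private_key: int):
        self._x = server_private_key
        self.certificate_public = pow(G, self._x, P)  # static DH value the client sees in the certificate
    def handshake(self, client_public: int, client_random: bytes, server_random: bytes) -> SessionState:
        # The only step that needs the private key; its output is what gets forwarded.
        return derive_session(pow(client_public, self._x, P), client_random, server_random)

def run_demo(request: bytes = b"GET /index.html") -> dict:
    server_side = ServerSideAccelerator(secrets.randbelow(P - 2) + 1)
    y = secrets.randbelow(P - 2) + 1  # client's ephemeral DH secret
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    # The client completes the handshake exactly as it would against the real server.
    client_state = derive_session(pow(server_side.certificate_public, y, P), client_random, server_random)
    # The server-side accelerator completes the same handshake and forwards the session keys
    # (the authenticated inner channel of claims 33 to 35 is modeled as a direct hand-off).
    client_side_state = server_side.handshake(pow(G, y, P), client_random, server_random)
    # From here on the client-side accelerator reads the client's records and answers in the
    # server's name using only the forwarded symmetric keys.
    request_seen = open_record(client_side_state.client_write_key, 0, seal(client_state.client_write_key, 0, request))
    reply_seen = open_record(client_state.server_write_key, 0, seal(client_side_state.server_write_key, 0, b"HTTP/1.1 200 OK"))
    return {"request_seen_by_client_side": request_seen, "reply_seen_by_client": reply_seen}
```

What the model makes visible is that after the hand-off two devices, not one, can read the session plaintext, so the authentication of the inner channel (claims 34 and 35) is what bounds how far that visibility extends.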