[US Patent]
Local authentication in proxy SSL tunnels using a client-side proxy agent
IPC classification information
Country / type: United States (US) Patent, registered (granted)
International Patent Classification (IPC, 7th edition):
H04L-009/32
H04L-029/06
H04L-029/08
G06F-021/60
Application number: US-0051994 (filed 2011-03-18)
Registration number: US-9172682 (granted 2015-10-27)
Inventors / address: Bollay, Benn Sapin; Hawthorne, Jonathan Mini
Applicant / address: F5 Networks, Inc.
Agent / address: Branch, John W.
Citation information
Cited by (forward citations): 0
Cited patents (backward citations): 98
Abstract
A traffic management device (TMD), system, and processor-readable storage medium are directed towards reducing a number of login web pages served by a server device over an end-to-end encrypted connection. In one embodiment, a TMD intercepts and processes requests for content addressed to the server device. The TMD may serve a stored copy of a login page corresponding to the requested content to the client device. In response, the client device may submit login information associated with the login page to the TMD. The TMD may extract the login information from the submitted response and send a request to the server device to authenticate the client device based on the extracted login information. If the client device is authenticated, the TMD may transmit a ‘login successful’ page to the client device.
Claims
1. A traffic management device (TMD) for managing network traffic that is interposed between a client device and a server device, comprising: a transceiver to send and receive content requests and responses over a network; and a processor that performs actions, including: intercepting a content request transmitted by the client device to the server device over an established end-to-end encrypted connection between the client device and the server device; performing an analysis on at least a portion of information included in a uniform resource identifier (URI) in the content request to determine when one of a plurality of previously stored login pages is required to access the server device corresponding to the requested content; in response to an affirmative analysis, and without forwarding the content request to the server device, serving to the client device a stored login page to access the server device corresponding to the content request; extracting login credentials from a response to the served login page received from the client device; requesting an authentication device to authenticate the extracted login credentials; when the authentication device indicates that the extracted login credentials are authentic, sending the intercepted content request to the server device that subsequently forwards the content to the client device; and when the authentication device indicates that the extracted login credentials are non-authentic, selectively serving another stored page to the client device, wherein the other stored page is modified to display, at the client device, login authentication has failed based on when the authentication device indicates the extracted login credentials are non-authentic.

2. The traffic management device of claim 1, wherein the authentication device indicates the extracted login credentials are authentic by transmitting an authentication token to the TMD, and wherein the TMD transmits the authentication token to the client device in conjunction with the other page.

3. The traffic management device of claim 1, wherein the corresponding login page is cached locally by the TMD.

4. The traffic management device of claim 1, wherein the login page is dynamically generated by the TMD based on the login credentials required by the authentication device to perform the authentication.

5. The traffic management device of claim 1, wherein the processor further performs actions including: selecting a second login page different from the login page; and providing the second login page to the client to obtain substantially a same login information from the client device as requested by the login page.

6. The traffic management device of claim 1, wherein the TMD intercepts session handshake messages transmitted between the client device and the server device during creation of the established end-to-end encrypted session, and wherein the TMD employs the intercepted handshake messages and a private key associated with the server device to generate a session key for use by the TMD in decrypting encrypted data sent between the client device and the server device.

7. The traffic management device of claim 6, wherein analyzing the content request further comprises: decrypting intercepted data using a connection key derived from the session key; and searching for at least one keyword indicating that the decrypted data includes a request for a login page.

8. A system for managing network traffic, comprising: a client device; a server device; and a traffic management device (TMD) interposed between the client device and the server device, the TMD configured to perform actions including: intercepting a content request transmitted by the client device to the server device over an established end-to-end encrypted connection between the client device and the server device; performing an analysis on at least a portion of information included in a uniform resource identifier (URI) in the content request to determine if one of a plurality of previously stored login pages is required to access the server device corresponding to the requested content; in response to an affirmative analysis, and without forwarding the content request to the server device, serving to the client device a stored login page to access the server device corresponding to the content request; extracting login credentials from a response to the served login page received from the client device; requesting an authentication device authenticate the extracted login credentials; selectively serving another stored page to the client device, wherein the other stored page is modified to display login authentication has failed based on when the authentication device indicates the extracted login credentials are non-authentic; and when the authentication device indicates the login credentials are authentic, then submitting the intercepted content request to the server device that subsequently forwards the content to the client device.

9. The system of claim 8, wherein the authentication device indicates the extracted login credentials are authentic by transmitting an authentication token to the TMD, and wherein the TMD transmits the authentication token to the server device in conjunction with the intercepted content request.

10. The system of claim 8, wherein the corresponding login page is cached locally by the TMD.

11. The system of claim 8, wherein the login page is dynamically generated by the TMD based on the login credentials required by the authentication device to perform the authentication.

12. The system of claim 8, wherein the processor further performs actions including: selecting a second login page different from the login page; and providing the second login page to the client to obtain substantially a same login information from the client device as requested by the login page.

13. The system of claim 8, wherein the TMD intercepts session handshake messages transmitted between the client device and the server device during creation of the established end-to-end encrypted session, and wherein the TMD employs the intercepted handshake messages and a private key associated with the server device to generate a session key for use by the TMD in decrypting encrypted data sent between the client device and the server device.

14. A processor readable storage medium storing instructions that enable a processor interposed between a client device and a server device to perform actions for managing network traffic, comprising: intercepting a content request transmitted by the client device to the server device over an established end-to-end encrypted connection between the client device and the server device; performing an analysis on at least a portion of information included in a uniform resource identifier (URI) in the content request to determine if one of a plurality of previously stored login pages is required to access the server device corresponding to the requested content; in response to an affirmative analysis, and without forwarding the content request to the server device, serving to the client device a stored login page to access the server device corresponding to the content request; extracting login credentials from a response to the served login page received from the client device; requesting an authentication device authenticate the extracted login credentials; when the authentication device indicates that the extracted login credentials are authentic, sending the intercepted content request to the server device that subsequently forwards the content to the client device; and when the authentication device indicates that the extracted login credentials are non-authentic, selectively serving another stored page to the client device, wherein the other stored page is modified to display, at the client device, login authentication has failed based on whether the authentication device indicates the extracted login credentials are non-authentic.

15. The processor readable storage medium of claim 14, wherein the authentication device indicates the extracted login credentials are authentic by transmitting an authentication token to the TMD, and wherein the TMD transmits the authentication token to the client device in conjunction with the other page.

16. The processor readable storage medium of claim 14, wherein the corresponding login page is cached locally by the TMD.

17. The processor readable storage medium of claim 16, wherein the login page is dynamically generated by the TMD based on the login credentials required by the authentication device to perform the authentication.

18. The processor readable storage medium of claim 14, wherein the processor further performs actions including: selecting a second login page different from the login page; and providing the second login page to the client to obtain substantially a same login information from the client device as requested by the login page.

19. The processor readable storage medium of claim 14, wherein the TMD intercepts session handshake messages transmitted between the client device and the server device during creation of the established end-to-end encrypted session, and wherein the TMD employs the intercepted handshake messages and a private key associated with the server device to generate a session key for use by the TMD in decrypting encrypted data sent between the client device and the server device.

20. The processor readable storage medium of claim 14, wherein analyzing the content request further comprises: decrypting intercepted data using a connection key derived from the session key; and searching for at least one keyword indicating that the decrypted data includes a request for a login page.
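The request flow of claims 1 and 8 (URI analysis against stored login pages, serving the page without forwarding, credential extraction, authentication-device check, then forwarding the original request or serving the failure page) as an added Python model; it is not code from the patent or from F5, and the stored pages, credentials and "authentication device" are constructed stand-ins that take the place of the decrypted request data of claim 7.

```python
import hmac
from urllib.parse import urlparse

# Constructed sample data: stored login pages keyed by the URI prefix they
# protect, the failure page of claim 1, and a stand-in credential store.
STORED_LOGIN_PAGES = {"/secure/": "<form action='/__tmd_login'>user/password</form>"}
FAILED_PAGE = "<html>Login authentication has failed</html>"
LOGIN_ACTION = "/__tmd_login"
VALID_CREDENTIALS = {"alice": "s3cret"}   # hypothetical authentication device backend


def auth_device(user, password):
    """Hypothetical authentication device: returns a token (claim 2) or None."""
    expected = VALID_CREDENTIALS.get(user)
    if expected is not None and hmac.compare_digest(expected, password):
        return f"token-for-{user}"
    return None


def login_page_for(uri):
    """URI analysis of claim 1: the stored login page gating this URI, if any."""
    path = urlparse(uri).path
    for prefix, page in STORED_LOGIN_PAGES.items():
        if path.startswith(prefix):
            return page
    return None


class TMD:
    """Traffic management device sitting between client and server."""

    def __init__(self):
        self.pending = {}   # session id -> intercepted content request URI

    def handle(self, session, uri, form=None):
        """Process one decrypted client request.

        Returns (action, payload, token): ("serve", page, None) when the TMD
        answers itself, ("forward", uri, token) when it sends to the server.
        """
        if uri == LOGIN_ACTION and session in self.pending:
            form = form or {}
            token = auth_device(form.get("user", ""), form.get("password", ""))
            if token is None:
                return ("serve", FAILED_PAGE, None)   # pending request kept for a retry
            return ("forward", self.pending.pop(session), token)
        page = login_page_for(uri)
        if page is not None:
            self.pending[session] = uri            # remember the intercepted request
            return ("serve", page, None)           # served without forwarding
        return ("forward", uri, None)              # not gated: pass through
```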