Method and system for providing persistence in a secure network access
IPC classification information
Country / type: United States (US) patent, registered
International Patent Classification (IPC 7th edition): H04L-029/06; H04L-009/32
Application number: US-0291935 (2014-05-30)
Registration number: US-9210163 (2015-12-08)
Inventors / address: Hughes, John R.; Masters, Richard Roderick; Gilde, Robert George
Applicant / address: F5 Networks, Inc.
Agent / address: Branch, John W.
Citation information: cited by 0 patents; cites 135 patents
Abstract
A system and method for providing persistence in a secure network access by using a client certificate sent by a client device to maintain the identity of a target. A security handshake is performed with a client device to establish a secure session. A target is determined. A client certificate is associated with the target. During subsequent secure sessions, the client certificate is used to maintain persistent communications between the client and a target. A session ID can be used in combination with the client certificate, by identifying the target based on the session ID or the client certificate, depending on which one is available in a client message.
Representative claims
1. A blade device, comprising: one or more interface devices for communicating information to and from the blade device; and one or more processors operable to execute executable instructions to perform actions, comprising: receiving from a client device a first message; in response, establishing a first secure communications session with the client device by performing a first security handshake with the client device, the first security handshake including a first client certificate received from the client device, the first security handshake employing a first secure communications protocol; associating a first communications with the client device to a target server; receiving a second message from the client device, the second message including a second client certificate associated with the client device that is equivalent to the first client certificate, the second message being a second security handshake with the client device; in response, employing the first secure communications session with the client device to perform the second security handshake with the client device that employs the first secure communications protocol; and identifying the target server for a second communications session with the client device based on the second client certificate, wherein the second client certificate includes a public key security certificate, and wherein the second secure communications session is directed towards resuming the first secure communications session, and wherein a session identifier is provided with the second received message for use in establishing the second secure communications session.
2. The blade device of claim 1, wherein the first secure communications protocol and comprises at least one of an Internet Protocol (IP) Security (Sec) protocol, a Secure Sockets Layer (SSL) protocol, or a Transport Layer Security Protocol (TLS).
3. The blade device of claim 1, wherein the one or more processors are operable to store data indicating a mapping between at least one of the first or the second client certificates and a session identifier.
4. The blade device of claim 1, wherein communications between the target server and the blade device are configured such that there is a one to one correspondence between each client side secure communications session and target server communications session.
5. The blade device of claim 1, wherein communications between the target server and the blade device are configured such that secure communications sessions with one or more client devices is directed towards a same secure communications session between the target server and the blade device.
6. A system, comprising: a plurality of server devices; and one or more processor devices interposed between a client device and the plurality of server devices, the processor devices perform actions, including: receiving from a client device a first message; in response, establishing a first secure communications session with the client device by performing a first security handshake with the client device, the first security handshake including a first client certificate received from the client device, the first security handshake employing a first secure communications protocol; associating a first communications with the client device to a target server; receiving a second message from the client device, the second message including a second client certificate associated with the client device that is equivalent to the first client certificate, the second message being a second security handshake with the client device; in response, employing the first secure communications session with the client device to perform the second security handshake with the client device that employs the first secure communications protocol; and identifying the target server for a second communications session with the client device based on the second client certificate, wherein the second client certificate includes a public key security certificate, and wherein the second secure communications session is directed towards resuming the first secure communications session, and wherein a session identifier is provided with the second received message for use in establishing the second secure communications session.
7. The system of claim 6, wherein the first secure communications protocol and comprises at least one of an Internet Protocol (IP) Security (Sec) protocol, a Secure Sockets Layer (SSL) protocol, or a Transport Layer Security Protocol (TLS).
8. The system of claim 6, wherein the one or more processors are operable to store data indicating a mapping between at least one of the first or the second client certificates and a session identifier.
9. The system of claim 6, wherein communications between the target server and the blade device are configured such that there is a one to one correspondence between each client side secure communications session and target server communications session.
10. The system of claim 6, wherein communications between the target server and the blade device are configured such that secure communications sessions with one or more client devices is directed towards a same secure communications session between the target server and the blade device.
11. An apparatus having stored thereon computer-executable instructions that when installed on a computing device having one or more processors, performs actions, comprising: receiving from a client device a first message; in response, establishing a first secure communications session with the client device by performing a first security handshake with the client device, the first security handshake including a first client certificate received from the client device, the first security handshake employing a first secure communications protocol; associating a first communications with the client device to a target server; receiving a second message from the client device, the second message including a second client certificate associated with the client device that is equivalent to the first client certificate, the second message being a second security handshake with the client device; in response, employing the first secure communications session with the client device to perform the second security handshake with the client device that employs the first secure communications protocol; and identifying the target server for a second communications session with the client device based on the second client certificate, wherein the second client certificate includes a public key security certificate, and wherein the second secure communications session is directed towards resuming the first secure communications session, and wherein a session identifier is provided with the second received message for use in establishing the second secure communications session.
12. The apparatus of claim 11, wherein the first secure communications protocol and comprises at least one of an Internet Protocol (IP) Security (Sec) protocol, a Secure Sockets Layer (SSL) protocol, or a Transport Layer Security Protocol (TLS).
13. The apparatus of claim 11, wherein the one or more processors are operable to store data indicating a mapping between at least one of the first or the second client certificates and a session identifier.
14. The apparatus of claim 11, wherein communications between the target server and the blade device are configured such that there is a one to one correspondence between each client side secure communications session and target server communications session.
15. The apparatus of claim 11, wherein communications between the target server and the blade device are configured such that secure communications sessions with one or more client devices is directed towards a same secure communications session between the target server and the blade device.
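The persistence lookup that the abstract and claims 1 and 3 describe (session ID or client certificate, whichever the client message carries, selects the target server), as an added Python example that is not F5's code: the target names, the SHA-256 certificate fingerprint and the round-robin choice for a client with no affinity yet are assumptions.

```python
import hashlib
from dataclasses import dataclass
from itertools import cycle
from typing import Optional

@dataclass
class ClientMessage:
    """Constructed stand-in for a handshake message; either field may be absent."""
    session_id: Optional[bytes] = None
    client_cert: Optional[bytes] = None   # DER bytes of the client certificate

class PersistenceTable:
    """Affinity state a proxy keeps per the abstract: session ID -> target,
    client certificate -> target, and the cert <-> session mapping of claim 3."""

    def __init__(self, targets):
        self._next_target = cycle(targets)  # assumption: round robin for new clients
        self.by_session = {}                # session ID -> target server
        self.by_cert = {}                   # cert fingerprint -> target server
        self.cert_sessions = {}             # cert fingerprint -> set of session IDs

    @staticmethod
    def fingerprint(cert: bytes) -> str:
        # Key on a SHA-256 digest rather than the raw DER so the stored
        # record is small and comparison is fixed-size (an assumption here).
        return hashlib.sha256(cert).hexdigest()

    def select_target(self, msg: ClientMessage) -> str:
        """Return the target server for this message, honouring existing affinity."""
        target = None
        # 1. A known session ID wins: a resumed session must reach the server
        #    that holds its state, and it is the cheapest lookup.
        if msg.session_id is not None:
            target = self.by_session.get(msg.session_id)
        # 2. Otherwise fall back to the client certificate, so a full handshake
        #    with a new or unknown session ID still lands on the same target.
        fp = self.fingerprint(msg.client_cert) if msg.client_cert else None
        if target is None and fp is not None:
            target = self.by_cert.get(fp)
        # 3. No affinity yet: assign a target, then record every key we have.
        if target is None:
            target = next(self._next_target)
        if msg.session_id is not None:
            self.by_session[msg.session_id] = target
        if fp is not None:
            self.by_cert[fp] = target
            if msg.session_id is not None:
                self.cert_sessions.setdefault(fp, set()).add(msg.session_id)
        return target
```

A resumption that carries only the session ID and a fresh full handshake that carries only the certificate both reach the server the client was first bound to; a client with neither key known is the only case that consumes a new target.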