| 发明名称 | Secure session capability using public-key cryptography without access to the private key | ||
| 摘要 | A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server. | ||
| 申请公布号 | US9553856(B2) | 申请公布日期 | 2017.01.24 |
| 申请号 | US201414315241 | 申请日期 | 2014.06.25 |
| 申请人 | CLOUDFLARE, INC. | 发明人 | Pahl Sébastien Andreas Henry;Tourne Matthieu Philippe François;Sikora Piotr;Bejjani Ray Raymond;Knecht Dane Orion;Prince Matthew Browning;Graham-Cumming John;Holloway Lee Hahn;Strasheim Albertus |
| 分类号 | H04L29/06;H04L9/08;G06F21/33 | 主分类号 | H04L29/06 |
| 代理机构 | Nicholson De Vos Webster & Elliott LLP | 代理人 | Nicholson De Vos Webster & Elliott LLP |
| 主权项 | 1. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising the first server performing the following: receiving a message from the client device that initiates a procedure to establish a secure session between the client device and the first server; transmitting a digital certificate to the client device that includes a public key; generating a set of cryptographic parameters; transmitting, to the second server, a message that includes the set of cryptographic parameters, wherein the second server has a private key that corresponds to the public key; receiving from the second server, a message that includes the set of cryptographic parameters that have been signed using the private key; transmitting, to the client device, the set of cryptographic parameters that have been signed using the private key; receiving, from the client device, a value generated by the client device based in part on the set of cryptographic parameters; generating, using the received value and at least some of the set of cryptographic parameters, a premaster secret; generating a master secret using the premaster secret; and generating, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server. | ||
| 地址 | San Francisco CA US | ||