Atomic session-start operation combining clear-text and...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular node for directing data and applying cryptography

Reexamination Certificate


Details

C718S105000, C709S238000, C709S227000


active

06772333

ABSTRACT:

FIELD OF THE INVENTION
This invention relates to multi-server web sites, and more particularly to load-balancing among servers when both encrypted and un-encrypted connections occur.
BACKGROUND OF THE INVENTION
Today's rising popularity of the Internet has encouraged many companies to do business over the Internet. Most Internet transactions are conducted through ubiquitous web browsers and web servers using the Hypertext Transfer Protocol (HTTP), which is the technical foundation on which the World Wide Web (WWW) is built. Security and privacy concerns have led to the encryption of many transactions between the web browsers (clients) and the computers of the web sites (servers). These encrypted transactions are often of a financial nature, such as ordering items with a credit card, checking account balances, etc.
Common encryption methods in use today are resource-intensive. Many network packets are exchanged between the two communication end-points to establish a secure session. The encryption and decryption algorithms used are processor-intensive for both client and server computers. Although the performance drop on a single client machine might not be noticeable, servers that handle many simultaneous connections can suffer a significant performance degradation, perhaps even becoming unavailable at high load levels.
Both Encrypted and Clear-Text Connections
The load on the server machine can be reduced by limiting the amount of data that is encrypted before being sent over the Internet. Less critical data such as product descriptions and advertisements can be sent as non-encrypted data, while only the more critical data such as credit-card numbers are encrypted. The non-encrypted or clear-text data can be sent using standard or clear-text TCP/IP connections while the encrypted data is sent using an encrypted session.
FIG. 1 shows a user communicating with a server using many clear-text connections and one encrypted session, which itself consists of multiple encrypted TCP connections. In this example, the overall client-encounter between the user and a server consists of the encrypted session and one or more clear-text connections. Initially, a user connects to a server with clear-text connection 1, which is the start of the client-encounter. The user also makes a second connection, clear-text connection 2. This often happens automatically, when the browser is downloading multiple images that are embedded in the web page. Once the user decides to buy a product, types in his credit card information, and presses a ‘submit’ button, an encrypted session (session 3) begins with encrypted connection 1. Other clear-text connections (clear-text connection 3) for non-critical information may be started or in progress. Finally, the user completes the purchase within encrypted session 3 using encrypted connection 2.
Different connections between the client and server machines are made for exchanging clear-text and encrypted data. The encrypted connections are typically grouped together into a single encrypted session that shares the same keys and certificates. The various connections and sessions often overlap in time, and can begin and end without regard to each other.
A typical electronic-commerce (e-commerce) web site might send all product or catalog information as clear text, while starting an encrypted session only at check-out when the user is ready to input his credit card information. Products selected during the browsing of the catalog with the clear-text connections might be saved in a server-side database and later retrieved when the user checks out.
Load-Balancing—FIG. 2
Web sites can experience enormous growth, as some have seen the number of unique customers rise from zero to over a million in less than one year. A single server machine is not able to simultaneously handle millions of customer requests, so additional server machines are often added to the web site. The web site is then known as a web or server farm. A server farm can have hundreds of individual server machines that are connected together by a local network such as a LAN.
FIG. 2 highlights load-balancing at a server farm. Requests from clients are received by an internet connection and sent to load-balancer 10. Load-balancer 10 then assigns the request to one of many servers 8. The assigned server 8 then receives the request and processes it. The reply from server 8 can be sent directly back to the client through the internet connection for the server farm. The server farm can use a single virtual IP address and thus appears to the outside user to be a single server.
Some load-balancers assign requests to servers randomly or in a pre-defined sequence, while others assign new requests to the least-busy servers. More powerful load-balancers can look inside the IP packets that make up TCP connections to find application information, such as the session ID used to identify the encrypted session (the SSL/TLS session ID travels unencrypted in the handshake, so middleware can read it without holding the session keys). The load-balancer can also keep a table of session IDs read from the packets so that all connections carrying the same session ID are sent to the same server. The individual packets of a TCP connection are also sent to the same server, using the information provided in the packet headers, such as the client and server IP addresses and ports. See U.S. Pat. No. 5,774,660 by Brendel et al. for “A World-Wide-Web Server with Delayed Resource-Binding for Resource-Based Load Balancing on a Distributed-Resource Multi-Node Network”, which is assigned to Resonate Inc. of Mountain View, Calif.
Load-balancer 10 can be a hardware or software module. Since load-balancer 10 sits between servers 8 and the user, load-balancer 10 is one kind of middleware that intercepts IP packets. Other kinds of middleware are used for network management such as quality-of-service (QoS) or security. Middleware can only look at the IP packets being sent and does not necessarily know which connections and sessions belong to the same user.
It is desirable for all connections for a certain user to be assigned to the same server. When the same server receives all of the user's connections, then local traffic to other servers is minimized and latency is reduced. When different servers process requests by the same user, the different servers may have to communicate with each other to process the requests, such as a server processing a checkout request that may need item information from other servers used by the user. Such inter-server communication would increase local network traffic and require additional programming and configuration.
Ideally, load-balancer 10 assigns all requests from a certain user to the same server, whether the requests are encrypted or clear-text. Load-balancer 10 can assign all packets for a certain connection to the same server, but typically the server closes the connection after each HTTP request is processed. Thus a new connection is used for each web page displayed, while simultaneously one or more encrypted sessions may also be ongoing. Since load-balancer 10 is middleware, it is not able to directly associate the different encrypted sessions and clear-text connections with the same user.
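The session-ID table described above, as an added example that is not code from the patent: a balancer that reads the SSL/TLS session ID out of the handshake records it forwards, learns which server issued each ID from that server's ServerHello, routes later ClientHellos presenting the same ID to that server, and falls back to hashing the TCP 4-tuple for everything else. Learning from the ServerHello and the LRU bound on the table are this example's choices; the server names, addresses and hello records are constructed for it.

```python
"""
Added example (not from the patent): a load-balancer table keyed on the
SSL/TLS session ID.  The session ID is sent in the clear in the ClientHello
and ServerHello, so middleware can read it without the session keys.  The
balancer learns <session ID -> server> from the ServerHello the back-end
emits, routes later ClientHellos carrying that ID to the same server, and
falls back to hashing the TCP 4-tuple otherwise.  Server names, addresses
and the hello records below are constructed for the example.
"""
import hashlib
import struct
from collections import OrderedDict

HANDSHAKE = 0x16      # TLS record content type for handshake messages
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02


def parse_hello_session_id(record: bytes):
    """Return (handshake_type, session_id) for a TLS record that carries a
    ClientHello or ServerHello; None for anything else or a malformed record.
    Layout after the 5-byte record header and 4-byte handshake header:
    version(2) random(32) session_id_len(1) session_id(0..32) ..."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4:
        return None
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO) or len(hs) < 35:
        return None
    sid_len = hs[34]
    if sid_len > 32 or len(hs) < 35 + sid_len:   # RFC bound: opaque<0..32>
        return None
    return hs_type, hs[35:35 + sid_len]


def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_client_hello(session_id: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello: one cipher suite, null
    compression, no extensions.  Empty session_id means 'new session'."""
    body = (b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00" + b"\x00\x00")
    return _record(CLIENT_HELLO, body)


def build_server_hello(session_id: bytes) -> bytes:
    """Constructed minimal ServerHello announcing the server-chosen session_id."""
    body = (b"\x03\x03" + b"\x22" * 32 + bytes([len(session_id)]) + session_id
            + b"\xc0\x2f" + b"\x00" + b"\x00\x00")
    return _record(SERVER_HELLO, body)


class LoadBalancer:
    def __init__(self, servers, max_sessions=100_000):
        self.servers = list(servers)
        # session_id -> server.  Bounded and LRU-evicted: IDs arrive from the
        # network, so an unbounded table is a memory-exhaustion target.
        self.sessions = OrderedDict()
        self.max_sessions = max_sessions

    def _by_four_tuple(self, client_ip, client_port, server_ip, server_port):
        """Default rule: every packet of one TCP connection goes to one server."""
        key = f"{client_ip}:{client_port}>{server_ip}:{server_port}".encode()
        h = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
        return self.servers[h % len(self.servers)]

    def route_client_packet(self, four_tuple, payload: bytes):
        """Pick the server for a client->farm packet.  Returns (server, rule)."""
        parsed = parse_hello_session_id(payload)
        if parsed and parsed[0] == CLIENT_HELLO and parsed[1]:
            server = self.sessions.get(parsed[1])
            if server is not None:          # resumption of a known session
                self.sessions.move_to_end(parsed[1])
                return server, "session-id"
        return self._by_four_tuple(*four_tuple), "4-tuple"

    def observe_server_packet(self, server: str, payload: bytes) -> None:
        """Learn the session ID a server assigned in its ServerHello."""
        parsed = parse_hello_session_id(payload)
        if parsed and parsed[0] == SERVER_HELLO and parsed[1]:
            self.sessions[parsed[1]] = server
            self.sessions.move_to_end(parsed[1])
            while len(self.sessions) > self.max_sessions:
                self.sessions.popitem(last=False)
```

Two limits of this scheme follow directly from the text. If the server's reply bypasses the balancer (the direct-return path FIG. 2 allows), the balancer never sees the ServerHello and cannot learn the ID at all, which is exactly the visibility problem for middleware that the patent is about; and the clear-text connections of the same user carry no session ID, so they still fall under the 4-tuple rule and may land on another server. Separately, in TLS 1.3 the session_id field is kept only for middlebox compatibility and resumption uses pre-shared keys, so this particular signal is gone there.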
Cookies—FIGS. 3A, 3B
FIG. 3A shows a cookie being passed containing a server assignment. After a connection is established between the client and the server farm, the client sends a request to the server farm using the HTTP protocol. This request contains a request header that contains a GET statement. The GET statement identifies a resource such as a web page that the client is requesting. In the example of FIG. 3A, request 12 asks for /page.html, which is a web page at the server farm. The request typically identifies the web page or resource with a uniform-resource-locator (URL).
The server replies by sending response header 14, which contains information on the server and the type of data being sent. Then content 16 is sent from the server to the client. The server typically closes the connection once the content has been sent. A new network c
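The cookie-carried server assignment of FIG. 3A, as an added example that is not code from the patent: the balancer parses the client's HTTP/1.x request, looks for an affinity cookie, honours it only if it names a server the farm actually has, and otherwise picks the least-busy server and adds a Set-Cookie line to the response header before the content goes out. The cookie name "lbsrv", the server labels and the request and response messages are assumptions constructed for the example.

```python
"""
Added example (not from the patent): cookie-carried server assignment on the
HTTP/1.x exchange of FIG. 3A.  The balancer reads a cookie from the request
header, honours it only if it names a server it has, and otherwise picks the
least-busy server and asks the response to set the cookie.  The cookie name
"lbsrv", the server labels and the messages are constructed assumptions.
"""
AFFINITY_COOKIE = "lbsrv"


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (method, target, headers); header names
    are lower-cased and repeated headers are joined with ', '."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return method, target, headers


def parse_cookies(cookie_header: str) -> dict:
    """'a=1; lbsrv=s2' -> {'a': '1', 'lbsrv': 's2'} (first occurrence wins)."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name and name not in cookies:
            cookies[name] = value
    return cookies


def add_set_cookie(response: bytes, set_cookie: str) -> bytes:
    """Append a Set-Cookie line to the response header block, before content."""
    head, sep, body = response.partition(b"\r\n\r\n")
    return head + b"\r\n" + set_cookie.encode("latin-1") + sep + body


class CookieAffinity:
    def __init__(self, servers):
        self.in_flight = {s: 0 for s in servers}   # requests being served

    def choose(self, request: bytes):
        """Return (server, set_cookie_line_or_None) for one HTTP request."""
        _method, _target, headers = parse_request(request)
        wanted = parse_cookies(headers.get("cookie", "")).get(AFFINITY_COOKIE)
        # The cookie is client-supplied: a forged, stale or misspelled value
        # must not steer the request anywhere but to a server we know.
        if wanted in self.in_flight:
            self.in_flight[wanted] += 1
            return wanted, None
        server = min(self.in_flight, key=self.in_flight.get)   # least-busy
        self.in_flight[server] += 1
        # No Secure attribute: the cookie must also travel on the clear-text
        # connections, so it may carry nothing but the server label.
        return server, f"Set-Cookie: {AFFINITY_COOKIE}={server}; Path=/; HttpOnly"

    def release(self, server: str) -> None:
        """Called when the server closes the connection after the request."""
        self.in_flight[server] -= 1
```

Because the server closes the connection after each request, the cookie is what carries the assignment from one clear-text connection to the next; the check against the known-server table is what keeps a client from choosing an arbitrary back-end by editing the value, and the empty-table-entry case (a server removed from the farm) falls through to a fresh assignment instead of an error.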
