Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular node for directing data and applying cryptography
Reexamination Certificate
1999-10-01
2004-05-04
Peeso, Thomas R. (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Particular node for directing data and applying cryptography
C713S161000, C713S165000, C713S170000, C713S189000, C713S152000
Reexamination Certificate
active
06732269
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to secure communications between a client and a server, and, in particular, to secure communications utilizing the Secure Socket Layer (SSL).
BACKGROUND OF THE INVENTION
In communications between a client and a server, it is often beneficial to provide increased security. One mechanism for providing increased security is through the use of the Secure Socket Layer (SSL) protocol.
FIG. 1 illustrates a conventional SSL connection between a client 10 and a server 12. As seen in FIG. 1, the client 10 communicates directly with the server 12 utilizing the SSL connection 16.
The SSL Protocol may provide privacy and reliability between two communicating applications. The SSL protocol utilizes two layers, the lowest layer of which is the SSL Record Protocol, which is layered on top of a communications protocol such as TCP/IP. The SSL Record Protocol encapsulates higher level protocols such as the SSL Handshake Protocol. The SSL Handshake Protocol allows the server and client to authenticate each other and to establish an encryption method and keys.
One advantage of SSL is that it is application protocol independent. A higher level protocol can layer on top of the SSL Protocol transparently. Thus, the SSL protocol provides connection security where encryption is used after an initial handshake to define a secret key, and where the communication partner's identity can be authenticated using asymmetric, or public key, cryptography such as RSA. Details on SSL communications may be found in U.S. Pat. No. 5,657,390 entitled “SECURE SOCKET LAYER APPLICATION PROGRAM APPARATUS AND METHOD,” the disclosure of which is incorporated herein by reference as if set forth fully herein.
One problem associated with the use of SSL between a client and a server is that establishing an SSL connection may impose a substantial burden on a server. For example, if a server has multiple SSL connections to clients, the creation of an additional SSL connection may adversely impact on the performance of transactions to other clients through the utilization of server processing resources to establish the additional connection.
One approach to reducing the performance degradation of a server as a result of the use of SSL connections is through the use of an SSL proxy server as illustrated in FIG. 2. An SSL proxy server may be dedicated to establishing SSL connections and, therefore, may quickly establish an SSL connection as well as provide hardware decryption so as to relieve the burden imposed on the server by the SSL connection. As seen in FIG. 2, a client 10 communicates with the SSL proxy server 14 over an SSL connection 16. The SSL proxy server 14 then communicates with the server 12 over a non-secure connection 18. In such a case, however, the security between the client 10 and the server 12 may be lost between the SSL proxy server 14 and the server 12. Furthermore, the client identity information contained in the SSL communications may also be lost between the SSL proxy server 14 and the server 12.
The system of FIG. 3 illustrates the use of an SSL proxy server 14 where SSL connections 16, 16′, 20 and 20′ are established between the SSL proxy server 14 and both the clients 10 and 10′ and the server 12. As seen in FIG. 3, for each SSL connection 16, 16′ between the client 10 and 10′ and the SSL proxy server 14, there is a corresponding SSL connection 20, 20′ established between the SSL proxy server 14 and the server 12 which acts as a pipe through the SSL proxy server 14 to the server 12. However, the system of FIG. 3, while providing security between the SSL proxy server 14 and the server 12, may still result in performance degradation of server 12 as a result of the use of the SSL connections 20, 20′ for each client 10, 10′.
In light of the above discussion, a need exists for improvements in the use of SSL communications between clients and servers.
SUMMARY OF THE INVENTION
In view of the above discussion, it is an object of the present invention to provide for improved performance in communications between clients and servers utilizing the SSL protocol.
A further object of the present invention is to reduce the impact of the use of SSL protocols on the performance of a server while maintaining the security and client identity provided by such protocols.
Still another object of the present invention is to improve the scalability of server applications utilizing SSL communications.
These and other objects of the present invention may be provided by methods, systems, and computer program products which communicate between client applications and a transaction server by establishing a persistent secure connection between the transaction server and a Secure Socket Layer (SSL) proxy server. A first session specific SSL connection, different from the persistent secure connection, is also established between a first client application and the SSL proxy server. Communications between the first client application and the SSL proxy server transmitted over the first session specific SSL connection are then forwarded to the transaction server over the persistent secure connection. Furthermore, a second session specific SSL connection between a second client application and the SSL proxy server may also be established and the communications between the second client application and the SSL proxy server transmitted over the second session specific SSL connection may also be forwarded to the transaction server over the persistent secure connection. Preferably, the persistent secure connection is an SSL connection.
By establishing a persistent secure connection between the SSL proxy server and the transaction server, the overhead and burden of establishing a connection each time a client makes an SSL connection may be reduced. Furthermore by utilizing the persistent secure connection for multiple SSL connections, the performance of the transaction server may be maintained even in the presence of numerous SSL client connections because the transaction server is not burdened with establishing a connection for each SSL connection. Thus, the present invention may be readily scaled to accommodate increased numbers of SSL clients by adding additional SSL proxy servers without a corresponding burden on the transaction server. Furthermore, because the persistent connection is secure, the security of the communications with the client is not lost between the SSL proxy server and the transaction server.
In a further embodiment of the present invention, client identification information extracted from the communications between the client application and the SSL proxy server is provided to the transaction server in a message transmitted to the transaction server over the persistent secure connection. Such a message may be created by incorporating the client identification information as a message header of the message and transmitting the message with the message header to the transaction server over the persistent secure connection. The transaction server may receive the message transmitted over the persistent secure connection and extract from the message the client identification information. Content information may also be extracted from the communications over the SSL connection with the client. The client identification information and the extracted content information may then be provided to a transaction server application associated with the transaction server.
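The persistent-connection multiplexing and the client-identification message header described above, as an added example that is not part of the patent or of any product: the frame layout, the proxy_forward and TransactionServer names and the "CN=alice"/"CN=bob" identities are assumptions, and the persistent SSL connection is stood in for by an in-memory buffer so the code runs offline.

```python
import struct
# Added example (not the patent's own code). Hypothetical framing for the single
# persistent proxy<->server connection, an assumption for illustration:
#   2-byte client-id length | client id (UTF-8) | 4-byte content length | content
# Each frame carries the identity the proxy saw on that client's own
# session-specific SSL connection, so one persistent connection serves many clients.

def frame(client_id: str, content: bytes) -> bytes:
    cid = client_id.encode("utf-8")
    if len(cid) > 0xFFFF or len(content) > 0xFFFFFFFF:
        raise ValueError("field too long for header")
    return struct.pack("!H", len(cid)) + cid + struct.pack("!I", len(content)) + content

def parse_frames(buf: bytes):
    """Return (list of (client_id, content) for complete frames, unconsumed tail)."""
    frames, pos = [], 0
    while len(buf) - pos >= 2:
        (n,) = struct.unpack_from("!H", buf, pos)
        if len(buf) - pos < 2 + n + 4:
            break                                   # header not complete yet
        cid = buf[pos + 2:pos + 2 + n].decode("utf-8")
        (m,) = struct.unpack_from("!I", buf, pos + 2 + n)
        start = pos + 2 + n + 4
        if len(buf) - start < m:
            break                                   # content not complete yet
        frames.append((cid, bytes(buf[start:start + m])))
        pos = start + m
    return frames, bytes(buf[pos:])

def proxy_forward(persistent: bytearray, tls_peer_identity: str, request: bytes) -> None:
    # Proxy side: the identity is what the client's SSL session authenticated
    # (e.g. peer certificate subject), never something taken from the request body.
    persistent += frame(tls_peer_identity, request)

class TransactionServer:   # server side: demultiplexes frames, tolerating partial reads
    def __init__(self):
        self.pending = b""
        self.received = {}                          # client id -> list of contents

    def on_bytes(self, chunk: bytes) -> int:
        frames, self.pending = parse_frames(self.pending + bytes(chunk))
        for cid, content in frames:
            self.received.setdefault(cid, []).append(content)
        return len(frames)                          # frames handed to the application

def demo():
    """Two clients on separate SSL sessions share one persistent connection (constructed input)."""
    persistent, server = bytearray(), TransactionServer()
    proxy_forward(persistent, "CN=alice", b"GET /balance")
    # A client-written identity line is just content; the frame still says CN=bob.
    proxy_forward(persistent, "CN=bob", b"X-Client-Id: CN=alice\r\nGET /balance")
    delivered = server.on_bytes(persistent[:7]) + server.on_bytes(persistent[7:])  # split delivery
    return delivered, server.received
```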
In an alternative embodiment which provides client identification information to the transaction server, a second connection between the SSL proxy server and the transaction server is established. The client identification information and content information are extracted from the communications over the SSL connection with the client application. The client identification information is then transmitted to the transaction server over the second connection and the
Baskey Michael Edward
Hahn Timothy James
Kandlur Dilip Dinkar
Kuehr-McLaren David Gerard
Myers Bigel Sibley & Sajovec P.A.
Peeso Thomas R.
Ray-Yarletts Jeanine S.