USRE47924EActiveUtility

Caching network generated security certificates

54
Assignee: A10 NETWORKS INCPriority: Feb 8, 2017Filed: Mar 1, 2019Granted: Mar 31, 2020
Est. expiryFeb 8, 2037(~10.6 yrs left)· nominal 20-yr term from priority
H04L 63/0281H04L 63/0823
54
PatentIndex Score
0
Cited by
175
References
21
Claims

Abstract

Provided are methods and systems for caching network generated security certificates. An example system may include a security gateway node and a storage module. The security gateway node may be operable to receive, from a client, a session request to establish a secure connection with a server. Based on the session request, the security gateway node may establish a first secure session between the client and the security gateway node and a second secure session between the security gateway node and the server. The security gateway node may receive a server certificate from the server. The security gateway node may match the server certificate against a gateway certificate table. Based on the matching, the security gateway node may receive a gateway certificate associated with the gateway certificate entry that matches the server certificate. The gateway certificate may be used for performing the first secure session.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system for caching network generated security certificates, the system comprising programmable instructions stored in a computer-readable media, wherein upon reading the programmable instructions by a processor, the processor executes the following steps:
 a security gateway node operable to: 
 receive, from a client, receiving, by a security gateway node, a session request to establish a secure connection with a server; 
 based on the session request, establish establishing, by the security gateway node, a first secure session and a second secure session, the first secure session including a secure session between the client and the security gateway node and the second secure session including a secure session between the security gateway node and the server; 
 upon establishing the second secure session, receive receiving, by the security gateway node, a server certificate from the server; 
 matchmatching, by the security gateway node, the server certificate against a gateway certificate table based on one or more predetermined criteria to find a gateway certificate entry matching the server certificate, the gateway certificate table operable to cache a plurality of gateway certificates associated with one or more previous secure sessions between the client and the server; 
 based on the matching, receive receiving, by the security gateway node, a gateway certificate, the gateway certificate being associated with the gateway certificate entry matching the server certificate and being used for performing the first secure session; and 
 upon receiving the gateway certificate, forge forging the gateway certificate to obtain a forged gateway certificate, wherein the first secure session is performed using the forged gateway certificate; and 
 a storage module operable to store at least the gateway certificate table. 
 
     
     
       2. The system of  claim 1 , wherein the security gateway node is further operable to:
 based on the matching, determine that no gateway certificate entry matching the server certificate exists;   upon the determination, generate a further gateway certificate based on the server certificate; and   store the further gateway certificate to the gateway certificate table.   
     
     
       3. The system of  claim 1 , wherein the security gateway node is further operable to processor, upon the receiving of the gateway certificate, validate further validates, by the security gateway node, the gateway certificate, wherein the validating is based at least on time information associated with the gateway certificate. 
     
     
       4. The system of  claim 3 , wherein the security gateway node is further operable to processor further executes the following steps:
 based on the validating, determine determining, by the security gateway node, that the gateway certificate is invalid; 
 based on the determining, generate generating, by the security gateway node, a further gateway certificate, the further gateway certificate being associated with the server certificate; and 
 storestoring, by the security gateway node, the further gateway certificate to the gateway certificate table. 
 
     
     
       5. The system of  claim 1 , wherein the processor security gateway node is further operable to further executes the following steps:
 based on the matching, determine determining, by the security gateway node, a partial match of the server certificate and the gateway certificate entry; 
 upon the determining, modify modifying, by the security gateway node, the gateway certificate entry based on the server certificate to obtain a modified gateway certificate, the modified gateway certificate being associated with the server certificate; and 
 storestoring, by the security gateway node, the modified gateway certificate to the gateway certificate table. 
 
     
     
       6. The system of  claim 1 , wherein the security gateway node is further operable to:
 exchange  processor further exchanges, by the security gateway node, one or more gateway certificates with a further security gateway node, wherein the exchanging includes sending by the security gateway node one or more of the plurality of gateway certificates to the further security gateway node and receiving, by the security gateway node, a further plurality of gateway certificates from the further security gateway node. 
 
     
     
       7. The system of  claim 1 , wherein the security gateway node is further operable to  processor further executes the following steps:
 continuously monitor monitoring the gateway certificate table based on a current time and time information associated with the plurality of gateway certificates stored in the gateway certificate table; and 
 determinedetermining that one of the plurality of gateway certificates has expired. 
 
     
     
       8. The system of  claim 7 , wherein the security gateway node is further operable to processor further executes the following steps:
 based on the determining that one of the plurality of gateway certificates has expired, query querying the server to receive an updated server certificate; 
 upon receipt of the updated server certificate, generate generating a further gateway certificate based on the one of the plurality of gateway certificates; and 
 replacereplacing the one of the plurality of gateway certificates with the further gateway certificate in one of gateway certificate entries of the gateway certificate table. 
 
     
     
       9. A method for caching network generated security certificates, the method comprising:
 receiving, by a security gateway node, from a client, a session request to establish a secure connection with a server; 
 based on the session request, establishing, by the security gateway node, a first secure session and a second secure session, the first secure session including a secure session between the client and the security gateway node and the second secure session including a secure session between the security gateway node and the server; 
 upon establishing the second secure session, receiving, by the security gateway node, a server certificate from the server; 
 matching, by the security gateway node, the server certificate against a gateway certificate table based on one or more predetermined criteria to find a gateway certificate entry matching the server certificate, the gateway certificate table operable to cache a plurality of gateway certificates associated with one or more previous secure sessions between the client and the server; 
 based on the matching, receiving, by the security gateway node, a gateway certificate, the gateway certificate being associated with the gateway certificate entry matching the server certificate and being used for performing the first secure session; and 
 upon receiving the gateway certificate, forging the gateway certificate to obtain a forged gateway certificate, wherein the first secure session is performed using the forged gateway certificate. 
 
     
     
       10. The method of  claim 9 , further comprising:
 based on the matching, determining that no gateway certificate entry matching the server certificate exists; 
 upon the determination, generating a further gateway certificate based on the server certificate; and 
 storing the further gateway certificate to the gateway certificate table. 
 
     
     
       11. The method of  claim 9 , further comprising, upon the receiving of the gateway certificate, validating, by the security gateway node, the gateway certificate, wherein the validating is based at least on time information associated with the gateway certificate. 
     
     
       12. The method of  claim 11 , further comprising:
 based on the validating, determining, by the security gateway node, that the gateway certificate is invalid; 
 based on the determining, generating, by the security gateway node, a further gateway certificate, the further gateway certificate being associated with the server certificate; and 
 storing the further gateway certificate to the gateway certificate table. 
 
     
     
       13. The method of  claim 12 , further comprising removing the gateway certificate from the gateway certificate table. 
     
     
       14. The method of  claim 9 , further comprising:
 based on the matching, determining a partial match of the server certificate and the gateway certificate entry; 
 upon the determining, modifying the gateway certificate entry based on the server certificate to obtain a modified gateway certificate, the modified gateway certificate being associated with the server certificate; and 
 storing the modified gateway certificate to the gateway certificate table. 
 
     
     
       15. The method of  claim 9 , further comprising:
 exchanging, by the security gateway node, one or more gateway certificates with a further security gateway node, wherein the exchanging includes sending by the security gateway node one or more of the plurality of gateway certificates to the further security gateway node and receiving, by the security gateway node, a further plurality of gateway certificates from the further security gateway node. 
 
     
     
       16. The method of  claim 9 , further comprising:
 continuously monitoring the gateway certificate table based on a current time and time information associated with the plurality of gateway certificates stored in the gateway certificate table; and 
 determining that one of the plurality of gateway certificates has expired. 
 
     
     
       17. The method of  claim 16 , further comprising:
 based on the determining that one of the plurality of gateway certificates has expired, querying the server to receive an updated server certificate; 
 upon receipt of the updated server certificate, generating a further gateway certificate based on the one of the plurality of gateway certificates; and 
 replacing the one of the plurality of gateway certificates with the further gateway certificate in one of gateway certificate entries of the gateway certificate table. 
 
     
     
       18. A system for caching network generated security certificates, the system comprising:
 a security gateway node operable to:   receive, from a client, a session request to establish a secure connection with a server;   based on the session request, establish a first secure session and a second secure session, the first secure session including a secure session between the client and the security gateway node and the second secure session including a secure session between the security gateway node and the server;   upon establishing the second secure session, receive a server certificate from the server;   match the server certificate against a gateway certificate table based on one or more predetermined criteria to find a gateway certificate entry matching the server certificate, the gateway certificate table operable to cache a plurality of gateway certificates associated with one or more previous secure sessions between the client and the server;   based on the matching, receive a gateway certificate, the gateway certificate being associated with the gateway certificate entry matching the server certificate and being used for performing the first secure session;   upon the receiving of the gateway certificate, validate the gateway certificate, wherein the validating is based at least on time information associated with the gateway certificate and forge the gateway certificate to obtain a forged gateway certificate, wherein the first secure session is performed using the forged gateway certificate;   based on the matching, determine that no gateway certificate entry matching the server certificate exists;   upon the determining, generate a further gateway certificate based on the server certificate; and   store the further gateway certificate to the gateway certificate table; and   a storage module operable to store at least the gateway certificate table.   
     
     
       19. A system for caching network generated security certificates, the system comprising programmable instructions stored in a computer-readable media, wherein upon reading the programmable instructions by a processor, the processor executes the following steps:
 receiving, by a security gateway node, a session request to establish a secure connection with a server;   based on the session request, establishing, by the security gateway node, a first secure session and a second secure session, the first secure session including a secure session between the client and the security gateway node and the second secure session including a secure session between the security gateway node and the server;   upon establishing the second secure session, receiving, by the security gateway node, a server certificate from the server;   matching, by the security gateway node, the server certificate against a gateway certificate table based on one or more predetermined criteria to determine whether a gateway certificate entry matching the server certificate exists;   based on the determining that the gateway certificate entry matching the server certificate exists:
 receiving, by the security gateway node, a gateway certificate associated with the gateway certificate entry; and 
 upon receiving the gateway certificate, forging the gateway certificate to obtain a forged gateway certificate, wherein the first secure session is performed using the forged gateway certificate; 
   based on the determining that no gateway certificate entry matching the server certificate exists, generating a further gateway certificate based on the server certificate, the further gateway certificate.    
     
     
       20. The system of claim 19, wherein the processor, upon generating the further gateway certificate based on the server certificate, stores the further gateway certificate to the gateway certificate table.  
     
     
       21. The system of claim 19, wherein the processor, upon the receiving of the gateway certificate, further validates the gateway certificate, wherein the validating is based at least on time information associated with the gateway certificate.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.