The proposed technology generally relates to provision of web services to a client e.g. concerning cloud caching in HTTPS (Hypertext Transfer Protocol Secure) enabled communication systems.
With the increasing use of software applications designed to run on smartphones, tablets and other mobile devices, users are generally interacting with their smartphones in two different ways; either through native applications running on their phones or using a browser and a web page possibly implemented in the phone as a so call web application.
A native application is installed directly onto the device and users typically acquire these applications through an online store. Native applications run fast and smoothly on the user's device since the data used by the application can be stored locally, and native code can be used instead of interpreted code. The programmer has access to application programming interfaces to render graphics quickly using a built-in graphics processing unit.
Instead of using a native application, the users can choose to visit a web page using a browser or a web application. Many services today can be accessed both ways; for instance, Facebook can be accessed by using a native application as well as by visiting the Facebook homepage from the browser. Historically, browsing was quite slow since every click resulted in a request to the web server, and the user would have to wait for the content to return. Today, small scripting programs typically written in the JavaScript are downloaded to the user device and run locally. This means that tedious round-trip times of the network often can be avoided and JavaScript based webpages can be almost as responsive as a native application. While native applications still have an advantage when it comes to high demanding applications such as games, the gap between web applications and native applications has been narrowing.
In this context it is relevant to discuss cloud computing and cloud caching.
The term cloud computing in its most general meaning is used to describe the concept of using computing resources e.g. hardware and software that are delivered as a service over a network e.g. Internet. The name is derived from the nowadays-common use of a cloud as an abstraction for the complex infrastructure it contains in system diagrams. Another way of formulating it is that cloud computing enables convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Typically, cloud computing is described as a stack due to the number of services built on top of each other. These services can be divided into three main models, namely Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), where IaaS is the most basic model.
A prevalent trend in today's communication systems is utilizing the cloud and so-called cloud computing which involves distributed computing over a network. Consequently, a program or application may run on many connected computers at the same time. It specifically refers to a computing hardware machine or group of computing hardware machines commonly referred as a server connected through a communication network such as the Internet, an intranet, a local area network (LAN) or wide area network (WAN). Any individual user who has permission to access the server can use the server's processing power to run an application, store data, or perform any other computing task. Therefore, instead of using a personal computer every-time to run the application, the individual can now run the application from anywhere in the world, as the server provides the processing power to the application and the server is also connected to a network via internet or other connection platforms to be accessed from anywhere.
Network-based services, which appear to be provided by real server hardware and are in fact served up by virtual hardware simulated by software running on one or more real machines, are often called cloud computing. Such virtual servers do not physically exist and can therefore be moved around and scaled up or down on the fly without affecting the end user, somewhat like a cloud becoming larger or smaller without being a physical object.
In a mobile context, cloud based solutions also have disadvantages. One disadvantage is the latency in accessing information. For example, when content is selected for use, it takes a finite amount of time for the content to be downloaded to the device before the user may access the content (for example, downloading a song). To overcome this delay, solutions that rely on partial downloading of information to the mobile device have been proposed. For example, the beginning of the content may be stored locally (thereby saving storage space) and the rest of the content may be downloaded while the beginning of the content may be accessed. As the amount of content a subscriber has grows and as more data intensive content (e.g. video) becomes a greater fraction of the content accessed, this solution cannot adequately address the reduction in mobile cloud user experience.
One solution is so-called transparent Internet caching which is a common technology to speed up web site access and reduce network usage. This technology works well with static web pages but lacks support for dynamic, server side rendering of web pages. These dynamic web pages are getting more and more common. New protocols running over HTTP are also hard to cache, in many cases it is impossible.
HTTPS which is an abbreviation of Hypertext Transfer Protocol Secure is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically, it is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of a security protocol such as the SSL/TLS (secure sockets layer/transport layer security) protocol, thus in this case adding the security capabilities of SSL/TLS to standard HTTP communications.
The security of HTTPS is therefore depending on the underlying TLS, which uses long term public and secret keys to exchange a short term session key to encrypt the data flow between client and server.
TLS is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and a client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL) protocol. To guarantee that a user is authentic, so called X.509 certificates are used. As a consequence, certificate authorities and a public key infrastructure is necessary to verify the relation between the owner of a certificate and the certificate, as well as to generate, sign, and administer the validity of certificates.
In its popular deployment on the internet, HTTPS provides authentication of the web site and associated web server that one is communicating with, which protects against man-in-the-middle attacks. Additionally, it provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with and/or forging the contents of the communication. In practice, this provides a reasonable guarantee that one is communicating with precisely the web site that one intended to communicate with (as opposed to an imposter), as well as ensuring that the contents of communications between the user and site cannot be read or forged by any third party.
The above mentioned problem of cloud caching becomes very apparent when implementing HTTPS. Traditional caching will not work when HTTPS is enabled, the alternative is to cache the site/application further out in the network. This adds another problem with the encryption instead—in order for this to work, the secret encryption keys and certificates must be spread across all the caching nodes. US2009/0271613 A1 discloses a content-based load balancer where the load balancer moves a connection from the client in an up streamed direction towards a selected target stack. Hence, US2009/0271613 does not relate to a connection down streams as in the cloud caching situation.
Consequently, there is a need for solutions enabling cloud caching when using HTTPS which overcomes the above mentioned problems.
It is an object to provide a solution to the above described problems.
This and other objects are met by embodiments of the proposed technology.
According to a first aspect, there is provided a method in a primary network node for providing a web-service to clients, wherein the method comprises the steps of verifying a TCP (Transmission Control Protocol) session with a client node and generating TLS (Transport Layer Security) keys for the session, and temporarily suspending the TCP session, and controlling migrating the TCP session and the generated TLS keys for the client node to a secondary network node for resumption of the session with the client node.
According to a second aspect, there is provided a primary network node configured to providing a web-service to a client node, wherein the network node is configured to set up and verify TCP/TLS sessions with a client node, and wherein the network node is configured to temporarily suspend an ongoing and verified TCP session, and wherein the network node is configured to control migrating the temporarily suspended TCP session to a secondary network node with initially agreed TLS session keys.
The primary network node may also comprise a processor and a memory wherein said memory comprising instructions executable by the processor whereby the processor is operative to set up and verify TCP/TLS sessions with client nodes. Said processor is operative to temporarily suspend an ongoing and verified TCP session; and wherein said processor is operative to control migrating said temporarily suspended TCP session to a secondary network node with initially agreed TLS session keys.
According to a third aspect, there is provided a primary network node for providing a web-service to clients wherein the primary network node comprises a verification functional module for setting up a TCP/TLS session to verify a client node, and a temporarily suspension functional module for temporarily suspending the TCP session, and a migration control functional module for controlling migrating the temporarily suspended TCP session to a secondary network node with initially agreed TLS session keys.
According to a fourth aspect, there is provided a method in a secondary network node for providing a web-service to client nodes, wherein the method comprises the steps of receiving a migrated temporarily suspended TCP session and generated TLS keys for a session with a client node from a verified primary network node, and un-suspending the received migrated temporarily suspended TCP session, and resuming the TCP session with the client node.
According to a fifth aspect there is provided a secondary network node configured to provide a web-service to a client node, wherein the secondary network node is configured to receive a migrated temporarily suspended TCP session from a primary network node, the TCP session being verified with a client node with initially agreed TLS session keys, and wherein the secondary network node is configured to un-suspend the received migrated temporarily suspended TCP session, and wherein the secondary network node is configured to resume the TCP session with the client node with initially agreed TLS session keys.
According to a sixth aspect, there is provided a secondary network node for providing a web-service to a client node, wherein the secondary network node comprises a receiving functional module for receiving a migrated temporarily suspended TCP session verified with a client node with initially agreed TLS session keys, an un-suspending functional module for un-suspending the migrated temporarily suspended TCP session, and a resuming functional module for resuming the un-suspended TCP session with the client node with initially agreed TLS session keys.
According to a seventh aspect, there is provided a method in a client node for receiving a web-service from a primary network node, which method comprising the steps of verifying the primary network node to set up a TCP session and generate TLS keys, receiving an indication of a session migration of the TCP session from the primary network node to a secondary network node, and resuming the temporarily suspended TCP session with the secondary network node based on the received indication.
According to an eighth aspect, there is provided a client node configured to receive a web-service from a primary network node, wherein the client node is configured to verify TCP/TLS sessions with the network node, and wherein the client node is configured to receive an indication of a migrated temporarily suspended TCP session verified with TLS keys, and wherein the client node is configured to resume the temporarily suspended TCP session with a secondary network node based on the received indication.
According to a further aspect a client node is provided. The client node comprises a processor and a memory, wherein said memory comprises instructions executable by the processor. The processor is operative to set up and verify TCP/TLS sessions with a primary network node, wherein said processor is configured to resume a migrated temporarily suspended TCP session with a secondary network node with initially agreed TLS session keys.
According to a ninth aspect, there is provided a client node for receiving a web-service from a primary network node wherein the client node comprises a receiving functional module for verifying the primary network node to set up a TCP session and generate TLS keys, and a receiving functional module for receiving an indication of a session migration of the TCP session from the primary network node to a secondary network node, and a resuming functional module for resuming the migrated temporarily suspended TCP session with the secondary network node based on the received indication.
According to further aspects there are provided computer programs comprising instructions, which when executed by at least one processor, cause the processor(s) to perform the methods above and carriers comprising a respective computer program wherein the carrier is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.
Embodiments of the proposed technology enables/makes it possible to migrate authenticated TCP sessions and enable automatic cloud caching for HTTPS enabled communication systems.
Other advantages will be appreciated when reading the detailed description.
The embodiments, together with further objects and advantages thereof, may best be understood by making reference to the following description taken together with the accompanying drawings, in which:
Throughout the drawings, the same reference designations are used for similar or corresponding elements.
As mentioned previously, for regular HTTP, traffic passing multiple nodes can be locally stored or cached. However, for HTTPS this is not possible, since all communication takes place using authenticated TLS/TCP sessions, i.e. a TLS session on top of TCP (Transmission Control Protocol). In HTTPS all traffic is encrypted using a temporary key for each HTTP session. All traffic is thereby encrypted as it passes a managed session provider, and since the keys are changing it is not possible to determine whether the content can be cached or if the request content has been previously retrieved. For streamed web services this becomes particularly troublesome since each authentication handshake takes time and might interrupt communication or service provision of a streamed service. The inventors have identified the possibility to enable a primary network node or server or central site to migrate an already authenticated TLS/TCP session associated with a client node to another server or secondary node or clached (“cloud cache”—a combination of site caching and static content caching) slave site in the system. Thereby, the potential delay or interruption of a streamed service is reduced or eliminated whilst maintain a secure transfer of information. Instead of having to repeat a TLS authentication/handshake process, already agreed TLS session keys can be migrated to a new server or node, thereby speeding up the resumption of the service. In addition, this process can take place without the client being aware of it.
The reasons for migrating a session can be varying from case to case, and also from system to system. It can include factors such as congestion or load or load balancing in the system as a whole or in a particular node or layer, or could be based on a geographical location or other such parameter of the client node and/or the site itself.
The decision to migrate a session can be taken by the central site or primary network node or by a clached slave site or secondary network node. In addition, the migration can be of a complete site or for part of a site or application depending on the circumstances.
In short, the proposed technology introduces a new concept for session authentication with HTTPS/TLS. The idea is that an end user client access the main server initially that takes care of the TLS handshake/authentication and then migrates the live TCP session with the handshake TLS session keys to the slave node in the network. Thereby the proposed technology handles web site cloud caching automatically—it needs no special configuration to set up. This distributed site module is developed and owned by the origin site directly—it is a trusted extension of the origin site that is being executed inside the operator network. Consequently, the HTTPS/TLS extension according to the proposed technology adds centrally controlled secure encryption for cloud caching without distributing the HTTPS certificates.
The proposed technology provides a primary network node/server/centralsite configured to provide a service to authenticated client nodes, wherein the primary network node/server/central site is configured to temporarily suspend an ongoing and already authenticated/verified TCP session and migrate the TCP session together with agreed TLS keys or parameters to a slave site/secondary network node/clached slave site.
Further, the proposed technology provides a clache slave/slave/secondary network node configured to provide a service to authenticated client nodes, wherein the secondary network node/clache slave/slave is configured to receive a migrated temporarily suspended TCP session for a client node together with agreed TLS keys or parameters from a central site/server/primary network node and to un-suspend the TCP session and resume/establish the TCP session with the client node based on the already authenticated TLS keys or parameters.
The clache slave/slave/secondary network node can comprise a downsized or simplified or stripped version of the central site/primary network node, or correspond to a node with the same capabilities as the central site.
The proposed technology may be applied to a user terminal or a node, which may be a wired or wireless device.
The central site or primary network node can comprise a web server or a managed server provider (MSP) with extra capabilities to execute slave sites or clached sites typically virtual machines associated with a hypervisor.
The proposed technology is particularly useful in environments where authenticated TLS/TCP sessions are typically long and may need to be or may beneficially be moved out from a central site or provider and be relocated at a slave site which is e.g. geographically closer to an end user. One example could be an authenticated web-application such as Facebook or similar, where a central site can export a slave application to a slave site in order to e.g. redistribute load in the system. By using the proposed technology a user e.g. a Facebook client can authenticate (i.e. verify) its session at the central site and the session can be moved to a slave site and the client communicates with the slave site. The slave site in turn is configured to update content from other clients than the particular client via the central site, whereas the client can update her/his content via the slave site.
As used herein, the non-limiting terms “client node”, “User Equipment” and “wireless device” may refer to a mobile phone, a cellular phone, a Personal Digital Assistant, PDA, equipped with radio communication capabilities, a smart phone, a laptop or Personal Computer, PC, equipped with an internal or external mobile broadband modem, a tablet with radio communication capabilities, a target device, a device to device UE, a machine type UE or UE capable of machine to machine communication, iPAD, customer premises equipment, CPE, laptop embedded equipment, LEE, laptop mounted equipment, LME, USB dongle, a portable electronic radio communication device, a sensor device equipped with radio communication capabilities or the like. In particular, the term “UE” and the term “wireless device” should be interpreted as non-limiting terms comprising any type of wireless device communicating with a radio network node in a cellular or mobile communication system or any device equipped with radio circuitry for wireless communication according to any relevant standard for communication within a cellular or mobile communication system.
The term “wired device” may refer to any device configured or prepared for wired connection to a network. In particular, the wired device may be at least some of the above devices, with or without radio communication capability, when configured for wired connection.
As used herein, the non-limiting term “network node” may refer to servers, base stations, network control nodes such as network controllers, radio network controllers, base station controllers, and the like. In particular, the term “base station” may encompass different types of radio base stations including standardized base stations such as Node Bs, or evolved Node Bs, eNBs, and also macro/micro/pico radio base stations, home base stations, also known as femto base stations, relay nodes, repeaters, radio access points, base transceiver stations, BTSs, and even radio control nodes controlling one or more Remote Radio Units, RRUs, or the like.
Optionally, the wireless device, UE, network node may also include communication circuitry. The communication circuitry may include functions for wired and/or wireless communication with other devices and/or network nodes in the network. In a particular example, the wireless device, UE, network node may include radio circuitry for communication with one or more other nodes, including transmitting and/or receiving information. The communication circuitry may be interconnected to the processor and/or memory.
In the following description the terms central site and primary network node will be used in an interchangeable manner, also the terms slave site and secondary network node will be used in a likewise interchangeable manner. The respective nodes can comprise actual physical nodes, or represent virtual machines or instances implemented in a virtual environment. The functionality of the embodiments of the proposed technology enables transferring part of e.g. an application, or all of the functionality of the central site or primary network node to a clached slave or secondary node.
With reference to
In
In
Basically, normal TLS authentication is performed by a client node against central server where private certificate and keys are stored. The TLS session key(s) is negotiated between client node and server or primary network node and then the TCP-session is frozen or temporarily suspended. The frozen or temporarily suspended session is then migrated to the clache slave node or secondary network node and unfrozen or un-suspended again, where after normal TLS is continued—now between the client node and the clache slave node or secondary network node.
The term “freeze” or temporarily suspend can be interpreted as containing the followings steps. The central site or primary network node stops all communication for the authenticated TCP session and refrains from sending any further information to the TLS client node. All relevant information for the TCP session is stored on the LAN card and forwarded to the clached slave site or secondary network node. The clached slave site or secondary network node copies the information associated with the TCP and resumes the TCP/TLS session with the TLS client node. The interruption of the service to the client is very brief.
The respective central site and the slave site can comprise actual physical sites, or virtual sites in a cloud environment.
Typically, the central site 100 and the slave site 200 are both owned and controlled by the same operator, wherefore the operator can define how the communication between the central site 100 and the slave site 200 should be formatted or secured. According to a further embodiment the proposed technology could comprise a stand-alone module which can be acquired and implemented by an operator, whereby the framework of the functionality could be standardized but still tailored for each particular operator or web-application.
With reference to
With reference to
According to a particular embodiment, the secondary network node 200 provides, in step S25, an indication about an upcoming TCP session migration to the client node to enable the client node to switch from one port or connection to another to resume the TCP session but now with the secondary network node.
With reference to
It will be appreciated that the methods and devices described herein can be combined and re-arranged in a variety of ways.
With reference to
An embodiment of a central site or server or primary network node 100 is configured to providing a web-service to a client node 200, wherein the primary network node 100 is configured to set up and verify TLS/TCP sessions with the client node 300, and to temporarily suspend an ongoing and verified TCP session with the client node 300, and finally to control migrating the temporarily suspended TCP session to a secondary network node 200) with the initially agreed TLS session keys or parameters where it can then be resumed with the initially agreed TLS session keys or parameters. The functionality or part thereof can be implemented in a migration controller 121.
An embodiment of a slave site or secondary network node 200 is configured to provide a web-service to a client node 300, wherein the secondary network node 200 is configured to receive a migrated temporarily suspended TCP session from a primary network node 100 with initially agreed TLS session keys or parameters, which TCP session has already been authenticated or verified with the client node 300. Further, the secondary network node 200 is configured to un-suspend the received migrated temporarily suspended TCP session, and resume the TCP session with the client node with the initially agreed TLS session keys or parameters. The functionality or part thereof can be implemented in a session resumer 221.
An embodiment of a client node 300 configured to receive a web-service from a primary network node 100, wherein the client node 300 is configured to verify and authenticate TCP/TLS sessions with the network node 100. Further, the client node 300 is configured to receive an indication of a migrated temporarily suspended and verified TCP/TLS session, i.e. the TCP session and the associated TLS keys or parameters, and to resume the temporarily suspended TCP session with a secondary network node 200 based on the received indication. The functionality or part thereof can be implemented in an indication manager 321.
For example, embodiments may be implemented in hardware, or in software for execution by suitable processing circuitry, or a combination thereof.
The steps, functions, procedures, modules and/or blocks described herein may be implemented in hardware using any conventional technology, such as discrete circuit or integrated circuit technology, including both general-purpose electronic circuitry and application-specific circuitry.
Particular examples include one or more suitably configured digital signal processors and other known electronic circuits, e.g. discrete logic gates interconnected to perform a specialized function, or Application Specific Integrated Circuits (ASICs).
Alternatively, at least some of the steps, functions, procedures, modules and/or blocks described herein may be implemented in software such as a computer program for execution by suitable processing circuitry such as one or more processors or processing units.
Examples of processing circuitry includes, but is not limited to, one or more microprocessors, one or more Digital Signal Processors (DSPs), one or more Central Processing Units (CPUs), video acceleration hardware, and/or any suitable programmable logic circuitry such as one or more Field Programmable Gate Arrays (FPGAs), or one or more Programmable Logic Controllers (PLCs).
It should also be understood that it may be possible to re-use the general processing capabilities of any conventional device or unit in which the proposed technology is implemented. It may also be possible to re-use existing software, e.g. by reprogramming of the existing software or by adding new software components.
In a particular example, with reference to
In another particular example, with reference to
In a further particular example, with reference to
Accordingly, with reference to
According to a particular embodiment, the primary network node 100 comprises communication circuitry 110 configured to migrate the temporarily suspended TCP session, i.e. the TCP session with initially agreed TLS session keys or parameters to a secondary network node 200.
The secondary network node 200, with reference to
With reference to
According to a particular embodiment, the client node 300 comprises communication circuitry 310 configured to receive the indication from the secondary network node.
In this particular example, with reference to
The term ‘processor’ should be interpreted in a general sense as any system or device capable of executing program code or computer program instructions to perform a particular processing, determining or computing task.
The processing circuitry including one or more processors is thus configured to perform, when executing the computer program, well-defined processing tasks such as those described herein.
The processing circuitry does not have to be dedicated to only execute the above-described steps, functions, procedure and/or blocks, but may also execute other tasks.
In a particular embodiment, with reference to
In another particular embodiment, with reference to
In another particular embodiment, with reference to
The proposed technology also provides a carrier comprising the computer program, wherein the carrier is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.
By way of example, the software or computer program may be realized as a computer program product, which is normally carried or stored on a computer-readable medium, in particular a non-volatile medium. The computer-readable medium may include one or more removable or non-removable memory devices including, but not limited to a Read-Only Memory (ROM), a Random Access Memory (RAM), a Compact Disc (CD), a Digital Versatile Disc (DVD), a Blu-ray disc, a Universal Serial Bus (USB) memory, a Hard Disk Drive (HDD) storage device, a flash memory, a magnetic tape, or any other conventional memory device. The computer program may thus be loaded into the operating memory of a computer or equivalent processing device for execution by the processing circuitry thereof.
The flow diagram or diagrams presented herein may therefore be regarded as a computer flow diagram or diagrams, when performed by one or more processors. A corresponding primary network node 100 and secondary network node 200 and client node 300 may each be defined as a group of function modules, where each step performed by the processor corresponds to a function module. In this case, the function modules are implemented as a computer program running on the processor. Hence, the primary network node 100 and secondary network node 200 and client node 300 may alternatively be defined as a group of function modules, where the function modules are implemented as a computer program running on at least one processor.
The computer program residing in memory may thus be organized as appropriate function modules configured to perform, when executed by the processor, at least part of the steps and/or tasks described herein. An example of such function modules is illustrated in
With reference to
With reference to
With reference to
By utilizing the teachings of the proposed technology it is possible for a server to migrate an authenticated or verified TCP session with a client node to a slave site without necessitating a new authentication or verification process between the slave site and the client node. This enables cloud caching also for a HTTPS/TLS enabled communication system.
The embodiments described above are merely given as examples, and it should be understood that the proposed technology is not limited thereto. It will be understood by those skilled in the art that various modifications, combinations and changes may be made to the embodiments without departing from the present scope as defined by the appended claims. In particular, different part solutions in the different embodiments can be combined in other configurations, where technically possible.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/SE2015/050339 | 3/23/2015 | WO | 00 |
Number | Date | Country | |
---|---|---|---|
62003667 | May 2014 | US |