Technical Field
This application relates generally to secure network-based communications using cryptographic protocols such as SSL.
Brief Description of the Related Art
Distributed computer systems are well-known in the prior art. One such distributed computer system is a “content delivery network” or “CDN” that is operated and managed by a service provider. The service provider typically provides the content delivery service on behalf of third parties (customers) who use the service provider's infrastructure. A distributed system of this type typically refers to a collection of autonomous computers linked by a network or networks, together with the software, systems, protocols and techniques designed to facilitate various services, such as content delivery, web application acceleration, or other support of outsourced origin site infrastructure. A CDN service provider typically provides service delivery through digital properties (such as a website), which are provisioned in a customer portal and then deployed to the network. A digital property typically is bound to one or more edge configurations that allow the service provider to account for traffic and bill its customer.
Secure Sockets Layer (SSL) is a well-known cryptographic protocol that is used to secure communications over networks such as the Internet. Cryptographic protocols such as SSL are often based on public key cryptographic systems, such as the RSA (Rivest, Shamir and Adleman) encryption algorithm. For a traditional RSA-based SSL session, the two sides of a connection agree upon a “pre-master secret” (PMS) which is used to generate the parameters for the remainder of the session. Typically, the two sides use RSA asymmetric encryption to establish the pre-master secret without exchanging the actual value in plaintext. In operation, the SSL client generates the pre-master secret and encrypts it with the SSL server's publicly available RSA key. This generates an encrypted pre-master secret (ePMS), which is then provided to the SSL server. The SSL server has a private decryption key, which is then used to decrypt the encrypted pre-master secret. At this point, both the client and the server have the original pre-master secret and can use it to generate the symmetric key used for actual encrypted and secure data exchange.
Decrypting the encrypted pre-master secret is the only time in the SSL connection that the private key is needed. This decryption occurs at a so-called SSL termination point. In many instances, the SSL termination point is insecure, and thus the storage and use of that key there presents significant security risks.
An Internet infrastructure delivery platform (e.g., operated by a service provider) provides an RSA proxy “service” as an enhancement to the Secure Sockets Layer (“SSL”) protocol that off-loads the decryption of the encrypted pre-master secret (ePMS) to an external server. Using this service, instead of decrypting the ePMS “locally,” the SSL server proxies (forwards) the ePMS to an RSA (Rivest-Shamir-Adleman) proxy server component and receives, in response, the decrypted pre-master secret. In this manner, the decryption key does not need to be stored in association with the SSL server.
In one system embodiment, at least one machine in a first network-accessible location includes an RSA proxy server software program, and at least one machine in a second network-accessible location includes an RSA proxy client software program. The RSA proxy server software program and the RSA proxy client software program each include code to establish and maintain a secure (e.g., a mutually-authenticated SSL) connection therebetween. The RSA proxy client software typically executes in association with an SSL server component (such as OpenSSL). According to this disclosure, however, SSL decryption keys are not accessible to the RSA proxy client software. Rather, decryption of encrypted pre-master secrets is off-loaded to the RSA proxy server software program. In operation, the RSA proxy client software program receives and forwards to the RSA proxy server software program over the mutually-authenticated SSL connection an encrypted pre-master secret associated with a new SSL handshake request received (at the RSA proxy client) from an end user client program (e.g., an SSL-enabled web browser, a native mobile app, or the like). The RSA proxy server software program decrypts the encrypted pre-master secret using a decryption key that is maintained at the RSA proxy server software program and not otherwise accessible to the RSA proxy client software program. The RSA proxy server software program then returns a decrypted pre-master secret to the RSA proxy client software program over the mutually-authenticated SSL connection. The end user client program and the SSL server component both are then in possession of the pre-master secret (and can use it to generate the symmetric key used for encrypting the connection between them).
Although not meant to be limiting, the first network-accessible location is a data center associated with an entity, and the second network-accessible location is a physical location remote from the first network-accessible location. As between the two locations, the data center (at which the RSA proxy server component executes) is more secure.
The foregoing has outlined some of the more pertinent features of the invention. These features should be construed to be merely illustrative. Many other beneficial results can be attained by applying the disclosed invention in a different manner or by modifying the invention as will be described.
For a more complete understanding of the present invention and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
In a known system, such as shown in
As illustrated in
A CDN edge server is configured to provide one or more extended content delivery features, preferably on a domain-specific, customer-specific basis, preferably using configuration files that are distributed to the edge servers using a configuration system. A given configuration file preferably is XML-based and includes a set of content handling rules and directives that facilitate one or more advanced content handling features. The configuration file may be delivered to the CDN edge server via the data transport mechanism. U.S. Pat. No. 7,111,057 illustrates a useful infrastructure for delivering and managing edge server content control information, and this and other edge server control information can be provisioned by the CDN service provider itself, or (via an extranet or the like) the content provider customer who operates the origin server.
The CDN may include a storage subsystem, such as described in U.S. Pat. No. 7,472,178, the disclosure of which is incorporated herein by reference.
The CDN may operate a server cache hierarchy to provide intermediate caching of customer content; one such cache hierarchy subsystem is described in U.S. Pat. No. 7,376,716, the disclosure of which is incorporated herein by reference.
The CDN may provide secure content delivery among a client browser, edge server and customer origin server in the manner described in U.S. Publication No. 20040093419. Secure content delivery as described therein enforces SSL-based links between the client and the edge server process, on the one hand, and between the edge server process and an origin server process, on the other hand. This enables an SSL-protected web page and/or components thereof to be delivered via the edge server.
As an overlay, the CDN resources may be used to facilitate wide area network (WAN) acceleration services between enterprise data centers (which may be privately-managed) and third party software-as-a-service (SaaS) providers.
In a typical operation, a content provider identifies a content provider domain or sub-domain that it desires to have served by the CDN. The CDN service provider associates (e.g., via a canonical name, or CNAME) the content provider domain with an edge network (CDN) hostname, and the CDN provider then provides that edge network hostname to the content provider. When a DNS query to the content provider domain or sub-domain is received at the content provider's domain name servers, those servers respond by returning the edge network hostname. The edge network hostname points to the CDN, and that edge network hostname is then resolved through the CDN name service. To that end, the CDN name service returns one or more IP addresses. The requesting client browser then makes a content request (e.g., via HTTP or HTTPS) to an edge server associated with the IP address. The request includes a host header that includes the original content provider domain or sub-domain. Upon receipt of the request with the host header, the edge server checks its configuration file to determine whether the content domain or sub-domain requested is actually being handled by the CDN. If so, the edge server applies its content handling rules and directives for that domain or sub-domain as specified in the configuration. These content handling rules and directives may be located within an XML-based “metadata” configuration file.
By way of further background, CDN customers may subscribe to a “behind the firewall” managed service product to accelerate Intranet web applications that are hosted behind the customer's enterprise firewall, as well as to accelerate web applications that bridge between their users behind the firewall to an application hosted in the internet cloud. To accomplish these two use cases, CDN software may execute on virtual machines hosted in one or more customer data centers, and on virtual machines hosted in remote “branch offices.” The CDN software executing in the customer data center typically provides service configuration, service management, service reporting, remote management access, customer SSL certificate management, as well as other functions for configured web applications. The software executing in the branch offices provides last mile web acceleration for users located there. The CDN itself typically provides CDN hardware hosted in CDN data centers to provide a gateway between the nodes running behind the customer firewall and the service provider's other infrastructure (e.g., network and operations facilities). This type of managed solution provides an enterprise with the opportunity to take advantage of CDN technologies with respect to their company's intranet.
For the behind-the-firewall (BTF) service to properly accelerate SSL traffic, it needs the SSL keys and certificates on the end nodes. As described above, SSL uses a one-time RSA decryption to establish a private pre-master secret between the client and server. According to this disclosure, this RSA decryption is off-loaded to a secure end node or other service which contains the private key, while the rest of the handshake and SSL connection continue as normal. This process is now described.
Terminating SSL Connections without Locally-Accessible Private Keys
With the above as background, the subject matter of this disclosure is now described. Familiarity with SSL handshaking is presumed.
According to this disclosure, the conventional SSL handshake and, in particular, the decryption of the encrypted pre-master secret, occurs externally to (i.e., remotely from) the normal SSL termination point (the SSL server). As illustrated in
Preferably, the client component 402 and the server component 404 of the proxy server are based on RSA encryption; thus, these components are sometimes referred to herein as components of an RSA proxy. The forwarding of the encrypted pre-master secret (from the client component to the server component) is sometimes referred to herein as an RSA proxy request. While RSA is a preferred algorithm, other asymmetric encryption algorithms may be used as well.
Referring now back to
As shown in
During the handshake, the module terminates the SSL connection and sends a ServerCertificate to the requesting client with the cert from the learning table. When the ClientKeyExchange message and ePMS are received, the module sends the RSA proxy request to the correct data center. According to this disclosure, and as noted above, the RSA proxy request and response are handled by the server component of the RSA proxy server 404, which sends and receives the data over the mutually-authenticated SSL connection. If the server component 404 of the RSA proxy server returns a failure or times out, the SSL module (the client component 402) terminates the client connection and the handshake does not succeed.
Without limitation, the SSL module is implemented as an SSL protocol terminator. In one embodiment, it is program code built on top of standard OpenSSL.
The RSA proxy client component (the SSL module in the branch office) uses a message interface to send the RSA proxy request and response over the mutually-authenticated SSL connection. Preferably, the RSA client request is a packet that includes the following information fields: {ePMS length, ePMS, hash of a server certificate}. The response packet returned from the RSA proxy server component (the SSL module in the data center) has the following information fields: {status, decrypted PMS length, decrypted pre-master secret}.
An embodiment of the RSA proxy server component executing at the data center facility is now described. As noted, its basic operation is to receive unencrypted packets containing the request specified above and to respond with the defined response packet. Preferably, the RSA proxy server maintains a least-recently-used (LRU) cache of ePMS values. Before performing a decryption, the module checks the cache to see if the requested ePMS has been seen. This check may be performed using a hash lookup scheme. If the hash of the encrypted pre-master secret already exists in the cache, a bad status is returned to the RSA proxy client component (and an error or alert is generated for the administrator). Preferably, the server component of the RSA proxy server rate limits requests to prevent a compromised machine from using a flush attack to remove a previously decrypted secret. Preferably, the server component of the RSA proxy server also maintains a table of the certificate and keypairs for which it can act as a proxy. Using this table (which also may be implemented as a hash table) enables the proxy server to efficiently look up server keypairs (e.g., by the hash of the certificate which is sent by the client component). Once the server component of the RSA proxy server has verified the ePMS is new, it adds it to the cache, looks up the server private key in its table, decrypts the ePMS, and sends the response.
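The request/response exchange of the two preceding paragraphs, worked as an added example (not code from the patent): the branch-office client builds the {ePMS length, ePMS, hash of certificate} request, and the data-center server component checks its rate limit, its LRU cache of seen ePMS hashes and its certificate-to-keypair table before decrypting and answering with {status, PMS length, PMS}. The RSA keypair is a constructed toy (raw textbook RSA on two Mersenne primes, no padding) standing in for the real server key; SHA-256 as the hash, the field widths and the status codes are assumptions, since the text names the fields but not their encoding.

```python
import hashlib
import struct
from collections import OrderedDict

# Constructed toy RSA keypair: p = 2^61-1, q = 2^31-1 (Mersenne primes), e = 65537.
P, Q, E = (1 << 61) - 1, (1 << 31) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent; lives only on the proxy server
PMS_LEN = 8                           # toy pre-master secret size (TLS uses 48 bytes)

# Assumed status codes for the response's 'status' field (the text does not fix them).
OK, REPLAY, UNKNOWN_CERT, RATE_LIMITED, BAD_REQUEST = 0, 1, 2, 3, 4


def cert_hash(cert: bytes) -> bytes:
    """Assumed certificate identifier: SHA-256 of the certificate bytes."""
    return hashlib.sha256(cert).digest()


def rsa_encrypt(pms: bytes) -> bytes:
    """End-user client side: ePMS = pms^E mod N (raw textbook RSA, toy only)."""
    assert len(pms) == PMS_LEN
    return pow(int.from_bytes(pms, "big"), E, N).to_bytes(12, "big")


def build_request(epms: bytes, cert: bytes) -> bytes:
    """RSA proxy client (branch-office SSL module): {ePMS length, ePMS, hash of cert}."""
    return struct.pack(">H", len(epms)) + epms + cert_hash(cert)


def parse_response(pkt: bytes):
    """RSA proxy client: {status, decrypted PMS length, decrypted PMS}."""
    status, length = struct.unpack(">BH", pkt[:3])
    return status, pkt[3:3 + length]


class RsaProxyServer:
    """Data-center component: holds the private keys the branch box never sees."""

    def __init__(self, keypairs, cache_size=1024, max_per_window=100, window=1.0):
        self.keypairs = keypairs          # table: cert_hash(certificate) -> private exponent
        self.seen = OrderedDict()         # LRU cache of SHA-256(ePMS), for replay detection
        self.cache_size = cache_size
        self.max_per_window, self.window = max_per_window, window
        self.window_start, self.count = 0.0, 0

    def _rate_limited(self, now: float) -> bool:
        """Fixed-window limit so a compromised client cannot flush the LRU cache."""
        if now - self.window_start >= self.window:
            self.window_start, self.count = now, 0
        self.count += 1
        return self.count > self.max_per_window

    def handle(self, pkt: bytes, now: float) -> bytes:
        if self._rate_limited(now):
            return struct.pack(">BH", RATE_LIMITED, 0)
        if len(pkt) < 2 or len(pkt) != 2 + struct.unpack(">H", pkt[:2])[0] + 32:
            return struct.pack(">BH", BAD_REQUEST, 0)
        length = struct.unpack(">H", pkt[:2])[0]
        epms, cert_id = pkt[2:2 + length], pkt[2 + length:]
        key = hashlib.sha256(epms).digest()
        if key in self.seen:              # ePMS already seen: refuse, and alert the admin
            return struct.pack(">BH", REPLAY, 0)
        d = self.keypairs.get(cert_id)
        if d is None:                     # not a certificate this proxy serves
            return struct.pack(">BH", UNKNOWN_CERT, 0)
        self.seen[key] = True             # record it before decrypting
        if len(self.seen) > self.cache_size:
            self.seen.popitem(last=False) # evict the least recently used entry
        m = pow(int.from_bytes(epms, "big"), d, N)
        if m.bit_length() > 8 * PMS_LEN:  # garbage ciphertext: nothing sensible to return
            return struct.pack(">BH", BAD_REQUEST, 0)
        pms = m.to_bytes(PMS_LEN, "big")
        return struct.pack(">BH", OK, len(pms)) + pms
```

A second request carrying an ePMS the server has already decrypted is answered with a bad status rather than a secret, which is what denies a compromised branch box the ability to recover earlier sessions.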
The technique described herein has many advantages. The primary advantage is that SSL private keys are not stored on the SSL server. In a distributed solution such as described above, this means that the private keys are not stored in the branch office box that is terminating SSL, but instead at the data center box that is hosting the server component of the RSA proxy server. With replay protection implemented, an attacker cannot use a compromised SSL server to decrypt previous SSL transactions. On a normal SSL server, if the key is compromised, other technologies (such as certificate revocation lists or OCSP at the client browser) must be used to prevent use of the stolen SSL key. With RSA proxy, the service provider only needs to make a configuration change in the RSA proxy server. Using this distributed approach, the computationally-expensive part of the SSL transaction, the RSA decryption, can be done on a machine with custom hardware in the data center.
If a web proxy node (at a branch office) is discovered to be compromised, the administrator simply needs to remove authenticated credentials for the compromised node. For standard SSL, the revocation would need to be done on each end user system, which may be more difficult to administer. Additionally, key rotation only needs to occur on the RSA proxy machine, rather than all the web proxy machines, as would be required with standard SSL.
The behind-the-firewall embodiment is not intended to limit this disclosure. The RSA proxy approach may be used whenever an enterprise uses CDN technologies (such as described above) over Internet links as an optimized WAN connecting branches, data center, teleworkers and mobile users to applications over the Internet. Still more generally, the approach may be used whenever one party (the client) wishes to encrypt communications via RSA-based SSL with another party (the server) and the server is not trusted to store the RSA private key directly.
In a representative implementation, the RSA proxy is implemented in software, as computer program instructions executed by a processor.
More generally, the techniques described herein are provided using a set of one or more computing-related entities (systems, machines, processes, programs, libraries, functions, or the like) that together facilitate or provide the functionality described above. In a typical implementation, a representative machine on which the software executes comprises commodity hardware, an operating system, an application runtime environment, and a set of applications or processes and associated data, that provide the functionality of a given system or subsystem. As described, the functionality may be implemented in a standalone machine, or across a distributed set of machines. The functionality may be provided as a service, e.g., as a SaaS solution.
While the above describes a particular order of operations performed by certain embodiments of the invention, it should be understood that such order is exemplary, as alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, or the like. References in the specification to a given embodiment indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic.
While the disclosed subject matter has been described in the context of a method or process, the subject disclosure also relates to apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including an optical disk, a CD-ROM, and a magneto-optical disk, a read-only memory (ROM), a random access memory (RAM), a magnetic or optical card, or any type of media suitable for storing electronic instructions, and each coupled to a computer system bus.
While given components of the system have been described separately, one of ordinary skill will appreciate that some of the functions may be combined or shared in given instructions, program sequences, code portions, and the like.
Preferably, the functionality is implemented in an application layer solution, although this is not a limitation, as portions of the identified functions may be built into an operating system or the like.
The functionality may be implemented with other application layer protocols besides HTTPS, such as SSL VPN, or any other protocol having similar operating characteristics.
There is no limitation on the type of computing entity that may implement the client-side or server-side of the connection. Any computing entity (system, machine, device, program, process, utility, or the like) may act as the client or the server.
While the techniques herein are described in the context of an RSA proxy for use in an SSL communication, this is not a limitation. Moreover, the scheme may be implemented in other transport protocols (such as TLS) that are protected by cryptographic techniques. More generally, the techniques herein may be used in any context in which secret data needs to be exchanged from one peer to another using asymmetric cryptography and wherein the receiving peer is not trusted to have the private key.
This application is based on and claims priority to Ser. No. 61/554,571, filed Dec. 16, 2011.
Number | Name | Date | Kind |
---|---|---|---|
6094485 | Weinstein | Jul 2000 | A |
6108703 | Leighton et al. | Aug 2000 | A |
7111057 | Sherman et al. | Sep 2006 | B1 |
7240100 | Wein et al. | Jul 2007 | B1 |
7254634 | Davis et al. | Aug 2007 | B1 |
7293093 | Leighton et al. | Nov 2007 | B2 |
7340532 | Swildens | Mar 2008 | B2 |
7376716 | Dilley et al. | May 2008 | B2 |
7472178 | Lisiecki et al. | Dec 2008 | B2 |
7870380 | VanHeyningen et al. | Jan 2011 | B2 |
7966646 | Chou et al. | Jun 2011 | B2 |
8131835 | Davis et al. | Mar 2012 | B2 |
8484361 | Hawthorne | Jul 2013 | B1 |
8782774 | Pahl et al. | Jul 2014 | B1 |
20020178381 | Lee et al. | Nov 2002 | A1 |
20030233539 | Tardo et al. | Dec 2003 | A1 |
20040093419 | Weihl et al. | May 2004 | A1 |
20040161110 | Kanai et al. | Aug 2004 | A1 |
20060064750 | Kersey et al. | Mar 2006 | A1 |
20060095969 | Portolani et al. | May 2006 | A1 |
20060098215 | Enokida | May 2006 | A1 |
20060101510 | Kadyk et al. | May 2006 | A1 |
20070074282 | Black | Mar 2007 | A1 |
20070101130 | Tardo | May 2007 | A1 |
20080022085 | Hiltgen | Jan 2008 | A1 |
20080046714 | Suganthi et al. | Feb 2008 | A1 |
20080052770 | Ali et al. | Feb 2008 | A1 |
20080098215 | Belgaied et al. | Apr 2008 | A1 |
20080216150 | Brabson | Sep 2008 | A1 |
20080307219 | Karandikar | Dec 2008 | A1 |
20080320297 | Sabo et al. | Dec 2008 | A1 |
20090220080 | Herne | Sep 2009 | A1 |
20100005290 | Urien et al. | Jan 2010 | A1 |
20100031016 | Nawate et al. | Feb 2010 | A1 |
20100031337 | Black et al. | Feb 2010 | A1 |
20100153838 | Arnold et al. | Jun 2010 | A1 |
20100299525 | Shah et al. | Nov 2010 | A1 |
20110231652 | Bollay et al. | Sep 2011 | A1 |
20110231655 | Bollay | Sep 2011 | A1 |
20110264905 | Ovsiannikov | Oct 2011 | A1 |
20120117375 | Kanekar | May 2012 | A1 |
20120182884 | Pyatkovskiy et al. | Jul 2012 | A1 |
20120265991 | Kanekar | Oct 2012 | A1 |
20130145146 | Suganthi | Jun 2013 | A1 |
20140244998 | Amenedo | Aug 2014 | A1 |
Number | Date | Country |
---|---|---|
1113617 | Jul 2001 | EP |
2000312203 | Nov 2000 | JP |
2004206573 | Jul 2004 | JP |
2009206568 | Sep 2009 | JP |
2006046289 | May 2006 | WO |
WO2007078329 | Jul 2007 | WO |
2007134082 | Nov 2007 | WO |
Entry |
---|
Huang et al, Proxy-based TCP-friendly Streaming Over Mobile Networks, 2002, ACM, pp. 17-24. |
Saima et al, Staggered-TCP for Parallel Split-Sessions Across Multiple Proxies Heterogeneous Networks, 2010, IEEE, pp. 1-6. |
Chen et al, Characterizing Roles of Front-End Servers in End-to-End Performance of Dynamic Content Distribution, ACM, Nov. 4, 2011, pp. 559-567. |
Yan et al, Network Mobility Support in PMIPv6 Network, ACM, Jul. 2, 2010, pp. 890-894. |
PCT/US2012/070005, International Search Report, mailed Apr. 12, 2013. |
PCT/US2012/070005, Written Opinion, mailed Apr. 12, 2013. |
Australian Patent Application 2012351909, Patent Examination Report No. 1 mailed on Feb. 2, 2016, 3 pages. |
Chinese Application No. 201280068340.7, 1st Office Action mailed on Jul. 4, 2016, 21 pages. |
EU Application No. 12856897.9, Extended European Search Report, mailed on Jun. 30, 2015, 6 pages. |
Japanese Application No. 2014-547546, First Office Action received, Aug. 18, 2016, 18 pages including English translation. |
Number | Date | Country |
---|---|---|
20130156189 A1 | Jun 2013 | US |
Number | Date | Country |
---|---|---|
61576378 | Dec 2011 | US |