公开(公告)号：US20190140843A1

公开(公告)日：2019-05-09

申请号：US16019109

申请日：2018-06-26

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L9/32 ,  H04L29/06 ,  H04L9/08 ,  G06F21/33 ,  H04L9/30 ,  H04L9/14 ,  H04L29/08

CPC classification number: H04L9/3263 ,  G06F21/33 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/0844 ,  H04L9/14 ,  H04L9/3013 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/0485 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/164 ,  H04L63/166 ,  H04L63/205 ,  H04L67/141 ,  H04L67/42

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US10097511B2

公开(公告)日：2018-10-09

申请号：US14978209

申请日：2015-12-22

Applicant: CLOUDFLARE, INC.

Inventor： Nicholas Thomas Sullivan

IPC: H04L29/12 ,  H04L29/08

Abstract: Methods and apparatuses for identifying a domain of a command and control server of a botnet are described. Upon receipt of a request to register a domain for a service that includes a proxy server, where the proxy server is to receive and process traffic for that domain if registration is successful, a determination of whether the domain was generated by a domain generation algorithm (DGA) is performed. Responsive to determining that the domain was generated by the DGA, performing at least one of: denying registration of the domain for the service, and accepting registration of the domain for the service and causing the proxy server to monitor communications received to and from the domain

公开(公告)号：US10033529B2

公开(公告)日：2018-07-24

申请号：US15202371

申请日：2016-07-05

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  H04L9/14 ,  H04L9/30

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US09385864B2

公开(公告)日：2016-07-05

申请号：US14630585

申请日：2015-02-24

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32

CPC classification number: H04L9/0844 ,  H04L9/14 ,  H04L9/30 ,  H04L9/321 ,  H04L9/3263 ,  H04L9/3268 ,  H04L63/061 ,  H04L63/166

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US20160182517A1

公开(公告)日：2016-06-23

申请号：US14578223

申请日：2014-12-19

Applicant: CloudFlare, Inc.

Inventor： Nicholas Thomas Sullivan ,  Zi Lin ,  Rajeev Devendra Sharma

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/14 ,  G06F17/30

CPC classification number: H04L63/0435 ,  G06F17/3089 ,  H04L9/0819 ,  H04L9/14 ,  H04L63/0281 ,  H04L63/061 ,  H04L63/10 ,  H04L63/168 ,  H04L67/2842 ,  H04L2209/24

Abstract: A request for a web page is received and the requested web page is retrieved. The web page is modified to obfuscate a set of form attribute values into a corresponding set of obfuscated form attribute values. The modified web page is transmitted to the requesting device. The modified web page does not include the set of form attribute values in their original form. Form data for the set of obfuscated form attribute values is received from the requesting device. The set of obfuscated form attribute values is deobfuscated thereby revealing the original set of form attribute values. The form data for the set of original form attribute values is further processed.

Abstract translation: 接收到对网页的请求，并且检索所请求的网页。 修改网页以将一组表单属性值混淆到相应的一组混淆形式属性值中。 被修改的网页被发送到请求设备。 修改后的网页不包含其原始形式的表单属性值集合。 从请求设备接收到用于一组混淆形式属性值的表单数据。 混淆形式属性值的集合被反混淆，从而揭示原始的表单属性值集合。 进一步处理原始表单属性值集合的表单数据。

公开(公告)号：US20160080337A1

公开(公告)日：2016-03-17

申请号：US14937805

申请日：2015-11-10

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06

CPC classification number: H04L63/061 ,  G06F21/33 ,  H04L9/0844 ,  H04L9/085 ,  H04L63/0442 ,  H04L63/045 ,  H04L63/0869 ,  H04L63/16 ,  H04L63/164 ,  H04L63/166 ,  H04L63/168

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret and session keys for the secure session. The different server decrypts the encrypted premaster secret, generates the master secret, and generates session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server and transmits those session keys to that server.

公开(公告)号：US20160013935A1

公开(公告)日：2016-01-14

申请号：US14630585

申请日：2015-02-24

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L9/08 ,  H04L9/32 ,  H04L29/06

CPC classification number: H04L9/0844 ,  H04L9/14 ,  H04L9/30 ,  H04L9/321 ,  H04L9/3263 ,  H04L9/3268 ,  H04L63/061 ,  H04L63/166

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.

Abstract translation: 服务器与客户端设备建立安全会话，其中在建立安全会话时用于握手的私钥被存储在不同的服务器中。 在握手过程中，服务器向不同的服务器代理消息，包括使用不同服务器上的私钥签名的一组签名的加密参数。 不同的服务器生成主密钥，并生成并发送会话密钥到要在安全会话中使用的服务器，以加密和解密客户端设备和服务器之间的通信。

公开(公告)号：US12206789B2

公开(公告)日：2025-01-21

申请号：US17217703

申请日：2021-03-30

Applicant: CLOUDFLARE, INC.

Inventor： Watson Bernard Ladd ,  Alexander Andrew Davidson ,  Marwan Fayed ,  Armando Faz Hernández ,  Sai Krishna Deepak Maram ,  Nicholas Thomas Sullivan

IPC: H04L9/32 ,  G06F21/32 ,  H04L9/14

Abstract: A client device receives a challenge request from a server to prove that internet traffic was initiated by a human user through verifying a physical interaction between a human user and a hardware component. The client device causes a prompt to be displayed to perform the physical interaction with the hardware component. A cryptographic attestation is received that includes an attestation signature that is generated after confirmation that the physical interaction was performed with the hardware component. A zero-knowledge proof of the attestation signature is generated and transmitted to the server for verification. The client device receives the requested content responsive to the server verifying the validity of the zero-knowledge proof.

公开(公告)号：US10938554B2

公开(公告)日：2021-03-02

申请号：US16241888

申请日：2019-01-07

Applicant: Cloudflare, Inc.

Inventor： Nicholas Thomas Sullivan ,  Brendan Scott McMillion

IPC: H04L9/08 ,  H04L9/14

Abstract: Managing private key access in multiple nodes is described. A piece of data (e.g., a private key) is encrypted using identity-based broadcast encryption and identity-based revocation encryption so that only certain servers in a distributed network of servers can decrypt the piece of data. The piece of data is encrypted with a key encryption key (KEK). The KEK is split into two pieces. The first piece is encrypted using identity-based broadcast encryption with a first set of identities as input such that only servers of the first set of identities can decrypt the first piece, and the second piece is encrypted using identity-based revocation encryption so that all servers except those that have the second set of identities can decrypt the second piece. The keys are transmitted to the servers.

公开(公告)号：US10893031B2

公开(公告)日：2021-01-12

申请号：US16422947

申请日：2019-05-24

Applicant: CLOUDFLARE, INC.

Inventor： Nicholas Thomas Sullivan ,  Lee Hahn Holloway ,  Piotr Sikora ,  Ryan Lackey ,  John Graham-Cumming ,  Dane Orion Knecht ,  Patrick Donahue ,  Zi Lin

IPC: H04L29/06 ,  H04L9/32 ,  G06F21/33

Abstract: A server receives a request from a client to establish a secure session. The server analyzes the request to determine a set of one or more properties of the request. The server selects, based at least in part on the determined set of properties, one of multiple certificates for a hostname of the server, where each of the certificates is signed using a different signature and hash algorithm pair. The server returns the selected certificate to the client.