公开(公告)号：US20150288514A1

公开(公告)日：2015-10-08

申请号：US14248254

申请日：2014-04-08

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L9/08

CPC classification number: H04L63/061 ,  G06F21/33 ,  H04L9/0844 ,  H04L9/085 ,  H04L63/0442 ,  H04L63/045 ,  H04L63/0869 ,  H04L63/16 ,  H04L63/164 ,  H04L63/166 ,  H04L63/168

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret and session keys for the secure session. The different server decrypts the encrypted premaster secret, generates the master secret, and generates session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server and transmits those session keys to that server.

Abstract translation: 服务器与客户端设备建立安全会话，其中在建立安全会话时在握手中使用的私钥被存储在不同的服务器中。 在握手过程中，服务器接收使用与客户端设备尝试建立安全会话的域绑定的公共密钥进行加密的预安全秘密。 服务器将加密的前提密码传送到不同的服务器以进行解密以及计算安全会话的主密钥和会话密钥所需的其他信息。 不同的服务器解密加密的前提秘密，生成主密钥，并生成在安全会话中使用的会话密钥，用于加密和解密客户端设备与服务器之间的通信，并将这些会话密钥发送到该服务器。

公开(公告)号：US11991157B2

公开(公告)日：2024-05-21

申请号：US18092750

申请日：2023-01-03

Applicant: Cloudflare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Albertus Strasheim

IPC: H04L9/40 ,  G06F21/33 ,  H04L9/08 ,  H04L9/32

CPC classification number: H04L63/0435 ,  G06F21/335 ,  H04L9/0825 ,  H04L9/0841 ,  H04L9/0869 ,  H04L9/3263 ,  H04L63/0442 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/166

Abstract: A server establishes a secure session with a client device where a private key used in the handshake is stored in a different server. An encrypted connection is established between the first server and the second server. A message is received from the client device that initiates a procedure to establish the secure session between the client device and the first server. As part of this procedure, the first server transmits over the encrypted connection a request to the second server to use the private key. The first server receives, over the encrypted connection, a response to the request that includes a result of the use of the private key. The first server uses the result during the procedure to establish the secure session.

公开(公告)号：US20230325459A1

公开(公告)日：2023-10-12

申请号：US18333319

申请日：2023-06-12

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Matthew Browning Prince ,  Ian Gerald Pye ,  Matthieu Philippe François Tourne ,  Michelle Marie Zatlyn

IPC: G06F16/958 ,  G06F16/95 ,  G06F21/55 ,  H04L9/40 ,  G06Q30/0251 ,  G06Q30/0241 ,  G06Q10/107 ,  H04L67/02 ,  H04L69/40 ,  G06F40/143 ,  G06F40/14 ,  H04L51/42 ,  H04L61/4511 ,  H04L61/5007 ,  H04L67/56 ,  H04L67/561 ,  H04L67/568 ,  G06F15/16 ,  G06F21/00 ,  H04L67/146 ,  H04L47/74

CPC classification number: G06F16/958 ,  G06F16/95 ,  G06F21/552 ,  H04L63/0236 ,  H04L63/0245 ,  H04L63/083 ,  H04L63/0861 ,  H04L63/102 ,  H04L63/126 ,  H04L63/1433 ,  G06Q30/0251 ,  G06Q30/0277 ,  G06Q10/107 ,  G06Q30/0241 ,  H04L63/1441 ,  H04L67/02 ,  H04L69/40 ,  G06F40/143 ,  G06F40/14 ,  H04L51/42 ,  H04L61/4511 ,  H04L61/5007 ,  H04L67/56 ,  H04L67/561 ,  H04L67/568 ,  H04L63/0281 ,  G06F15/16 ,  G06F21/00 ,  H04L63/1466 ,  H04L67/146 ,  H04L63/0254 ,  H04L63/1458 ,  H04L63/1416 ,  H04L47/745 ,  H04L61/59

Abstract: A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor belonging to the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and is from a visitor that is not a threat to the appropriate origin server.

公开(公告)号：US11675872B2

公开(公告)日：2023-06-13

申请号：US17667365

申请日：2022-02-08

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Matthew Browning Prince ,  Ian Gerald Pye ,  Matthieu Philippe François Tourne ,  Michelle Marie Zatlyn

IPC: G06F21/00 ,  G06F16/958 ,  G06F16/95 ,  G06F21/55 ,  H04L9/40 ,  G06Q30/0251 ,  G06Q30/0241 ,  G06Q10/107 ,  H04L67/02 ,  H04L69/40 ,  G06F40/143 ,  G06F40/14 ,  H04L51/42 ,  H04L61/4511 ,  H04L61/5007 ,  H04L67/56 ,  H04L67/561 ,  H04L67/568 ,  G06F15/16 ,  H04L67/146 ,  H04L47/74 ,  H04L61/59

CPC classification number: G06F16/958 ,  G06F15/16 ,  G06F16/95 ,  G06F21/00 ,  G06F21/552 ,  G06F40/14 ,  G06F40/143 ,  G06Q10/107 ,  G06Q30/0241 ,  G06Q30/0251 ,  G06Q30/0277 ,  H04L47/745 ,  H04L51/42 ,  H04L61/4511 ,  H04L61/5007 ,  H04L63/0236 ,  H04L63/0245 ,  H04L63/0254 ,  H04L63/0281 ,  H04L63/083 ,  H04L63/0861 ,  H04L63/102 ,  H04L63/126 ,  H04L63/1416 ,  H04L63/1433 ,  H04L63/1441 ,  H04L63/1458 ,  H04L63/1466 ,  H04L67/02 ,  H04L67/146 ,  H04L67/56 ,  H04L67/561 ,  H04L67/568 ,  H04L69/40 ,  H04L61/59

Abstract: A proxy server receives from a client network application a request for an action to be performed on an identified network resource of a domain of an origin server. The request is received at the proxy server as a result of a DNS request for the domain returning an IP address of the proxy server. The proxy server determines that the first request is indicative of being from a bot. Responsive to this determination, the proxy server transmits a block page to the client network application that includes a mechanism to allow a human user of the client network application to provide input that indicates that they are human and not a bot. If the proxy server does not receive input from the client network application through the mechanism in the block page that indicates that the first request is not from a bot, the proxy server blocks the request.

公开(公告)号：US20220400166A1

公开(公告)日：2022-12-15

申请号：US17893003

申请日：2022-08-22

Applicant: CLOUDFLARE, INC.

Inventor： Christopher Philip Branch ,  Naga Sunil Tripirineni ,  Rustam Xing Lalkaka ,  Nick Wondra ,  Mohd Irtefa ,  Matthew Browning Prince ,  Andrew Taylor Plunk ,  Oliver Yu ,  Vlad Krasnov

IPC: H04L67/63 ,  H04L9/40 ,  H04L67/10 ,  H04L12/46

Abstract: A request is received from a client device over a Virtual Private Network (VPN) tunnel. The request is received at a first one of a plurality of edge servers of a distributed cloud computing network. A destination of the request is determined and an optimized route for transmitting the request toward an origin server is determined. The optimized route is based at least in part on probe data between edge servers of the distributed cloud computing network. The request is transmitted to a next hop as defined by the optimized route.

公开(公告)号：US20220217176A1

公开(公告)日：2022-07-07

申请号：US17509829

申请日：2021-10-25

Applicant: CloudFlare, Inc.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, JR.

IPC: H04L9/40 ,  G06F21/55 ,  G06F21/57

Abstract: An authoritative DNS server receives DNS requests for domains. The authoritative DNS server responds to the requests with address records that include IP addresses that are selected from a larger pool of IP addresses, where a first response to a DNS query for a domain can include IP addresses different from IP addresses included in a second response for the same domain. Also, the same IP addresses may be returned for a first domain and a different, second domain. The authoritative DNS server may randomly select the IP addresses to include in responses to the requests regardless of the domain.

公开(公告)号：US11044083B2

公开(公告)日：2021-06-22

申请号：US16043972

申请日：2018-07-24

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  H04L9/14 ,  H04L9/30

Abstract: A first server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different, second, server. The first server transmits messages between the client device and the second server where the second server has access to a private key that is not available on the first server. The first server receives from the second server a set of session key(s) used in the secure session for encrypting/decrypting communication between the client device and the first server. The session key(s) are generated using a master secret that is generated using a premaster secret generated using Diffie-Hellman public values selected by the client device and the second server. The first server uses the session key(s) to encrypt/decrypt communication with the client device.

公开(公告)号：US10931465B2

公开(公告)日：2021-02-23

申请号：US16356304

申请日：2019-03-18

Applicant: CLOUDFLARE, INC.

Inventor： Matthew Browning Prince ,  Srikanth N. Rao ,  Lee Hahn Holloway ,  Ian Gerald Pye

IPC: H04L9/32 ,  H04L29/06 ,  H04L29/08 ,  H04W76/10

Abstract: A proxy server in a cloud-based proxy service receives a secure session request from a client device as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.

公开(公告)号：US10922377B2

公开(公告)日：2021-02-16

申请号：US16848641

申请日：2020-04-14

Applicant: Cloudflare, Inc.

Inventor： Lee Hahn Holloway ,  Matthew Browning Prince ,  Ian Gerald Pye

IPC: G06F15/16 ,  G06F16/958 ,  G06F16/95 ,  G06F21/55 ,  H04L29/06 ,  H04L29/08 ,  G06Q30/02 ,  G06Q10/10 ,  H04L29/12 ,  H04L29/14 ,  G06F40/14 ,  G06F21/00 ,  H04L12/58 ,  H04L12/911

Abstract: A proxy server for limiting Internet connection speed of visitors that pose a threat. The proxy server receives from a client device a request to perform an action on an identified resource that is hosted at an origin server for a domain. The proxy server receives the request as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server analyzes the request to determine whether a visitor belonging to the request poses a threat. If the proxy server determines that the visitor poses a threat, the proxy server reduces the speed at which the proxy server processes the request while keeping a connection to the client device open.

公开(公告)号：US20190140843A1

公开(公告)日：2019-05-09

申请号：US16019109

申请日：2018-06-26

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L9/32 ,  H04L29/06 ,  H04L9/08 ,  G06F21/33 ,  H04L9/30 ,  H04L9/14 ,  H04L29/08

CPC classification number: H04L9/3263 ,  G06F21/33 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/0844 ,  H04L9/14 ,  H04L9/3013 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/0485 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/164 ,  H04L63/166 ,  H04L63/205 ,  H04L67/141 ,  H04L67/42

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.