公开(公告)号：US20160315767A1

公开(公告)日：2016-10-27

申请号：US15202371

申请日：2016-07-05

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L9/08 ,  H04L9/14 ,  H04L9/30 ,  H04L9/32 ,  H04L29/06

CPC classification number: H04L9/0844 ,  H04L9/14 ,  H04L9/30 ,  H04L9/321 ,  H04L9/3263 ,  H04L9/3268 ,  H04L63/061 ,  H04L63/166

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US09450950B2

公开(公告)日：2016-09-20

申请号：US14675385

申请日：2015-03-31

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  G06F21/33 ,  H04L9/08 ,  H04L29/08

CPC classification number: H04L9/3263 ,  G06F21/33 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/0844 ,  H04L9/14 ,  H04L9/3013 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/0485 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/164 ,  H04L63/166 ,  H04L63/205 ,  H04L67/141 ,  H04L67/42

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US20160065684A1

公开(公告)日：2016-03-03

申请号：US14937799

申请日：2015-11-10

Applicant: CLOUDFLARE, INC.

Inventor： Christopher Stephen Joel ,  Michael Sofaer ,  Lee Hahn Holloway ,  Ray Raymond Bejjani ,  Matthieu Philippe François Tourne ,  Sébastien Andreas Henry Pahl ,  Dane Orion Knecht

IPC: H04L29/08 ,  H04W4/18 ,  G06T3/40

CPC classification number: H04L67/2804 ,  G06F17/30905 ,  G06T3/40 ,  H04L67/2823 ,  H04W4/185

Abstract: A request is received at a proxy server for a web page, the request originating from a client network application of a client device. The requested web page includes multiple references to multiple images. The proxy server retrieves the requested web page. The proxy server modifies code of the retrieved web page such that the client network application will not, for each one of images, request that image until the location where that image is to be displayed is within a viewport of the client network application or within a defined distance from the viewport of the client network application. The proxy server transmits the modified web page to the client device.

Abstract translation: 在用于网页的代理服务器处接收到来自客户端设备的客户端网络应用的请求。 所请求的网页包括对多个图像的多个引用。 代理服务器检索所请求的网页。 代理服务器修改检索到的网页的代码，使得客户端网络应用程序对于每个图像将不请求该图像，直到该图像要被显示的位置在客户端网络应用的视口内，或者在 与客户端网络应用程序的视口的距离。 代理服务器将修改的网页发送到客户端设备。

公开(公告)号：US09184911B2

公开(公告)日：2015-11-10

申请号：US14248254

申请日：2014-04-08

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  G06F21/33

CPC classification number: H04L63/061 ,  G06F21/33 ,  H04L9/0844 ,  H04L9/085 ,  H04L63/0442 ,  H04L63/045 ,  H04L63/0869 ,  H04L63/16 ,  H04L63/164 ,  H04L63/166 ,  H04L63/168

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret and session keys for the secure session. The different server decrypts the encrypted premaster secret, generates the master secret, and generates session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server and transmits those session keys to that server.

Abstract translation: 服务器与客户端设备建立安全会话，其中在建立安全会话时用于握手的私钥被存储在不同的服务器中。 在握手过程中，服务器接收使用与客户端设备尝试建立安全会话的域绑定的公共密钥进行加密的预安全秘密。 服务器将加密的前提密码传送到不同的服务器以进行解密以及计算安全会话的主密钥和会话密钥所需的其他信息。 不同的服务器解密加密的前提秘密，生成主密钥，并生成在安全会话中使用的会话密钥，用于加密和解密客户端设备与服务器之间的通信，并将这些会话密钥发送到该服务器。

公开(公告)号：US11991157B2

公开(公告)日：2024-05-21

申请号：US18092750

申请日：2023-01-03

Applicant: Cloudflare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Albertus Strasheim

IPC: H04L9/40 ,  G06F21/33 ,  H04L9/08 ,  H04L9/32

CPC classification number: H04L63/0435 ,  G06F21/335 ,  H04L9/0825 ,  H04L9/0841 ,  H04L9/0869 ,  H04L9/3263 ,  H04L63/0442 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/166

Abstract: A server establishes a secure session with a client device where a private key used in the handshake is stored in a different server. An encrypted connection is established between the first server and the second server. A message is received from the client device that initiates a procedure to establish the secure session between the client device and the first server. As part of this procedure, the first server transmits over the encrypted connection a request to the second server to use the private key. The first server receives, over the encrypted connection, a response to the request that includes a result of the use of the private key. The first server uses the result during the procedure to establish the secure session.

公开(公告)号：US20220217176A1

公开(公告)日：2022-07-07

申请号：US17509829

申请日：2021-10-25

Applicant: CloudFlare, Inc.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, JR.

IPC: H04L9/40 ,  G06F21/55 ,  G06F21/57

Abstract: An authoritative DNS server receives DNS requests for domains. The authoritative DNS server responds to the requests with address records that include IP addresses that are selected from a larger pool of IP addresses, where a first response to a DNS query for a domain can include IP addresses different from IP addresses included in a second response for the same domain. Also, the same IP addresses may be returned for a first domain and a different, second domain. The authoritative DNS server may randomly select the IP addresses to include in responses to the requests regardless of the domain.

公开(公告)号：US11044083B2

公开(公告)日：2021-06-22

申请号：US16043972

申请日：2018-07-24

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  H04L9/14 ,  H04L9/30

Abstract: A first server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different, second, server. The first server transmits messages between the client device and the second server where the second server has access to a private key that is not available on the first server. The first server receives from the second server a set of session key(s) used in the secure session for encrypting/decrypting communication between the client device and the first server. The session key(s) are generated using a master secret that is generated using a premaster secret generated using Diffie-Hellman public values selected by the client device and the second server. The first server uses the session key(s) to encrypt/decrypt communication with the client device.

公开(公告)号：US20190140843A1

公开(公告)日：2019-05-09

申请号：US16019109

申请日：2018-06-26

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L9/32 ,  H04L29/06 ,  H04L9/08 ,  G06F21/33 ,  H04L9/30 ,  H04L9/14 ,  H04L29/08

CPC classification number: H04L9/3263 ,  G06F21/33 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/0844 ,  H04L9/14 ,  H04L9/3013 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/0485 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/164 ,  H04L63/166 ,  H04L63/205 ,  H04L67/141 ,  H04L67/42

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US10033529B2

公开(公告)日：2018-07-24

申请号：US15202371

申请日：2016-07-05

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  H04L9/14 ,  H04L9/30

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US20170223050A1

公开(公告)日：2017-08-03

申请号：US15489421

申请日：2017-04-17

Applicant: CloudFlare, Inc.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, JR.

IPC: H04L29/06 ,  G06F21/55 ,  G06F21/57

Abstract: A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.