-
31.
Publication number: US11044083B2
Publication date: 2021-06-22
Application number: US16043972
Filing date: 2018-07-24
Applicant: CLOUDFLARE, INC.
Inventor: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
Abstract: A first server establishes a secure session with a client device, where the private key used in the handshake that establishes the secure session is stored on a different, second server. The first server relays messages between the client device and the second server, which has access to a private key that is not available on the first server. The first server receives from the second server a set of session key(s) used in the secure session for encrypting and decrypting communication between the client device and the first server. The session key(s) are generated from a master secret, which is in turn generated from a premaster secret derived from Diffie-Hellman public values selected by the client device and the second server. The first server uses the session key(s) to encrypt and decrypt communication with the client device.
-
32.
Publication number: US10326853B2
Publication date: 2019-06-18
Application number: US16172651
Filing date: 2018-10-26
Applicant: CLOUDFLARE, INC.
Inventor: John Graham-Cumming
Abstract: A method and computing device for delta compression techniques that reduce the transmission size of a network resource are described. A first version of a network resource is received. The first version of the network resource is stored regardless of a directive that a cached version is not to be used to respond to a future request for that network resource. A first request for the network resource is received. A second request for the network resource is transmitted to a second computing device. A response including a set of differences between the first version of the network resource and the most current version of the network resource is received from the second computing device, without the entire network resource being received. An updated version of the network resource is transmitted to the client device, where the updated version is generated by applying the set of differences to the first version of the network resource.
-
33.
Publication number: US10298601B2
Publication date: 2019-05-21
Application number: US15444041
Filing date: 2017-02-27
Applicant: CLOUDFLARE, INC.
Inventor: John Graham-Cumming
Abstract: A network address includes a predefined portion that identifies a hostname, where the predefined portion is less than the whole network address. A request is received for a secure session at the network address. The hostname is identified from the predefined portion of the network address, and a secure session negotiation is performed that includes returning a digital certificate for the identified hostname.
-
34.
Publication number: US20190140843A1
Publication date: 2019-05-09
Application number: US16019109
Filing date: 2018-06-26
Applicant: CLOUDFLARE, INC.
Inventor: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
CPC classification number: H04L9/3263, G06F21/33, H04L9/083, H04L9/0841, H04L9/0844, H04L9/14, H04L9/3013, H04L9/3247, H04L63/0428, H04L63/0485, H04L63/061, H04L63/0823, H04L63/0869, H04L63/164, H04L63/166, H04L63/205, H04L67/141, H04L67/42
Abstract: A server establishes a secure session with a client device, where the private key used in the handshake that establishes the secure session is stored on a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound to the domain with which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption, along with the other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure, including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
-
35.
Publication number: US10033529B2
Publication date: 2018-07-24
Application number: US15202371
Filing date: 2016-07-05
Applicant: CloudFlare, Inc.
Inventor: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
Abstract: A server establishes a secure session with a client device, where the private key used in the handshake that establishes the secure session is stored on a different server. During the handshake procedure, the server proxies messages to and from the different server, including a set of cryptographic parameters signed using the private key held on the different server. The different server generates the master secret, then generates and transmits to the server the session keys that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.
-
36.
Publication number: US09819762B2
Publication date: 2017-11-14
Application number: US15192803
Filing date: 2016-06-24
Applicant: CLOUDFLARE, INC.
Inventor: John Graham-Cumming, Andrew Galloni, Terin Stock
CPC classification number: H04L67/2842, H04L67/02, H04L67/14, H04L67/322, H04L67/42
Abstract: A browser receives a web page that includes a script configured to control the browser's subsequent requests for at least that web page, and the script caches a first portion of the web page that includes reference(s) to other web resource(s). A subsequent request for the web page is dispatched to the script, which returns the cached first portion of the web page to the browser and issues a request for the full web page. Request(s) are also transmitted for the web resource(s) referenced in the first portion of the web page, without waiting for the full web page to be received. When the full web page is received, if the first portion of the page matches the corresponding portion of the full page, that corresponding portion is removed from the full page and the remaining page is returned to the browser.
-
37.
Publication number: US20170171232A1
Publication date: 2017-06-15
Application number: US15444041
Filing date: 2017-02-27
Applicant: CLOUDFLARE, INC.
Inventor: John Graham-Cumming
CPC classification number: H04L63/1416, H04L9/3263, H04L61/1511, H04L61/2007, H04L61/2076, H04L61/6004, H04L61/6059, H04L63/0281, H04L63/0428, H04L63/0823, H04L63/1441, H04L63/166, H04L63/168, H04L67/141, H04L2209/24, H04L2209/64
Abstract: A network address includes a predefined portion that identifies a hostname, where the predefined portion is less than the whole network address. A request is received for a secure session at the network address. The hostname is identified from the predefined portion of the network address, and a secure session negotiation is performed that includes returning a digital certificate for the identified hostname.
-
38.
Publication number: US09680950B1
Publication date: 2017-06-13
Application number: US15211790
Filing date: 2016-07-15
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht, John Graham-Cumming
CPC classification number: H04L67/2814, H04L63/0428, H04L63/1458, H04L67/02, H04L67/42
Abstract: A method and apparatus for delaying responses to requests in a server are described. Upon receipt from a client device of a first request for a resource at a first location, a response that includes a redirection instruction to a second location is transmitted, where the response includes a first number of redirects that the client device is to complete before the first request is fulfilled. Upon receipt of a following request that includes a number of redirects, the server determines whether that number of redirects has been performed. When the number of redirects has not been performed, the transmission of the redirection instruction is repeated with a number of redirects smaller than the first number, until a request is received indicating that the number of redirects has been performed. When the number of redirects has been performed, the request is fulfilled.
-
39.
Publication number: US20170134346A1
Publication date: 2017-05-11
Application number: US15413187
Filing date: 2017-01-23
Applicant: CloudFlare, Inc.
Inventor: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Albertus Strasheim
CPC classification number: H04L63/0435, G06F21/335, H04L9/0825, H04L9/3263, H04L63/0442, H04L63/061, H04L63/0823, H04L63/0869, H04L63/166
Abstract: A server establishes a secure session with a client device, where the private key used in the handshake that establishes the secure session is stored on a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound to the domain with which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure, including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
-
40.
Publication number: US09635043B1
Publication date: 2017-04-25
Application number: US15179516
Filing date: 2016-06-10
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht, John Graham-Cumming
CPC classification number: H04L63/101, H04L9/3228, H04L9/3297, H04L61/10, H04L61/1511, H04L63/0227, H04L63/0428, H04L63/0838, H04L63/108, H04L63/1416, H04L63/1458, H04L67/02, H04L67/10, H04L67/28, H04L67/2833, H04L67/2842, H04L67/42, H04L2463/142
Abstract: A method and apparatus for causing a delay in the processing of requests for Internet resources received from client devices are described. A server receives from a client device a first request for a resource. The server transmits a response to the client device indicating that access to the resource is temporarily denied. The response includes a cryptographic token associated with the first request and a predetermined period of time during which the client device is to wait before transmitting another request for the resource. The server receives a second request for the resource and, upon determining that the second request includes a valid cryptographic token, causes the second request to be processed. The server receives a third request for the resource and, upon determining that the third request does not include a valid cryptographic token, blocks the third request.