Abstract:
Managing private key access in multiple nodes is described. A piece of data (e.g., a private key) is encrypted using identity-based broadcast encryption and identity-based revocation encryption so that only certain servers in a distributed network of servers can decrypt the piece of data. The piece of data is encrypted with a key encryption key (KEK). The KEK is split into two pieces. The first piece is encrypted using identity-based broadcast encryption with a first set of identities as input such that only servers of the first set of identities can decrypt the first piece, and the second piece is encrypted using identity-based revocation encryption so that all servers except those that have the second set of identities can decrypt the second piece. The keys are transmitted to the servers.
Abstract:
A DNS server receives, from a client device, a DNS query for a resource record type at a domain name. The DNS server determines that the resource record type does not exist at the domain name and generates an answer that indicates that the queried resource record type does not exist at the domain name and also indicates that a plurality of other resource record types exist at the domain name regardless of whether those plurality of other resource record types actually exist at the domain name. The DNS server transmits the generated answer to the client device.
Abstract:
A server receives a piece of data for encryption. The server encrypts the piece of data such that no single key can decrypt the encrypted piece of data and any combination of a first multiple of unique keys taken a second multiple at a time are capable of decrypting the encrypted piece of data. Each of the first multiple of unique keys is tied to account credentials of a different user. The second multiple is less than or equal to the first multiple. The encrypted piece of data is returned.
Abstract:
A request for a web page is received and the requested web page is retrieved. The web page is modified to obfuscate a set of form attribute values into a corresponding set of obfuscated form attribute values. The modified web page is transmitted to the requesting device. The modified web page does not include the set of form attribute values in their original form. Form data for the set of obfuscated form attribute values is received from the requesting device. The set of obfuscated form attribute values is deobfuscated thereby revealing the original set of form attribute values. The form data for the set of original form attribute values is further processed.
Abstract:
A server receives a piece of data for encryption. The server encrypts the piece of data such that no single key can decrypt the encrypted piece of data and any combination of a first multiple of unique keys taken a second multiple at a time are capable of decrypting the encrypted piece of data. Each of the first multiple of unique keys is tied to account credentials of a different user. The second multiple is less than or equal to the first multiple. The encrypted piece of data is returned.
Abstract:
A server receives a single certificate signature request from a requestor and determines that the requestor is authorized for a certificate corresponding to the single certificate signature request. The server generates a first certificate corresponding to the single certificate signature request, wherein the first certificate has a first expiry value. The server transmits the generated first certificate to the requestor. Responsive to an amount of time elapsing, the server automatically generates a second certificate corresponding to the single certificate signature request, wherein the amount of time expiring is less than the first expiry value. The server transmits the generated second certificate to the requestor.
Abstract:
A request for a web page is received and the requested web page is retrieved. The web page is modified to obfuscate a set of form attribute values into a corresponding set of obfuscated form attribute values. The modified web page is transmitted to the requesting device. The modified web page does not include the set of form attribute values in their original form. Form data for the set of obfuscated form attribute values is received from the requesting device. The set of obfuscated form attribute values is deobfuscated thereby revealing the original set of form attribute values. The form data for the set of original form attribute values is further processed.
Abstract:
A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.
Abstract:
A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
Abstract:
A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret and session keys for the secure session. The different server decrypts the encrypted premaster secret, generates the master secret, and generates session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server and transmits those session keys to that server.