公开(公告)号：US20160080337A1

公开(公告)日：2016-03-17

申请号：US14937805

申请日：2015-11-10

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06

CPC classification number: H04L63/061 ,  G06F21/33 ,  H04L9/0844 ,  H04L9/085 ,  H04L63/0442 ,  H04L63/045 ,  H04L63/0869 ,  H04L63/16 ,  H04L63/164 ,  H04L63/166 ,  H04L63/168

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret and session keys for the secure session. The different server decrypts the encrypted premaster secret, generates the master secret, and generates session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server and transmits those session keys to that server.

公开(公告)号：US20160013935A1

公开(公告)日：2016-01-14

申请号：US14630585

申请日：2015-02-24

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L9/08 ,  H04L9/32 ,  H04L29/06

CPC classification number: H04L9/0844 ,  H04L9/14 ,  H04L9/30 ,  H04L9/321 ,  H04L9/3263 ,  H04L9/3268 ,  H04L63/061 ,  H04L63/166

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.

Abstract translation: 服务器与客户端设备建立安全会话，其中在建立安全会话时用于握手的私钥被存储在不同的服务器中。 在握手过程中，服务器向不同的服务器代理消息，包括使用不同服务器上的私钥签名的一组签名的加密参数。 不同的服务器生成主密钥，并生成并发送会话密钥到要在安全会话中使用的服务器，以加密和解密客户端设备和服务器之间的通信。

公开(公告)号：US11621924B2

公开(公告)日：2023-04-04

申请号：US17490975

申请日：2021-09-30

Applicant: Cloudflare, Inc.

Inventor： Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Christopher Stephen Joel ,  John Brinton Roberts ,  Michael Jonas Sofaer ,  Jason Thomas Walter Benterou

IPC: H04L47/70 ,  H04L67/00 ,  G06F8/61 ,  H04L67/01 ,  H04L67/565 ,  H04L67/02

Abstract: A proxy server automatically includes web applications in web pages at the network level. The proxy server receives, from a client device, a request for a network resource at a domain and is hosted at an origin server. The proxy server retrieves the requested network resource. The retrieved network resource does not include the web applications. The proxy server determines that the web applications are to be installed within the network resource. The proxy server automatically modifies the retrieved network resource to include the web applications. The proxy server transmits a response to the client device that includes the modified network resource. The network resource may remain unchanged at the origin server.

公开(公告)号：US11546175B2

公开(公告)日：2023-01-03

申请号：US17181917

申请日：2021-02-22

Applicant: CLOUDFLARE, INC.

Inventor： Matthew Browning Prince ,  Srikanth N. Rao ,  Lee Hahn Holloway ,  Ian Gerald Pye

IPC: H04L9/40 ,  H04L9/32 ,  H04L67/56 ,  H04W76/10

Abstract: An attack is detected on a first IP address and a determination is made that the first IP address is associated with a primary digital certificate that is bound with multiple different domains. For each of these domains, a secondary certificate is accessed that is bound only to that domain and that secondary certificate is associated with a unique IP address such that each of the different domains has a unique IP address associated with its secondary certificate respectively. The attack is isolated to the domain the attack follows.

公开(公告)号：US20210176079A1

公开(公告)日：2021-06-10

申请号：US17181917

申请日：2021-02-22

Applicant: CLOUDFLARE, INC.

Inventor： Matthew Browning Prince ,  Srikanth N. Rao ,  Lee Hahn Holloway ,  Ian Gerald Pye

IPC: H04L9/32 ,  H04L29/06 ,  H04L29/08

Abstract: A proxy server in a cloud-based proxy service receives a secure session request from a client device as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.

公开(公告)号：US20210014204A1

公开(公告)日：2021-01-14

申请号：US17036988

申请日：2020-09-29

Applicant: Cloudflare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Albertus Strasheim

IPC: H04L29/06 ,  G06F21/33 ,  H04L9/08 ,  H04L9/32

Abstract: A first server receives a set of cryptographic parameters from a second server. The set of cryptographic parameters is received from the second server as part of a secure session establishment between a client device and the second server. The first server accesses a private key that is not stored on the second server. The first server signs the set of cryptographic parameters using the private key. The first server transmits the signed set of cryptographic parameters to the second server. The first server receives, from the second server, a request to generate a premaster secret using a value generated by the second server that is included in the request and generates the premaster secret. The first server transmits the premaster secret to the second server for use in the secure session establishment between the client device and the second server.

公开(公告)号：US10853443B2

公开(公告)日：2020-12-01

申请号：US16162167

申请日：2018-10-16

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Matthew Browning Prince ,  Michelle Marie Zatlyn

IPC: G06F16/958 ,  G06F16/95 ,  G06F21/55 ,  H04L29/06 ,  H04L29/08 ,  G06Q30/02 ,  G06Q10/10 ,  H04L29/12 ,  H04L29/14 ,  G06F40/14 ,  G06F15/16 ,  G06F21/00 ,  H04L12/58 ,  H04L12/911

Abstract: A proxy server receives from a client device a request to perform an action on an identified resource that is hosted at an origin server for a domain. The proxy server receives the request as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server and the origin servers are owned by different entities. The proxy server analyzes the request to determine whether a visitor belonging to that request poses a threat. If the proxy server determines that the visitor poses a threat, the proxy server blocks the request and transmits a block page to the client device that indicates that the request has been blocked.

公开(公告)号：US20200314212A1

公开(公告)日：2020-10-01

申请号：US16836613

申请日：2020-03-31

Applicant: CLOUDFLARE, INC.

Inventor： Christopher Philip Branch ,  Naga Sunil Tripirineni ,  Rustam Xing Lalkaka ,  Nick Wondra ,  Mohd Irtefa ,  Matthew Browning Prince ,  Andrew Taylor Plunk ,  Oliver Yu ,  Vlad Krasnov

IPC: H04L29/08 ,  H04L29/06 ,  H04L12/46

Abstract: A request is received from a client device over a Virtual Private Network (VPN) tunnel. The request is received at a first one of a plurality of edge servers of a distributed cloud computing network. A destination of the request is determined and an optimized route for transmitting the request toward an origin server is determined. The optimized route is based at least in part on probe data between edge servers of the distributed cloud computing network. The request is transmitted to a next hop as defined by the optimized route.

公开(公告)号：US10785198B2

公开(公告)日：2020-09-22

申请号：US16188244

申请日：2018-11-12

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Albertus Strasheim

IPC: H04L29/06 ,  G06F21/33 ,  H04L9/08 ,  H04L9/32

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US10671694B2

公开(公告)日：2020-06-02

申请号：US16363835

申请日：2019-03-25

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Matthew Browning Prince ,  Ian Gerald Pye ,  Matthieu Philippe François Tourne ,  Michelle Marie Zatlyn

IPC: G06F21/00 ,  G06F16/958 ,  G06F16/95 ,  G06F21/55 ,  H04L29/06 ,  H04L29/08 ,  G06Q30/02 ,  G06Q10/10 ,  H04L29/12 ,  H04L29/14 ,  G06F40/14 ,  G06F15/16 ,  H04L12/58 ,  H04L12/911

Abstract: A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor belonging to the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and is from a visitor that is not a threat to the appropriate origin server.