公开(公告)号：US09553856B2

公开(公告)日：2017-01-24

申请号：US14315241

申请日：2014-06-25

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  G06F21/33

CPC classification number: H04L63/0435 ,  G06F21/335 ,  H04L9/0825 ,  H04L9/3263 ,  H04L63/0442 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/166

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

Abstract translation: 服务器与客户端设备建立安全会话，其中在建立安全会话时用于握手的私钥被存储在不同的服务器中。 在握手过程中，服务器接收使用与客户端设备尝试建立安全会话的域绑定的公共密钥进行加密的预安全秘密。 服务器将加密的前提密码发送到另一个服务器进行解密。 服务器接收解密的预分配密钥，并且继续握手过程，包括从解密的前端秘密生成主密钥，并生成在安全会话中使用的用于加密和解密客户端设备与服务器之间的通信的一个或多个会话密钥。

公开(公告)号：US09385864B2

公开(公告)日：2016-07-05

申请号：US14630585

申请日：2015-02-24

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32

CPC classification number: H04L9/0844 ,  H04L9/14 ,  H04L9/30 ,  H04L9/321 ,  H04L9/3263 ,  H04L9/3268 ,  H04L63/061 ,  H04L63/166

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US09350829B2

公开(公告)日：2016-05-24

申请号：US14458144

申请日：2014-08-12

Applicant: CloudFlare, Inc.

Inventor： John Graham-Cumming

IPC: G06F15/16 ,  H04L29/06 ,  H04L29/08

CPC classification number: H04L69/161 ,  H04L63/0281 ,  H04L63/123 ,  H04L63/1458 ,  H04L63/1466 ,  H04L63/166 ,  H04L67/02

Abstract: A transparent TCP proxy device intercepts TCP connection requests received from a TCP client and destined for a TCP server as if acting as the TCP server in a handshake with the TCP client. Only after completing the handshake with the TCP client, the transparent TCP proxy participates in a handshake with the TCP server as if acting as the TCP client. After the handshake with the TCP server is complete, the transparent TCP proxy intercepts and translates subsequent TCP packets received from the TCP client and destined for the TCP server into a form expected by the TCP server including updating an acknowledgement number and TCP checksum; and intercepts and translates subsequent TCP packets received from the TCP server and destined for the TCP client into a form expected by the TCP client including updating an acknowledgement number and TCP checksum.

Abstract translation: 透明的TCP代理设备拦截从TCP客户端接收的TCP连接请求，并发送给TCP服务器，就像在与TCP客户端的握手中作为TCP服务器一样。 只有在与TCP客户端完成握手之后，透明TCP代理才能像TCP客户端一样参与与TCP服务器的握手。 在与TCP服务器握手完成后，透明TCP代理拦截并转换从TCP客户端接收的后续TCP数据包，并将TCP服务器转发为TCP服务器预期的形式，包括更新确认号码和TCP校验和; 并拦截并转换从TCP服务器接收的并发往TCP客户端的后续TCP数据包，形式为TCP客户端预期的形式，包括更新确认号码和TCP校验和。

公开(公告)号：US20160080337A1

公开(公告)日：2016-03-17

申请号：US14937805

申请日：2015-11-10

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06

CPC classification number: H04L63/061 ,  G06F21/33 ,  H04L9/0844 ,  H04L9/085 ,  H04L63/0442 ,  H04L63/045 ,  H04L63/0869 ,  H04L63/16 ,  H04L63/164 ,  H04L63/166 ,  H04L63/168

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret and session keys for the secure session. The different server decrypts the encrypted premaster secret, generates the master secret, and generates session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server and transmits those session keys to that server.

公开(公告)号：US20160013935A1

公开(公告)日：2016-01-14

申请号：US14630585

申请日：2015-02-24

Applicant: CloudFlare, Inc.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L9/08 ,  H04L9/32 ,  H04L29/06

CPC classification number: H04L9/0844 ,  H04L9/14 ,  H04L9/30 ,  H04L9/321 ,  H04L9/3263 ,  H04L9/3268 ,  H04L63/061 ,  H04L63/166

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.

Abstract translation: 服务器与客户端设备建立安全会话，其中在建立安全会话时用于握手的私钥被存储在不同的服务器中。 在握手过程中，服务器向不同的服务器代理消息，包括使用不同服务器上的私钥签名的一组签名的加密参数。 不同的服务器生成主密钥，并生成并发送会话密钥到要在安全会话中使用的服务器，以加密和解密客户端设备和服务器之间的通信。

公开(公告)号：US12248792B2

公开(公告)日：2025-03-11

申请号：US18393385

申请日：2023-12-21

Applicant: CLOUDFLARE, INC.

Inventor： Kenton Taylor Varda ,  Zachary Aaron Bloom ,  Marek Przemyslaw Majkowski ,  Ingvar Stepanyan ,  Kyle Kloepper ,  Dane Orion Knecht ,  John Graham-Cumming ,  Dani Grant

IPC: G06F9/448 ,  G06F9/455 ,  G06F21/53 ,  H04L9/40 ,  H04L41/50 ,  H04L67/00 ,  H04L67/02 ,  H04L67/10 ,  H04L67/53 ,  H04L67/63

Abstract: A compute server receives a request that triggers execution of a code piece out of multiple code pieces. A single process at the compute server executes the code piece, which is run in an isolated execution environment. Each other code piece runs in other isolated execution environments respectively and executed by the single process. The code piece, when executed, modifies a response to the request. The response is generated based at least in part on the executed code piece. The generated response is transmitted.

公开(公告)号：US11949647B2

公开(公告)日：2024-04-02

申请号：US17728407

申请日：2022-04-25

Applicant: CLOUDFLARE, INC.

Inventor： Dane Orion Knecht ,  John Graham-Cumming ,  Dani Grant ,  Christopher Philip Branch ,  Tom Paseka

IPC: H04L61/2592 ,  H04L12/46 ,  H04L61/4511 ,  H04L67/01 ,  H04L67/02 ,  H04L67/10 ,  H04L67/1017 ,  H04L67/1031 ,  H04L61/5007

CPC classification number: H04L61/2592 ,  H04L12/4633 ,  H04L12/4641 ,  H04L61/4511 ,  H04L67/01 ,  H04L67/02 ,  H04L67/10 ,  H04L67/1017 ,  H04L67/1031 ,  H04L61/5007

Abstract: A tunnel is established between a first edge server of a distributed edge compute and routing service and a tunnel client residing on an origin server. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the first edge server. The routing rules are based at least in part on traffic information gathered from processing other traffic that traverses the distributed edge compute and routing service. A request for content served by the origin server through the tunnel is received at a second edge server of the distributed edge compute and routing service. A path from the second edge server to the first edge server is determined based on the routing rules. The request is transmitted on the determined path. The first edge server receives the request and transmits the request to the origin server over the tunnel.

公开(公告)号：US11561805B2

公开(公告)日：2023-01-24

申请号：US17114382

申请日：2020-12-07

Applicant: CLOUDFLARE, INC.

Inventor： Kenton Taylor Varda ,  Zachary Aaron Bloom ,  Marek Przemyslaw Majkowski ,  Ingvar Stepanyan ,  Kyle Kloepper ,  Dane Orion Knecht ,  John Graham-Cumming ,  Dani Grant

IPC: G06F9/448 ,  H04L67/00 ,  H04L67/02 ,  H04L67/10 ,  G06F9/455 ,  H04L9/40 ,  H04L67/53 ,  H04L67/63 ,  G06F21/53

Abstract: A compute server receives a request from a client device that triggers execution of a third-party code piece. The compute server is one of multiple compute servers that are part of a distributed cloud computing network. The request may be an HTTP request and directed to a zone. A single process at the compute server executes the third-party code piece in an isolated execution environment. The single process is also executing other third-party code pieces in other isolated execution environments respectively. A response is generated to the request based at least in part on the executed third-party code piece, and the generated response is transmitted to the client device.

公开(公告)号：US11252182B2

公开(公告)日：2022-02-15

申请号：US16417367

申请日：2019-05-20

Applicant: CLOUDFLARE, INC.

Inventor： Maciej Bilas ,  John Graham-Cumming ,  Marek Majkowski

IPC: H04L29/06 ,  H04L9/32 ,  H04L12/26 ,  H04L29/08

Abstract: An edge server receives a plurality of requests from a client network application for actions to be performed on a resource that is hosted at an origin server. The edge server determines request attributes of the requests and associates the request attributes with a session identifying the client network application. The edge server generates a confidence value for the client network application based at least on the determined request attributes of the plurality of requests and computed session metrics of the session. When the confidence value indicates that the client network application is malicious, the edge server performs one or more mitigation actions.

公开(公告)号：US11159479B2

公开(公告)日：2021-10-26

申请号：US16505433

申请日：2019-07-08

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming

IPC: G06F15/16 ,  H04L29/12

Abstract: A DNS name server manages CNAME records. The server receives a query for a first Address record for a fully qualified domain name from a requester. The server determines that the fully qualified domain name has a CNAME record, where the fully qualified domain name is a root domain. The server traverses a chain according to the CNAME record to locate a second Address record that includes an IP address. The server generates a response to the query that includes a third Address record for the fully qualified domain name that includes at least the IP address of the located second Address record. The server transmits the generated response to the requester.