公开(公告)号：US10904005B2

公开(公告)日：2021-01-26

申请号：US16687418

申请日：2019-11-18

Applicant: Cloudflare, Inc.

Inventor： Nicholas Thomas Sullivan

IPC: H04L9/32 ,  G06F21/45 ,  H04L29/06 ,  H04L9/08 ,  G06F21/62 ,  G06F21/31 ,  G06F21/60 ,  G06F21/40

Abstract: A server receives a piece of data for encryption. The server encrypts the piece of data such that no single key can decrypt the encrypted piece of data and any combination of a first multiple of unique keys taken a second multiple at a time are capable of decrypting the encrypted piece of data. Each of the first multiple of unique keys is tied to account credentials of a different user. The second multiple is less than or equal to the first multiple. The encrypted piece of data is returned.

公开(公告)号：US20200186351A1

公开(公告)日：2020-06-11

申请号：US16687418

申请日：2019-11-18

Applicant: Cloudflare, Inc.

Inventor： Nicholas Thomas Sullivan

IPC: H04L9/32 ,  G06F21/45 ,  H04L29/06 ,  H04L9/08 ,  G06F21/62 ,  G06F21/60 ,  G06F21/31 ,  G06F21/40

Abstract: A server receives a piece of data for encryption. The server encrypts the piece of data such that no single key can decrypt the encrypted piece of data and any combination of a first multiple of unique keys taken a second multiple at a time are capable of decrypting the encrypted piece of data. Each of the first multiple of unique keys is tied to account credentials of a different user. The second multiple is less than or equal to the first multiple. The encrypted piece of data is returned.

公开(公告)号：US10177909B1

公开(公告)日：2019-01-08

申请号：US15828123

申请日：2017-11-30

Applicant: Cloudflare, Inc.

Inventor： Nicholas Thomas Sullivan ,  Brendan Scott McMillion

IPC: H04L9/32 ,  H04L9/08 ,  H04L9/14

Abstract: Managing private key access in multiple nodes is described. A piece of data (e.g., a private key) is encrypted using identity-based broadcast encryption and identity-based revocation encryption so that only certain servers in a distributed network of servers can decrypt the piece of data. The piece of data is encrypted with a key encryption key (KEK). The KEK is split into two pieces. The first piece is encrypted using identity-based broadcast encryption with an identified location as input such that only servers of the identified location can decrypt the first piece, and the second piece is encrypted using identity-based revocation encryption so that certain identified servers of the identified location cannot decrypt cannot decrypt the second piece. The keys are transmitted to the servers.

公开(公告)号：US10009183B2

公开(公告)日：2018-06-26

申请号：US15271190

申请日：2016-09-20

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/32 ,  H04L9/08 ,  H04L9/14 ,  H04L9/30 ,  H04L29/08

CPC classification number: H04L9/3263 ,  G06F21/33 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/0844 ,  H04L9/14 ,  H04L9/3013 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/0485 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/164 ,  H04L63/166 ,  H04L63/205 ,  H04L67/141 ,  H04L67/42

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

公开(公告)号：US09680807B2

公开(公告)日：2017-06-13

申请号：US14937805

申请日：2015-11-10

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Phillippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  G06F21/33

CPC classification number: H04L63/061 ,  G06F21/33 ,  H04L9/0844 ,  H04L9/085 ,  H04L63/0442 ,  H04L63/045 ,  H04L63/0869 ,  H04L63/16 ,  H04L63/164 ,  H04L63/166 ,  H04L63/168

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret and session keys for the secure session. The different server decrypts the encrypted premaster secret, generates the master secret, and generates session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server and transmits those session keys to that server.

公开(公告)号：US20160330185A1

公开(公告)日：2016-11-10

申请号：US15148856

申请日：2016-05-06

Applicant: CLOUDFLARE, INC.

Inventor： Daniel Morsing ,  Marek Majkowski ,  Nicholas Thomas Sullivan ,  Olafur Gudmundsson

IPC: H04L29/06 ,  H04L29/12

CPC classification number: H04L63/08 ,  H04L61/1511 ,  H04L63/12 ,  H04L67/10 ,  H04L67/1036 ,  H04L67/42

Abstract: A DNS server receives, from a client device, a DNS query for a resource record type at a domain name. The DNS server determines that the resource record type does not exist at the domain name and generates an answer that indicates that the queried resource record type does not exist at the domain name and also indicates that a plurality of other resource record types exist at the domain name regardless of whether those plurality of other resource record types actually exist at the domain name. The DNS server transmits the generated answer to the client device.

Abstract translation: DNS服务器从客户端设备收到域名下资源记录类型的DNS查询。 DNS服务器确定资源记录类型在域名中不存在，并生成一个答案，该答案表示查询的资源记录类型在域名中不存在，并且还指示域上存在多个其他资源记录类型 不管这些多个其他资源记录类型是否实际存在于域名上。 DNS服务器将生成的答案发送给客户端设备。

公开(公告)号：US20150288514A1

公开(公告)日：2015-10-08

申请号：US14248254

申请日：2014-04-08

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L9/08

CPC classification number: H04L63/061 ,  G06F21/33 ,  H04L9/0844 ,  H04L9/085 ,  H04L63/0442 ,  H04L63/045 ,  H04L63/0869 ,  H04L63/16 ,  H04L63/164 ,  H04L63/166 ,  H04L63/168

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret and session keys for the secure session. The different server decrypts the encrypted premaster secret, generates the master secret, and generates session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server and transmits those session keys to that server.

Abstract translation: 服务器与客户端设备建立安全会话，其中在建立安全会话时在握手中使用的私钥被存储在不同的服务器中。 在握手过程中，服务器接收使用与客户端设备尝试建立安全会话的域绑定的公共密钥进行加密的预安全秘密。 服务器将加密的前提密码传送到不同的服务器以进行解密以及计算安全会话的主密钥和会话密钥所需的其他信息。 不同的服务器解密加密的前提秘密，生成主密钥，并生成在安全会话中使用的会话密钥，用于加密和解密客户端设备与服务器之间的通信，并将这些会话密钥发送到该服务器。

公开(公告)号：US20250168014A1

公开(公告)日：2025-05-22

申请号：US19033124

申请日：2025-01-21

Applicant: CLOUDFLARE, INC.

Inventor： Watson Bernard Ladd ,  Alexander Andrew Davidson ,  Marwan Fayed ,  Armando Faz Hernández ,  Sai Krishna Deepak Maram ,  Nicholas Thomas Sullivan

IPC: H04L9/32 ,  G06F21/32 ,  H04L9/14

Abstract: A client device receives a challenge request from a server to prove that internet traffic was initiated by a human user through verifying a physical interaction between a human user and a hardware component. The client device causes a prompt to be displayed to perform the physical interaction with the hardware component. A cryptographic attestation is received that includes an attestation signature that is generated after confirmation that the physical interaction was performed with the hardware component. A zero-knowledge proof of the attestation signature is generated and transmitted to the server for verification. The client device receives the requested content responsive to the server verifying the validity of the zero-knowledge proof.

公开(公告)号：US11647008B2

公开(公告)日：2023-05-09

申请号：US15961632

申请日：2018-04-24

Applicant: CLOUDFLARE, INC.

Inventor： Daniel Morsing ,  Marek Majkowski ,  Nicholas Thomas Sullivan ,  Olafur Gudmundsson ,  Filippo Valsorda

IPC: H04L9/40 ,  H04L67/1036 ,  H04L67/10 ,  H04L61/4511 ,  H04L67/01

CPC classification number: H04L63/08 ,  H04L61/4511 ,  H04L63/12 ,  H04L67/01 ,  H04L67/10 ,  H04L67/1036

Abstract: A DNS server receives, from a client device, a DNS query for a resource record type at a domain name. The DNS server determines that the resource record type does not exist at the domain name and generates an answer that indicates that the queried resource record type does not exist at the domain name and also indicates that a plurality of other resource record types exist at the domain name regardless of whether those plurality of other resource record types actually exist at the domain name. The DNS server transmits the generated answer to the client device.

公开(公告)号：US11044083B2

公开(公告)日：2021-06-22

申请号：US16043972

申请日：2018-07-24

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  H04L9/14 ,  H04L9/30

Abstract: A first server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different, second, server. The first server transmits messages between the client device and the second server where the second server has access to a private key that is not available on the first server. The first server receives from the second server a set of session key(s) used in the secure session for encrypting/decrypting communication between the client device and the first server. The session key(s) are generated using a master secret that is generated using a premaster secret generated using Diffie-Hellman public values selected by the client device and the second server. The first server uses the session key(s) to encrypt/decrypt communication with the client device.