-
1.
Publication No.: US11991157B2
Publication date: 2024-05-21
Application No.: US18092750
Filing date: 2023-01-03
Applicant: Cloudflare, Inc.
Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Albertus Strasheim
CPC classification: H04L63/0435, G06F21/335, H04L9/0825, H04L9/0841, H04L9/0869, H04L9/3263, H04L63/0442, H04L63/061, H04L63/0823, H04L63/0869, H04L63/166
Abstract: A server establishes a secure session with a client device where a private key used in the handshake is stored in a different server. An encrypted connection is established between the first server and the second server. A message is received from the client device that initiates a procedure to establish the secure session between the client device and the first server. As part of this procedure, the first server transmits over the encrypted connection a request to the second server to use the private key. The first server receives, over the encrypted connection, a response to the request that includes a result of the use of the private key. The first server uses the result during the procedure to establish the secure session.
-
Publication No.: US11909808B2
Publication date: 2024-02-20
Application No.: US17956695
Filing date: 2022-09-29
Applicant: CLOUDFLARE, INC.
Inventors: Killian Koenig, Dane Orion Knecht, James Royal
IPC classification: H04L67/02, H04L9/40, H04L67/51, H04L67/561
CPC classification: H04L67/02, H04L63/0435, H04L63/0823, H04L63/102, H04L67/51, H04L67/561
Abstract: A server receives from a browser executing on a client device an HTTP request. The server transmits a response to the HTTP request to the browser. The response includes code that when executed by the browser, executes a non-HTTP layer 7 protocol client that communicates with a non-HTTP layer 7 protocol service at an external network. The server receives, from the non-HTTP layer 7 protocol client executing in the browser, data related to the non-HTTP layer 7 protocol service. The server proxies the data related to the non-HTTP layer 7 protocol service over a layer 4 tunnel that is interfaced with the non-HTTP layer 7 protocol service. The server logs event data received from the non-HTTP layer 7 protocol client executing in the browser.
-
3.
Publication No.: US11044083B2
Publication date: 2021-06-22
Application No.: US16043972
Filing date: 2018-07-24
Applicant: CLOUDFLARE, INC.
Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
Abstract: A first server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different, second, server. The first server transmits messages between the client device and the second server where the second server has access to a private key that is not available on the first server. The first server receives from the second server a set of session key(s) used in the secure session for encrypting/decrypting communication between the client device and the first server. The session key(s) are generated using a master secret that is generated using a premaster secret generated using Diffie-Hellman public values selected by the client device and the second server. The first server uses the session key(s) to encrypt/decrypt communication with the client device.
-
4.
Publication No.: US20190320035A1
Publication date: 2019-10-17
Application No.: US16357766
Filing date: 2019-03-19
Applicant: CLOUDFLARE, INC.
Abstract: A request for a web page is received at a proxy server. The request originates from a client network application of a client device. The requested web page includes multiple references to multiple images. The proxy server retrieves the requested web page. The proxy server modifies code of the retrieved web page such that the client network application will not, for each one of those images, initially request those images when parsing the page. The proxy server also adds code to the retrieved web page that, when executed by the client network application, causes at least two of the images to be requested with a single request. The proxy server transmits the modified web page to the client device.
-
5.
Publication No.: US20190140843A1
Publication date: 2019-05-09
Application No.: US16019109
Filing date: 2018-06-26
Applicant: CLOUDFLARE, INC.
Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
CPC classification: H04L9/3263, G06F21/33, H04L9/083, H04L9/0841, H04L9/0844, H04L9/14, H04L9/3013, H04L9/3247, H04L63/0428, H04L63/0485, H04L63/061, H04L63/0823, H04L63/0869, H04L63/164, H04L63/166, H04L63/205, H04L67/141, H04L67/42
Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
-
Publication No.: US20180219960A1
Publication date: 2018-08-02
Application No.: US15920298
Filing date: 2018-03-13
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht
CPC classification: H04L67/20, G06F21/645, H04L9/3247, H04L63/0245, H04L63/126, H04L63/145, H04L67/02, H04L67/2842
Abstract: A first server receives, from a client network application, a request for a network resource. The first server retrieves the requested network resource, where the requested network resource is handled by a second server that is different than the first server. The first server validates whether at least a portion of the retrieved network resource conforms to a set of one or more rules. If it does, the first server cryptographically signs the at least portion of the retrieved network resource thereby creating a digital signature. The first server transmits a response to the client network application that includes the at least the portion of the retrieved network resource and the digital signature. The client network application is configured to validate the first digital signature that validates that the portion of the network resource conforms to the set of rules.
-
7.
Publication No.: US10033529B2
Publication date: 2018-07-24
Application No.: US15202371
Filing date: 2016-07-05
Applicant: CloudFlare, Inc.
Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.
-
Publication No.: US09917908B1
Publication date: 2018-03-13
Application No.: US15420080
Filing date: 2017-01-30
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht
CPC classification: H04L67/20, H04L67/02, H04L67/10, H04L67/2842, H04L67/42
Abstract: A first server receives, from a client network application, a request for a network resource. The first server retrieves the requested network resource, where the requested network resource is handled by a second server that is different than the first server. The first server validates whether at least a portion of the retrieved network resource conforms to a set of one or more rules. If it does, the first server cryptographically signs the at least portion of the retrieved network resource thereby creating a digital signature. The first server transmits a response to the client network application that includes the at least the portion of the retrieved network resource and the digital signature. The client network application is configured to validate the first digital signature that validates that the portion of the network resource conforms to the set of rules.
-
Publication No.: US09680950B1
Publication date: 2017-06-13
Application No.: US15211790
Filing date: 2016-07-15
Applicant: CLOUDFLARE, INC.
CPC classification: H04L67/2814, H04L63/0428, H04L63/1458, H04L67/02, H04L67/42
Abstract: A method and apparatus for delaying responses to requests in a server are described. Upon receipt, from a client device, of a first request for a resource at a first location, a response that includes a redirection instruction to a second location is transmitted, where the response includes a first number of redirects that the client device is to complete prior to the first request being fulfilled. Upon receipt of a following request including a number of redirects, determining whether the number of redirects has been performed. When the number of redirects has not been performed the transmission of the redirection instruction is repeated with a number of redirects smaller than the first number of redirects until the receipt of a request indicating that the number of redirects has been performed. When the number of redirects has been performed the request is fulfilled.
-
10.
Publication No.: US20170134346A1
Publication date: 2017-05-11
Application No.: US15413187
Filing date: 2017-01-23
Applicant: CloudFlare, Inc.
Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Albertus Strasheim
CPC classification: H04L63/0435, G06F21/335, H04L9/0825, H04L9/3263, H04L63/0442, H04L63/061, H04L63/0823, H04L63/0869, H04L63/166
Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.