US 11,991,157 B2
Secure session capability using public-key cryptography without access to the private key
Sébastien Andreas Henry Pahl, San Francisco, CA (US); Matthieu Philippe François Tourne, San Francisco, CA (US); Piotr Sikora, San Francisco, CA (US); Ray Raymond Bejjani, San Francisco, CA (US); Dane Orion Knecht, San Francisco, CA (US); Matthew Browning Prince, San Francisco, CA (US); John Graham-Cumming, London (GB); Lee Hahn Holloway, Santa Cruz, CA (US); and Albertus Strasheim, San Francisco, CA (US)
Assigned to CLOUDFLARE, INC., San Francisco, CA (US)
Filed by Cloudflare, Inc., San Francisco, CA (US)
Filed on Jan. 3, 2023, as Appl. No. 18/092,750.
Application 16/159,437 is a division of application No. 15/413,187, filed on Jan. 23, 2017, granted, now 10,129,224, issued on Nov. 13, 2018.
Application 18/092,750 is a continuation of application No. 17/036,988, filed on Sep. 29, 2020, granted, now 11,546,309.
Application 17/036,988 is a continuation of application No. 16/159,437, filed on Oct. 12, 2018, granted, now 10,791,099, issued on Sep. 29, 2020.
Application 15/413,187 is a continuation of application No. 14/315,241, filed on Jun. 25, 2014, granted, now 9,553,856, issued on Jan. 24, 2017.
Application 14/315,241 is a continuation of application No. 13/788,784, filed on Mar. 7, 2013, granted, now 8,782,774, issued on Jul. 15, 2014.
Prior Publication US 2023/0224290 A1, Jul. 13, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 21/33 (2013.01); H04L 9/08 (2006.01); H04L 9/32 (2006.01)
CPC H04L 63/0435 (2013.01) [G06F 21/335 (2013.01); H04L 9/0825 (2013.01); H04L 9/0841 (2013.01); H04L 9/0869 (2013.01); H04L 9/3263 (2013.01); H04L 63/0442 (2013.01); H04L 63/061 (2013.01); H04L 63/0823 (2013.01); H04L 63/0869 (2013.01); H04L 63/166 (2013.01)] 15 Claims
OG exemplary drawing
 
1. A method in a first server for establishing a secure session with a client device where a private key used for the secure session is stored in a second server, the method comprising:
establishing an encrypted connection between the first server and the second server;
receiving a set of one or more messages from the client device for establishing the secure session between the client device and the first server, wherein the set of one or more messages includes information for generation of a premaster secret;
generating a set of cryptographic parameters;
transmitting over the encrypted connection between the first server and the second server and as part of establishing the secure session between the client device and the first server, a request to the second server to use the private key, wherein the request includes the set of cryptographic parameters;
receiving, from the second server over the encrypted connection, a response to the request to use the private key, the response including a signature using the private key over at least the set of cryptographic parameters;
transmitting, to the client device, the set of cryptographic parameters and the signature;
generating, at the first server, the premaster secret using at least part of the generated set of cryptographic parameters and the information for generation of the premaster secret included in the set of one or more messages received from the client device;
generating a master secret using the generated premaster secret; and
generating, using the generated master secret, a set of one or more session keys to be used in the secure session for encrypting and decrypting communication between the client device and the first server.