Patent application number | Description | Published |
20100322104 | SYSTEMS AND METHODS FOR DISTRIBUTING CRYPTO CARDS TO MULTIPLE CORES - The present invention is directed towards systems and methods for distributed operation of a plurality of cryptographic cards in a multi-core system. In various embodiments, a plurality of cryptographic cards providing encryption/decryption resources are assigned to a plurality of packet processing engines in operation on a multi-core processing system. The packet processing engines can be configured to operate in user space of a system, and can access cryptographic resources via memory allocations mapped from kernel space to user space. A method for use with the multi-card/multi-core system can comprise detecting, by a kernel of the multi-core system, a plurality of cryptographic cards available to the system, identifying, by a configurator of the multi-core system, a plurality of packet processing engines configured to operate in user space on a plurality of cores of the multi-core system, and determining, by a card distribution manager, a distribution layout that identifies an assignment of the plurality of cryptographic cards to the plurality of packet processing engines. | 12-23-2010 |
20100325418 | SYSTEMS AND METHODS FOR SSL SESSION CLONING - TRANSFER AND REGENERATION OF SSL SECURITY PARAMETERS ACROSS CORES, HOMOGENOUS SYSTEM OR HETEROGENEOUS SYSTEMS - The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session. | 12-23-2010 |
20100325419 | SYSTEMS AND METHODS FOR ENCODING THE CORE IDENTIFIER IN THE SESSION IDENTIFIER - The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session. | 12-23-2010 |
20100325420 | SYSTEMS AND METHODS FOR HANDLING SSL SESSION NOT REUSABLE ACROSS MULTIPLE CORES - The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session. | 12-23-2010 |
20100325429 | SYSTEMS AND METHODS FOR MANAGING CRLS FOR A MULTI-CORE SYSTEM - The present invention is directed towards systems and methods for maintaining Certificate Revocation Lists (CRLs) for client access in a multi-core system. A first core may generate a secondary CRL corresponding to a master CRL maintained by the first core. The CRLs may identify certificates to revoke. The first core can store the secondary CRL to a memory element accessible by the cores. A second core may receive a request to validate a certificate. The second core can provisionally determine, via access to the secondary CRL, whether the certificate is revoked. The second core may also determine not to revoke the certificate. Responsive to the determination, the second core may request the first core to validate the certificate. The first core can determine whether to revoke the certificate based on the master CRL. The first core may send a message to the second core based on the determination. | 12-23-2010 |
20110153985 | SYSTEMS AND METHODS FOR QUEUE LEVEL SSL CARD MAPPING TO MULTI-CORE PACKET ENGINE - The present invention is directed towards systems and methods for distributed operation of a plurality of cryptographic cards in a multi-core system. In various embodiments, a plurality of cryptographic cards providing encryption/decryption resources are assigned to a plurality of packet processing engines in operation on a multi-core processing system. One or more cryptographic cards can be configured with a plurality of hardware or software queues. The plurality of queues can be assigned to plural packet processing engines so that the plural packet processing engines share cryptographic services of a cryptographic card having multiple queues. In some embodiments, all cryptographic cards are configured with multiple queues which are assigned to the plurality of packet processing engines configured for encryption operation. | 06-23-2011 |
20110154017 | SYSTEMS AND METHODS FOR EVALUATING AND PRIORITIZING RESPONSES FROM MULTIPLE OCSP RESPONDERS - The present invention is directed towards systems and methods for determining a status of a client certificate from a plurality of responses for an Online Certificate Status Protocol (OCSP) request. An intermediary device between a plurality of clients and one or more servers identifies a plurality of OCSP responders for determining a status of a client certificate responsive to receiving the client certificate from a client during a Secure Socket Layer (SSL) handshake. Each of the plurality of OCSP responders may transmit a request for the status of the client certificate to a uniform resource locator corresponding to each OCSP responder. The intermediary device may determine a single status for the client certificate from a plurality of statuses of the client certificate received via responses from each uniform resource locator. | 06-23-2011 |
20110154018 | SYSTEMS AND METHODS FOR FLASH CROWD CONTROL AND BATCHING OCSP REQUESTS VIA ONLINE CERTIFICATE STATUS PROTOCOL - The present invention is directed towards systems and methods for batching OCSP requests and caching corresponding responses. An intermediary between a plurality of clients and one or more servers receives a first client certificate during a first SSL handshake with a first client and a second client certificate during a second SSL handshake with a second client. The intermediary may identify that the statuses of the client certificates are not in a cache of the intermediary. An OCSP responder of the intermediary may transmit a single request to an OCSP server to determine the statuses. The intermediary may determine, from a single response received from the OCSP server, whether to establish SSL connections with the clients based on the statuses. The intermediary may store the statuses to the cache for determining whether to establish a SSL connection in response to receiving a client certificate from the first client. | 06-23-2011 |
20110154026 | SYSTEMS AND METHODS FOR PARALLEL PROCESSING OF OCSP REQUESTS DURING SSL HANDSHAKE - The present invention is directed towards systems and methods for processing an Online Certificate Status Protocol (OCSP) request in parallel to processing a Secure Socket Layer (SSL) handshake. The method includes transmitting, by an OCSP responder of an intermediary device between a plurality of clients and one or more servers, an OCSP request to a OCSP server for a status of a client certificate responsive to receiving the client certificate from a client during a SSL handshake. The intermediary device may continue to perform remaining portions of the SSL handshake while the OCSP request to the OCSP server is outstanding. The intermediary device may establish an SSL connection for the SSL handshake. The intermediary device may determine whether to terminate or maintain the established SSL connection based on the status of the client certificate received via a response from the OCSP server. | 06-23-2011 |
20120117375 | SYSTEMS AND METHODS FOR OPTIMIZING SSL HANDSHAKE PROCESSING - A method for buffering SSL handshake messages prior to computing a message digest for the SSL handshake includes: conducting, by an appliance with a client, an SSL handshake, the SSL handshake comprising a plurality of SSL handshake messages; storing, by the appliance, the plurality of SSL handshake messages; providing, by the appliance to a message digest computing device in response to receiving a client finish message corresponding to the SSL handshake, the plurality of SSL handshake messages; receiving, by the appliance from the message digest computing device, a message digest corresponding to the provided messages; determining by the appliance, the message digest matches a message digest included in the SSL client finish message; and completing, by the appliance with the client, the SSL handshake. Corresponding systems are also described. | 05-10-2012 |
20120265991 | SYSTEMS AND METHODS FOR OPTIMIZING SSL HANDSHAKE PROCESSING - A method for enabling efficient SSL handshakes through pre-computing of handshake messages, the method includes: receiving, by an appliance, a server certificate identifying a server; generating, by the appliance, at least one of: (i) an SSL server certificate message comprising the received server certificate, (ii) an SSL client certificate request message, and (iii) an SSL hello done message; storing, by the appliance, the generated messages; receiving, by the appliance from a client, an SSL client hello message identifying the server; and transmitting, by the appliance to the client, an SSL server hello message and at least one of the stored messages. Corresponding systems are also described. | 10-18-2012 |
20130145146 | SYSTEMS AND METHODS FOR BULK ENCRYPTION AND DECRYPTION OF TRANSMITTED DATA - A method for using a network appliance to efficiently buffer and encrypt data for transmission includes: receiving, by an appliance via a connection, two or more SSL records comprising encrypted messages; decrypting the two or more messages; buffering, by the appliance, the two or more decrypted messages; determining, by the appliance, that a transmittal condition has been satisfied; encrypting, by the appliance in response to the determination, the first decrypted message and a portion of the second decrypted message to produce a third SSL record; and transmitting, by the appliance via a second connection, the third record. Corresponding systems are also described. | 06-06-2013 |
20140068245 | SYSTEMS AND METHODS FOR HANDLING SSL SESSION NOT REUSABLE ACROSS MULTIPLE CORES - The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session. | 03-06-2014 |
20140101441 | SYSTEMS AND METHODS FOR FLASH CROWD CONTROL AND BATCHING OCSP REQUESTS VIA ONLINE CERTIFICATE STATUS PROTOCOL - The present invention is directed towards systems and methods for batching OCSP requests and caching corresponding responses. An intermediary between a plurality of clients and one or more servers receives a first client certificate during a first SSL handshake with a first client and a second client certificate during a second SSL handshake with a second client. The intermediary may identify that the statuses of the client certificates are not in a cache of the intermediary. An OCSP responder of the intermediary may transmit a single request to an OCSP server to determine the statuses. The intermediary may determine, from a single response received from the OCSP server, whether to establish SSL connections with the clients based on the statuses. The intermediary may store the statuses to the cache for determining whether to establish a SSL connection in response to receiving a client certificate from the first client. | 04-10-2014 |
20140108788 | SYSTEMS AND METHODS FOR EVALUATING AND PRIORITIZING RESPONSES FROM MULTIPLE OCSP RESPONDERS - The present disclosure is directed towards systems and methods for determining a status of a client certificate from a plurality of responses for an Online Certificate Status Protocol (OCSP) request. An intermediary device between a plurality of clients and one or more servers identifies a plurality of OCSP responders for determining a status of a client certificate responsive to receiving the client certificate from a client during a Secure Socket Layer (SSL) handshake. Each of the plurality of OCSP responders may transmit a request for the status of the client certificate to a uniform resource locator corresponding to each OCSP responder. The intermediary device may determine a single status for the client certificate from a plurality of statuses of the client certificate received via responses from each uniform resource locator. | 04-17-2014 |
20140181531 | SYSTEMS AND METHODS FOR QUEUE LEVEL SSL CARD MAPPING TO MULTI-CORE PACKET ENGINE - The present invention is directed towards systems and methods for distributed operation of a plurality of cryptographic cards in a multi-core system. In various embodiments, a plurality of cryptographic cards providing encryption/decryption resources are assigned to a plurality of packet processing engines in operation on a multi-core processing system. One or more cryptographic cards can be configured with a plurality of hardware or software queues. The plurality of queues can be assigned to plural packet processing engines so that the plural packet processing engines share cryptographic services of a cryptographic card having multiple queues. In some embodiments, all cryptographic cards are configured with multiple queues which are assigned to the plurality of packet processing engines configured for encryption operation. | 06-26-2014 |
20140304354 | SYSTEMS AND METHODS FOR RELIABLE REPLICATION OF AN APPLICATION-STATE, DISTRIBUTED REPLICATION TABLE - The present application is directed towards using a distributed hash table to track the use of resources and/or maintain the persistency of resources across the plurality of nodes in the multi-node system. More specifically, the systems and methods can maintain the persistency of resources across the plurality of nodes by the use of a global table. A global table may be maintained on each node. Each node's global table enables efficient storage and retrieval of distributed hash table entries. Each global table may contain a linked list of the cached distributed hash table entries that are currently stored on a node. | 10-09-2014 |