1. Field of the Invention
The invention relates generally to computer networks technology. More particularly, this invention relates to the management of client transactions in secure client-server based networks.
2. Description of the Related Technology
Communication of data over a network, such as the Internet, has become as common as communicating voice over a telephone. The tremendous increase in network communication has been subject to intrusion by unauthorized users, such as computer hackers. To combat these intruders, most communication protocols now implement some form of communication security, which ranges from simple scrambling to very sophisticated encryption algorithms. More particularly, the Transmission Control Protocol (TCP)/Internet Protocol (IP) used by many networks, including the Internet, was adapted to include security protocols such as Secure Socket Layer (SSL) and IP Security (IPsec). The following is a brief description of each of these security protocols.
SSL is a protocol developed for the transmission of private data (e.g., a text document) via the Internet. SSL provides a secure connection to communicate data between a client and a server by using a private key to encrypt the data. Private key/public key encryption is well understood and frequently implemented by modem computer networks to ensure privacy of information being transmitted from a sender computer to a recipient computer. Web browsers, such as Netscape Navigator and Internet Explorer, support SSL, and many Web sites implement the SSL protocol to obtain confidential user information, such as credit card numbers. SSL provides the mechanism to implement authentication and encryption. Authentication ensures that each of the client and server is who it claims to be. In practice, authentication may simply involve entering a user identification (ID) and password. However, a computer hacker may eavesdrop on the client-server link to intercept password and user name information. Encryption deters such mischief by scrambling the user ID and password information before transmission over the network. In addition to encrypting user information, SSL uses encryption to secure nearly every type of data including the payload (i.e., a text document) communicated between the client and server. In effect, SSL provides for encryption of a session, and authentication of a server, message, and optionally a client. For further details on the SSL protocol, reference is made to SSL Protocol Specification, versions 2 and 3, which are incorporated by reference.
SSL is a protocol that protects any level protocol built on protocol sockets, such as telnet, file transfer protocol (FTP), or hypertext transfer protocol (HTTP). As is known in the network technology, a socket is a software object that connects an application to a network protocol. For example, in UNIX, a program sends and receives TCP/IP messages by opening a socket and reading and writing data to and from the socket. This simplifies program development because the programmer need only worry about manipulating the socket and may rely on the operating system to actually transport messages across the network correctly. Many of the functions provided by SSL are part of a next generation IP protocol (IPng) known as IP version 6 (IPv6), being considered by Internet Engineering Task Force (IETF), which is the main standards organization for the Internet.
IPSec is a set of protocols that support secure exchange of packets at the IP layer. IPSec supports two encryption modes: Transport and Tunnel. At the source device (i.e., transmitting station) of an IP packet, the Transport mode encrypts only the data portion (i.e., payload) of the IP packet, and leaves the header unaffected. The Tunnel mode provides more security than the Transport mode by encrypting both the header and payload of the IP packet. At the destination device (i.e., receiving station), an IPSec-compliant device decrypts received IP packets. Generally, the source and destination devices share a public key. This may be accomplished by implementing a protocol known as Internet Security and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the destination device to obtain a public key and authenticate the source device using X.509 standard, which is an International Telecommunication Union (ITU) standard for defining digital certificates.
The referenced application describes a broker server configured to manage client transactions and relieve data path congestion in a communication network. For details on the broker operation over a TCP/IP network, reference is made to the referenced application which is incorporated by reference in its entirety herein. When a communication network involves secure operations, management of client transactions requires adaptation to and compliance with the secure operations. The need to speed up client transactions over a secure network is particularly important because a typical Web (World Wide Web) server processes secure transactions at a slower rate than conventional (i.e., non-secure) HTTP traffic. With current technology, Web users who make secure transactions with a Web server have to wait a long time for transactions to be processed and the overall reliability and availability of the Web site are impacted.
Therefore, there is a need in the network communication technology, such as the Internet, to support brokering of client transactions over secure (e.g., SSL) communication networks. The invention should eliminate server performance bottlenecks during secure SSL transactions.
In one embodiment, the invention provides a server computer configured to manage transactions over a communication network. The server computer comprises a data interface operably connected to and configured to receive a data packet from a computer over a secure link of the communication network. The server computer further comprises a data processor operably connected to the data interface and programmed to access the received data packet. The processor is further programmed to decrypt contents of the data packet and re-direct the data packet to another computer. The server computer further comprises a data storage operably connected to the processor and the data interface. The data storage is configured to store the data packet until the other computer becomes ready to receive the client packet.
In another embodiment, the invention provides a system configured to respond to electronic requests over a computer network. The system comprises a first server configured to interface with and receive a data packet over a secure link of the computer network. The first server is further configured to decrypt contents of the data packet and re-direct the data packet. The system further comprises a second server in data communication with the first server and configured to accept the data packet from the first server and execute the data packet pursuant to instructions contained therein.
In another embodiment, the invention provides a method of managing electronic requests in a computer network. The method comprises receiving a data packet having encrypted information from a client computer over a secure link of the computer network. The method further comprises decrypting the information of the received data packet. The method further comprises establishing a link with a server that is available to execute the data packet. The method further comprises sending the data packet to the server.