1. Field of the Invention
This invention generally relates to the field of secure communication between networked computers and more particularly to SSL (secure socket layer) sessions in a distributed network.
2. Description of the Related Art
Computer networks such as the Internet are used for requesting, sending and receiving secure information. One typical client/server example is communication through the Internet. Two examples are: first, a PC connected to the Internet through an ISP; second, a computer, which may be a client or a server, connected to the Internet through an ASP. The protocol in this connection is TCP/IP. This protocol enables fast, direct, and dynamic communication of information. A client computer requests information such as a particular web page. The web site hosting server responds with the information. The format of the data that is transferred is typically HTML. The images transferred are in a format such as GIF or JPEG. All of the information, both data and images, is transferred over an open or unsecured path. Stated differently, the information is exposed and is subject to unauthorized access. For the vast majority of network usage, such as the Internet, unsecured transmission is acceptable. However, secure transmission is desirable for more sensitive information, including financial information, medical information and other confidential information. Accordingly, there is a need for secure information transmission.
In response to the need for secure transmissions, certain standards have been adopted. One known standard is SSL (Secure Sockets Layer). SSL is a protocol for managing the security of a message transmission on the Internet. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL was developed by Netscape Corporation. SSL is included as part of most Internet client browsers and web servers including those available from Netscape and Microsoft. The “sockets” part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system invented by RSA (Rivest-Shamir-Adleman), which also includes the use of a digital certificate.
Under normal usage no encryption is used. The use of encryption, although desirable, has its shortcomings. One shortcoming is that both the client and the server must support the SSL session. Another shortcoming is speed. SSL slows down the transaction because of all of the encryption, decryption and checking that is required.
For example, when an airline ticket is purchased over the Internet, the client's or customer's financial information, such as a credit card number, is transferred. In this example, if the purchase did not use encryption, a “hacker” could capture the client's credit card information and make unauthorized purchases, thus stealing from the client. In addition, the hacker may also gain unauthorized access to the server and cause further damage.
In many secure sessions, multiple purchases are completed. For example, a client or customer buys a book at a particular web site and then, before exiting the web site, makes an additional purchase such as a DVD or video. Another example is a customer buying airline tickets over the Internet. Immediately after the tickets are purchased, a car rental and perhaps a hotel room are also purchased. Under SSL, there is no way to avoid the time needed to set up the first SSL session between the travel web site and the client. But even once the first SSL session is established, the additional purchases may require the same amount of set-up time. The travel web site may be hosted on multiple servers that are assembled and controlled by a load dispatching processor. The use of multiple servers allows individual products and services to be hosted on different serving computers.
From the point of view of the client, the wait time for the original first SSL transaction is long. Moreover, once the first SSL session is established, the requirement that additional transactions re-establish an SSL session with additional servers is very undesirable, especially where the client did not leave the master web site, e.g. moving from car rental to airline reservations all under a single web site such as travelocity.com. Accordingly, a need exists for reduced wait time when making additional secure purchases from a given web site.
Turning to the point of view of the hosting enterprise, the servers that are used for SSL transactions are established to serve information securely. As expected, these servers use resources, including Internet connections and system time, while attempting to serve as many clients as possible. Therefore, once an SSL session is established there is a tendency for the load-dispatching computer to try to maintain this SSL connection for additional transactions. This causes a server “affinity” problem. Affinity is the tendency, between a client and a server in a client-server architecture, to maintain an existing SSL session rather than start a new SSL session. In a negative sense, affinity is the bias towards assigning a server to a client based on a prior existing SSL session rather than on the location of the requested data. Affinity is especially a problem in a hosting enterprise environment where certain products and services are typically hosted across different servers. Prolonged affinity is the source of load-balancing problems, which result in certain servers being busy while other servers are underutilized. Once an SSL session is established, the load-dispatching computer will try to maintain the connection. Accordingly, a need exists for the removal of server affinity with respect to subsequent SSL transactions.
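The trade-off described above, between the set-up time a client waits for and the load imbalance that affinity causes, can be made concrete with a small dispatcher simulation. The following Python block is an added illustration, not code from the patent or from any load-dispatching product it mentions; the handshake costs, the two server names and the transaction list are constructed assumptions, and the least-loaded tie-breaking rule is an arbitrary choice made so the run is deterministic.

```python
"""Toy model of SSL session set-up cost versus server affinity in a load
dispatcher.  All costs, server names and transactions are constructed for
illustration (assumptions, not figures from the patent text)."""
from dataclasses import dataclass, field

FULL_HANDSHAKE_MS = 100  # assumed cost of establishing a new SSL session
RESUMED_MS = 5           # assumed cost of reusing a session the server already holds


@dataclass
class Server:
    name: str
    sessions: set = field(default_factory=set)  # client ids holding an SSL session here
    requests: int = 0                           # load, counted in requests served


def dispatch(transactions, server_names, sticky):
    """Route (client, product) transactions across servers.

    sticky=True  : keep a client on the server that holds its SSL session
                   (the "affinity" behaviour described in the text).
    sticky=False : always pick the least-loaded server, paying a full
                   handshake whenever that server has no session for the client.
    Returns (load per server, number of full handshakes, total client wait in ms).
    """
    servers = [Server(n) for n in server_names]
    pinned = {}      # client -> Server, consulted only by the sticky policy
    handshakes = 0
    total_ms = 0
    for client, _product in transactions:
        if sticky and client in pinned:
            target = pinned[client]
        else:
            # least-loaded first, ties broken by name so the run is deterministic
            target = min(servers, key=lambda s: (s.requests, s.name))
            pinned[client] = target
        if client in target.sessions:
            total_ms += RESUMED_MS          # session already established here
        else:
            target.sessions.add(client)     # new server for this client: full set-up
            handshakes += 1
            total_ms += FULL_HANDSHAKE_MS
        target.requests += 1
    load = {s.name: s.requests for s in servers}
    return load, handshakes, total_ms


# Constructed workload: three clients open sessions, then two of them make a
# run of follow-on purchases (the airline -> car -> hotel pattern from the text).
TRANSACTIONS = [
    ("alice", "airline"), ("bob", "airline"), ("carol", "book"),
    ("alice", "car"), ("alice", "hotel"), ("alice", "insurance"),
    ("carol", "dvd"), ("carol", "video"), ("carol", "game"),
    ("bob", "car"),
]
SERVERS = ["srv-1", "srv-2"]


def compare():
    """Run both policies on the same workload and return their metrics."""
    return {
        "affinity": dispatch(TRANSACTIONS, SERVERS, sticky=True),
        "no_affinity": dispatch(TRANSACTIONS, SERVERS, sticky=False),
    }


if __name__ == "__main__":
    for policy, (load, hs, ms) in compare().items():
        print(f"{policy:12s} load={load} handshakes={hs} wait={ms} ms")
```

On this workload the affinity policy needs only three full handshakes, but piles eight of the ten requests onto one server, while the non-affinity policy balances the load five-to-five at the price of five full handshakes; neither policy gives both the short wait time and the even load that the text says are needed.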
Companies such as F5 Networks have developed SSL accelerators. These are special-purpose devices that manage SSL certificates on individual web servers. SSL accelerators offer easier manageability as well as centralized security. In addition, SSL accelerators allow the servers to be used for serving while the SSL accelerator handles the details of the SSL sessions. Although the use of SSL accelerators is useful, it is not without its shortcomings. One shortcoming is that each time a server is added, an accelerator card must be added. This not only becomes expensive but also cumbersome to manage. Accordingly, a need exists for a solution that will maintain security and provide for timely SSL response while scaling easily with a web site's growth.