IMPLEMENTATION OF SECURE COMMUNICATIONS IN A SUPPORT SYSTEM

US 20130085880A1
Filed: 09/29/2011
Published: 04/04/2013
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing secure communications, comprising:

under the control of one or more computer systems configured with executable instructions,receiving, by a hypervisor, a set of credentials associated with a guest operating system;

using, by the hypervisor on behalf of the guest operating system, the set of credentials to establish a secure connection to a computing device using a secure protocol, the hypervisor acting as a local endpoint of the secure connection;

receiving, by the hypervisor, one or more outgoing messages from the guest operating system to the computing device;

encrypting, by the hypervisor on behalf of the guest operating system using the secure protocol and the set of credentials, the one or more outgoing messages from the guest operating system to the computing device, the one or more outgoing messages becoming one or more outgoing encrypted messages;

sending, by the hypervisor, the outgoing encrypted messages to the computing device using the secure protocol;

receiving, by the hypervisor, one or more incoming encrypted messages from the computing device;

decrypting, by the hypervisor on behalf of the guest operating system using the secure protocol and the set of credentials, the one or more incoming encrypted messages from the computing device becoming one or more incoming decrypted messages; and

sending the one or more incoming decrypted messages to the guest operating system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A support system negotiates secure connections on behalf of multiple guest systems using a set of credentials associated with the guest systems. The operation of the secure connection may be transparent to the guest system such that guest system may send and receive messages that are encrypted or decrypted by the support system, such as a hypervisor. As the support system is in between the guest system and a destination, the support system may act as a local endpoint to the secure connection. Messages may be altered by the support system to indicate to a guest system which communications were secured. The credentials may be managed by the support system such that the guest system does not require access to the credentials.

77 Citations

View as Search Results

30 Claims

1. A computer-implemented method for providing secure communications, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, by a hypervisor, a set of credentials associated with a guest operating system;
  
  using, by the hypervisor on behalf of the guest operating system, the set of credentials to establish a secure connection to a computing device using a secure protocol, the hypervisor acting as a local endpoint of the secure connection;
  
  receiving, by the hypervisor, one or more outgoing messages from the guest operating system to the computing device;
  
  encrypting, by the hypervisor on behalf of the guest operating system using the secure protocol and the set of credentials, the one or more outgoing messages from the guest operating system to the computing device, the one or more outgoing messages becoming one or more outgoing encrypted messages;
  
  sending, by the hypervisor, the outgoing encrypted messages to the computing device using the secure protocol;
  
  receiving, by the hypervisor, one or more incoming encrypted messages from the computing device;
  
  decrypting, by the hypervisor on behalf of the guest operating system using the secure protocol and the set of credentials, the one or more incoming encrypted messages from the computing device becoming one or more incoming decrypted messages; and
  
  sending the one or more incoming decrypted messages to the guest operating system.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein negotiating includes storing protocol state information as associated with the guest operating system and the computing device, the protocol state information retrievable using identifying information of the guest operating system and the computing device, the protocol state information used during encrypting the one or more outgoing messages and decrypting the one or more encrypted incoming messages.
  - 3. The computer-implemented method of claim 2, wherein decrypting includes:
    - inspecting the one or more encrypted incoming messages to determine identifying information of the computing device and the guest operating system referenced in the incoming communication;
      
      retrieving the protocol state information using the determined identifying information of the guest operating system and the computing device; and
      
      decrypting the one or more encrypted incoming messages using the retrieved protocol state information.
  - 4. The computer-implemented method of claim 2, wherein encrypting includes:
    - receiving one or more outgoing messages from a guest operating system, the guest operating system having identifying information;
      
      inspecting the one or more outgoing messages to determine identifying information of the computing device referenced in the one or more outgoing messages;
      
      retrieving the protocol state information using the identifying information of the guest operating system and the computing device; and
      
      encrypting the one or more outgoing messages using the retrieved protocol state information.
  - 5. The computer-implemented method of claim 1, wherein decrypting includes routing the one or more incoming decrypted messages to the guest operating system, the guest operating system among a set of two or more guest operating systems managed by the hypervisor.
  - 6. The computer-implemented method of claim 1, wherein decrypting includes verifying the integrity and authenticity of the one or more incoming encrypted messages before providing the one or more incoming decrypted messages to the guest operating system.

7. A computer-implemented method for providing secure communications, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, by a support system of a host system, a request for a secure connection with a device to a guest operating system on the host system, the host system having the support system and configured to host at least one guest operating system;
  
  receiving, by the support system, a set of credentials associated with the guest operating system;
  
  using, by the support system, the set of credentials on behalf of the guest operating system to establish a secure connection with the device, the support system acting as an endpoint of the secure connection in place of the guest operating system; and
  
  sending, by the support system over the secure connection, one or more communications between the guest operating system and the device, the support system processing the one or more communications to enable the secure connection.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The computer-implemented method of claim 7, the method further including:
    - receiving, by the support system of the host system, a request for a second secure connection with a second device to a second guest operating system on the host system;
      
      retrieving, by the support system, a second set of credentials associated with the second guest operating system;
      
      using, by the support system, the second set of credentials on behalf of the second guest operating system to establish a second secure connection with the second device, the support system acting as an endpoint of the second secure connection in place of the second guest operating system; and
      
      sending, by the support system over the second secure connection, one or more second communications between the second guest operating system and the second device.
  - 9. The computer-implemented method of claim 7, wherein using the set of credentials further includes storing the set of credentials by the support system on behalf of the guest operating system, the set of credentials unreadable to the guest operating system.
  - 10. The computer-implemented method of claim 7, wherein the support system is a hypervisor.
  - 11. The computer-implemented method of claim 7, wherein sending one or more communications further includes encrypting the one or more communications using a secure protocol.
  - 12. The computer-implemented method of claim 11, wherein the secure protocol is transport layer security.
  - 13. The computer-implemented method of claim 7, wherein the support system is a hardware security module.
  - 14. The computer-implemented method of claim 7, wherein the support system is a separate processor within the host system.
  - 15. The computer-implemented method of claim 7, wherein the support system encrypts at least some of the communication over the secure connection.

16. A computer system for enabling a secure connection, comprising:
- one or more processors; and
  
  memory, including instructions executable by the one or more processors to cause the computer system to at least;
  
  receive, by a support system having a set of guest systems, a secure communication directed to a guest system from the set of guest systems;
  
  select, by the support system, the guest system from the set of guest systems to which the secure communication is directed; and
  
  provide, by the host system using a set of credentials that represent an identity of the selected guest operating system, a decrypted message to the selected guest operating system, the decrypted message prepared from the secure communication, the credentials unavailable to the selected guest system.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The system of claim 16, the system further including a hardware security module, the hardware security module in communication with the one or more processors, the hardware security module providing encryption and decryption services to at least one of the one or more processors, the hardware security module accessible to the support system to decrypt the message.
  - 18. The system of claim 16, wherein the support system is a hardware security module.
  - 19. The system of claim 16, wherein the support system is a network device, the support system placed between the one or more guest systems and a network from which the secure communication is received.
  - 20. The system of claim 17, wherein providing a decrypted message further includes:
    - sending the secure communication to the hardware security module; and
      
      receiving the decrypted message from the hardware security module.
  - 21. The system of claim 16, wherein providing a decrypted message further includes:
    - receiving the secure communication through a first channel of communication, the receipt through the first channel causing the support system to decrypt the secure communication, wherein the support system is configured to decrypt communications received through the first channel; and
      
      passing through one or more communications received through a second channel of communication to the guest system, wherein the support system is configured to pass through communications received through a second channel.
  - 22. The system of claim 16, wherein providing a decrypted message further includes altering the decrypted message to indicate the decrypted message was previously encrypted.
  - 23. The system of claim 16, wherein the set of credentials include a private key assigned to the guest operating system.

24. One or more computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- receive, by a support system, a request for a secure connection with a device to a guest system;
  
  retrieve, by the support system, a set of credentials associated with the guest system, the credentials protected from access by the guest system;
  
  use, by the support system, the set of credentials on behalf of the guest system to establish a secure connection with the device, the support system acting as an endpoint of the secure connection in place of the guest system; and
  
  send, by the support system over the secure connection, one or more communications between the guest system and the device.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The computer-readable storage media of claim 24, the media further including instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
    - receive a request to add a secure connection service to the guest system, the service using the support system to manage secure connections on behalf of the guest system;
      
      request the set of credentials for the guest system be created; and
      
      store, by the support system, the set of credentials.
  - 26. The computer-readable storage media of claim 25, the media further including instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
    - send an offer to a user to add the secure connection service to the guest system in exchange for a fee; and
      
      receive the fee from the user in exchange for adding the secure connection service, the receipt of value indicating the request to add the secure connection service to the guest system be sent.
  - 27. The computer-readable storage media of claim 26, wherein the support system is selected from a group consisting of network hardware, network card, driver, and hypervisor.
  - 28. The computer-readable storage media of claim 24, wherein the request for a secure connection occurs through use of a channel of communication, wherein connections through the channel of communication are configured to be secured.
  - 29. The computer-readable storage media of claim 28, wherein the channel of communication is selected from a group consisting of port, virtual adapter and source IP address.
  - 30. The computer-readable storage media of claim 24, wherein the support system is embedded within a network interface card attached to the guest system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.), Qualcomm Innovation Center Incorporated (Qualcomm, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Baer, Graeme D., Brandwine, Eric J., Fitch, Nathan R., Crahen, Eric D.

Granted Patent

US 9,037,511 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/26.1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 9/44505   Configuring for program ini...

G06F 9/45558   Hypervisor-specific managem...

G06Q 30/06   Buying, selling or leasing ...

H04L 63/0209   Architectural arrangements,...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/08   for authentication of entit...

H04L 63/166   at the transport layer

IMPLEMENTATION OF SECURE COMMUNICATIONS IN A SUPPORT SYSTEM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

IMPLEMENTATION OF SECURE COMMUNICATIONS IN A SUPPORT SYSTEM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links