SECURE DATA HANDLING BY A VIRTUAL MACHINE

US 20150244710A1
Filed: 09/09/2013
Published: 08/27/2015
Est. Priority Date: 10/12/2012
Status: Active Grant

First Claim

Patent Images

1. A system for executing a virtual machine instance, comprisingan executing environment for creating a virtual machine instance, wherein the virtual machine instance comprises:

an instance authorization unit for receiving an instance authorization credential created externally of the virtual machine instance, wherein the instance authorization credential is uniquely associated with the virtual machine instance;

a data key unit for generating a request for a data key, based on the instance authorization credential associated with the virtual machine instance; and

a decryption unit for decrypting a data item based on the data key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for executing a virtual machine instance is provided. An executing environment (11) is arranged for creating a virtual machine instance (10). The virtual machine instance (10) comprises an instance authorization unit (1) for receiving an instance authorization credential, wherein the instance authorization credential is uniquely associated with the virtual machine instance (10). A data key unit (2) is arranged for generating a request for a data key, based on the instance authorization credential associated with the virtual machine instance (10). A decryption unit (3) is arranged for decrypting a data item (7) based on the data key. A key server system (6) is arranged for issuing keys to a virtual machine instance (10). An instance authorization providing unit (22) is arranged for providing the instance authorization credential to the virtual machine instance (10).

29 Citations

View as Search Results

15 Claims

1. A system for executing a virtual machine instance, comprisingan executing environment for creating a virtual machine instance, wherein the virtual machine instance comprises:
- an instance authorization unit for receiving an instance authorization credential created externally of the virtual machine instance, wherein the instance authorization credential is uniquely associated with the virtual machine instance;
  
  a data key unit for generating a request for a data key, based on the instance authorization credential associated with the virtual machine instance; and
  
  a decryption unit for decrypting a data item based on the data key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system according to claim 1, wherein the virtual machine instance further comprises a user credential unit for obtaining a user credential associated with a user or a group of users, and wherein the data key unit arranged for generating the request further based on the user credential or the decryption unit is arranged for decrypting the data item further based on the user credential.
  - 3. The system according to claim 1, wherein the instance authorization unit is arranged for issuing a request for the instance authorization credential, wherein the request is indicative of at least one attribute that is specific to the virtual machine instance.
  - 4. The system according to claim 3, further comprisingan instance owner unit for registering an authorization code associated with the virtual machine instance at a key server and providing the authorization code to the virtual machine instance;
    - wherein said at least one attribute is indicative of the authorization code.
  - 5. The system according to claim 4, wherein the instance owner unit is arranged for sending an instruction comprising an authorization code to the executing environment of virtual machines, and wherein the executing environment is arranged for creating the virtual machine instance and providing the authorization code to the virtual machine instance in response to receiving the instruction.
  - 6. The system according claim 1, wherein the data key unit is arranged for including in the request for the data key a code that is indicative of a position of the request in a sequence of requests issued by the virtual machine instance.
  - 7. The system according to claim 1, wherein the virtual machine instance is arranged for keeping the data key and/or data decrypted using the data key in a volatile memory and/or erasing the data key and the data decrypted using the data key after use.

8. A key server system for issuing keys to a virtual machine instance, comprisingan instance identifying unit for identifying a virtual machine instance based on at least one attribute that is specific to the virtual machine instance;
- an instance authorization determiner for determining an instance authorization credential, and uniquely associating the instance authorization credential with the virtual machine instance;
  
  an instance authorization providing unit for providing the instance authorization credential to the virtual machine instance;
  
  a data key request receiver for receiving a request for a data key from the virtual machine instance, wherein the request for the data key comprises an instance authorization component associated with the instance authorization credential;
  
  a data authorization unit for determining whether the virtual machine instance is authorized to receive the data key based on the instance authorization component; and
  
  a data key providing unit for providing the data key to the virtual machine instance if the virtual machine instance is authorized to receive the data key.
- View Dependent Claims (9, 10, 11)
- - 9. The key server system according to claim 8, further comprisingan instance credential request receiver for receiving a request for the instance authorization credential from the virtual machine instance, wherein the request is indicative of the attribute that is specific to the virtual machine instance;
    - andan instance validation unit for verifying a validity of the virtual machine instance based on the attribute.
  - 10. The key server system according to claim 8, wherein the data authorization unit is arranged for performing the determining whether the virtual machine instance is authorized to receive the data key further based on the location of the virtual machine instance;
    - or the instance validation unit is arranged for performing the verifying of the validity of the virtual machine instance further based on an attribute indicative of a location of the virtual machine instance.
  - 11. The key server system according to claim 8,wherein the request for the data key is further indicative of a user credential that is associated with a user or a group of users of the virtual machine instance, andwherein the data authorization unit is arranged for performing the determining whether the virtual machine instance is authorized to receive the data key further based on the indication of the user credential received with the request for the data key and an access policy of the data protected by the data key.

12. A virtual machine image capable of being instantiated as a virtual machine instance, wherein the virtual machine image comprises:
- instruction code for causing the virtual machine instance to receive an instance authorization credential created externally of the virtual machine instance, wherein the instance authorization credential is uniquely associated with the virtual machine instance;
  
  instruction code for causing the virtual machine instance to generate a request for a data key, based on the instance authorization credential associated with the virtual machine instance; and
  
  instruction code for causing the virtual machine instance to decrypt a data item based on the data key.

13. A method of executing a virtual machine instance, the method comprising, by the virtual machine instance:
- receiving an instance authorization credential, wherein the instance authorization credential is uniquely associated with the virtual machine instance;
  
  generating a request for a data key, based on the instance authorization credential associated with the virtual machine instance; and
  
  decrypting a data item based on the data key.
- View Dependent Claims (15)
- - 15. A computer program product comprising instructions for causing a processor system to perform the method according to claim 13.

14. A method of issuing keys to a virtual machine instance, comprisingidentifying a virtual machine instance based on at least one attribute that is specific to the virtual machine instance;
- determining an instance authorization credential, and uniquely associating the instance authorization credential with the virtual machine instance;
  
  providing the instance authorization credential to the virtual machine instance;
  
  receiving a request for a data key from the virtual machine instance, wherein the request for the data key comprises an instance authorization component associated with the instance authorization credential;
  
  determining whether the virtual machine instance is authorized to receive the data key based on the instance authorization component; and
  
  providing the data key to the virtual machine instance if the virtual machine instance is authorized to receive the data key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Koninklijke Philips N.V.
Original Assignee
Koninklijke Philips N.V.
Inventors
Koster, Robert Paul, Petkovic, Milan, Deng, Mina

Granted Patent

US 9,635,013 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/44   Program or device authentic...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2125   Just-in-time application of...

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0457   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/065   for group communications cr...

H04L 63/0823   using certificates cryptogr...

H04L 9/083   involving central third par...

SECURE DATA HANDLING BY A VIRTUAL MACHINE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE DATA HANDLING BY A VIRTUAL MACHINE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links