Encryption Architecture

US 20150379277A1
Filed: 06/30/2014
Published: 12/31/2015
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method of encrypting messages on a computer on which multiple virtual machines (VMs) execute, the method comprising:

intercepting a data message transmitted by a particular VM;

determining whether the data message should be encrypted by analyzing a set of attributes of the data message; and

encrypting the data message upon determining that the data message should be encrypted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host. When two different GVMs are part of two different logical overlay networks that are implemented on common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently than the data messages exchanged between the GVMs of another logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.

52 Citations

View as Search Results

24 Claims

1. A method of encrypting messages on a computer on which multiple virtual machines (VMs) execute, the method comprising:
- intercepting a data message transmitted by a particular VM;
  
  determining whether the data message should be encrypted by analyzing a set of attributes of the data message; and
  
  encrypting the data message upon determining that the data message should be encrypted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the particular VM is a first VM and the data message is a first data message, the method further comprising:
    - intercepting a second data message transmitted by a second VM;
      
      determining whether the second data message should be encrypted by analyzing a set of attributes of the second data message; and
      
      encrypting the second data message upon determining that the data message should be encrypted.
  - 3. The method of claim 1, wherein the particular VM is a first VM and the data message is a first data message, the method further comprising:
    - intercepting a second data message transmitted by a second VM;
      
      determining whether the second data message should be encrypted by analyzing a set of attributes of the second data message; and
      
      foregoing the encryption of the second data message upon determining that the second data message should not be encrypted.
  - 4. The method of claim 1, wherein intercepting the data message comprises intercepting the data message along an egress datapath of the data message out from the particular VM.
  - 5. The method of claim 4, wherein the egress datapath leads the data message out of the host.
  - 6. The method of claim 4, wherein the egress datapath leads the data message out of the host or leads the data message to another VM executing on the host.
  - 7. The method of claim 4,wherein the egress data path includes a software forwarding element that executes on the host to provide forwarding operations that lead the data message to a destination of the data message;
    - wherein the forwarding element has a plurality of ports that are connected to sources and destinations for the data messages; and
      
      wherein intercepting the data message along the egress datapath comprises capturing the data message at one of said ports and forwarding the data message to an encryptor that performs said determination and encryption operations.
  - 8. The method of claim 1, wherein determining whether the data message should be encrypted comprises using the set of attributes of the data message to identify an encryption rule that specifies that the data message should be encrypted.
  - 9. The method of claim 1, wherein the set of attributes of the data message comprises a set of values in a header field of the data message.

10. A host computer for executing multiple virtual machines (VMs), the host comprising:
- an encryption agent for receiving encryption configuration data from a set of controllers; and
  
  a set of encryptors for encrypting data messages sent from one or more of the VMs, based on the received encryption configuration data.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 11. The host of claim 10, wherein the set of encryptors includes one encryptor for all VMs executing on the host, wherein the encryptor determines whether each data message from a VM has to be encrypted, and encrypts the data message when the encryptor determines that the data message should be encrypted.
  - 12. The host of claim 10, wherein the set of encryptors includes one encryptor for each group of related VMs that executes on the host, wherein each encryptor determines whether each data message from a VM in its group of VMs has to be encrypted, and encrypts the data message when the encryptor determines that the data message should be encrypted.
  - 13. The host of claim 10, wherein the set of encryptors includes one encryptor for each VM executing on the host, wherein each encryptor determines whether each data message from the encryptor'"'"'s corresponding VM has to be encrypted, and encrypts the data message when the encryptor determines that the data message should be encrypted.
  - 14. The host of claim 10, wherein the set of encryptors includes first and second encryptors respectively for first and second VMs executing on the host, wherein the first encryptor determines that data messages from the first VM have to be encrypted, while the second encryptor determines that data messages from the second VM do not have to be encrypted.
  - 15. The host of claim 14, wherein the first encryptor determines that the first-VM data messages should be encrypted and the second encryptor determines that the second-VM data messages should not be encrypted by comparing sets of attributes of the first-VM messages and the second-VM messages with the corresponding attributes of the encryption rules in order to find a matching encryption rule.
  - 16. The host of claim 10, wherein the encryption configuration data comprises identity information of at least one key manager to contact in order to retrieve encryption keys.
  - 17. The host of claim 16, wherein the encryption configuration data further comprises encryption key identifiers of the encryption keys that need to be retrieved.
  - 18. The host of claim 10, wherein the encryption configuration data comprises encryption key identifiers of the encryption keys that need to be retrieved.
  - 19. The host of claim 10, wherein the encryption configuration data comprises encryption policies that the encryption agent needs to resolve in order to generate encryption rules for the set of encryptors to enforce.
  - 20. The host of claim 19, wherein the generated encryption rules are a first set of encryption rules, wherein the encryption configuration data further comprises a second set of encryption rules for the set of encryptors to enforce.
  - 21. The host of claim 10, wherein the encryption configuration data comprises encryption rules that the set of encryptors needs to enforce.
  - 22. The host of claim 10, wherein the set of encryptors are further for decrypting encrypted data messages received from one or more VMs.

23. A non-transitory machine readable medium storing a program for encrypting messages on a computer on which multiple virtual machines (VMs) execute, the program comprising sets of instructions for:
- intercepting a data message transmitted by a particular VM;
  
  determining whether the data message should be encrypted by analyzing a set of attributes of the data message; and
  
  encrypting the data message upon determining that the data message should be encrypted.

24-31. -31. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Leonard Heyman
Inventors
Thota, Kiran Kumar, Feroz, Azeem, Wiese, James C.

Granted Patent

US 10,445,509 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

G06F 21/602   Providing cryptographic fac...

G06F 21/6236   between heterogeneous systems

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/542   Event management; Broadcast...

G09C 1/00   Apparatus or methods whereb...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0428   wherein the data content is...

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 9/14   using a plurality of keys o...

Encryption Architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption Architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links