SECURE KEY MANAGEMENT PROTOCOL FOR DISTRIBUTED NETWORK ENCRYPTION

US 20180063103A1
Filed: 01/31/2017
Published: 03/01/2018
Est. Priority Date: 08/26/2016
Status: Active Grant

First Claim

Patent Images

1. A method of providing encryption services in a system comprising a plurality of computing machines, the method comprising:

from a server that provides encryption rules for encrypting messages on a host on which a plurality of compute nodes (CNs) execute, receiving a key voucher at the host;

sending the key voucher to a key manager that is different than the server, in order to retrieve an encryption key, said key voucher authenticating the host as an authorized key requestor;

receiving a key from the key manager; and

encrypting a message sent by a compute node on the host using the received key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For an encryption management module of a host that executes one or more data compute nodes (DCNs), some embodiments of the invention provide a method of providing key management and encryption services. The method initially receives an encryption key ticket at an encryption management module to be used to retrieve an encryption key identified by the ticket from a key manager. When the encryption key has been retrieved, the method uses the encryption key to encrypt a message sent by a data compute node executing on the host requiring encryption according to an encryption rule. The encryption key ticket, in some embodiments, is generated for an encryption management module to implement the principle of least privilege. The ticket acts as a security token in retrieving encryption keys from a key manager. Ticket distribution and encryption rule distribution are independent of each other in some embodiments.

32 Citations

View as Search Results

29 Claims

1. A method of providing encryption services in a system comprising a plurality of computing machines, the method comprising:
- from a server that provides encryption rules for encrypting messages on a host on which a plurality of compute nodes (CNs) execute, receiving a key voucher at the host;
  
  sending the key voucher to a key manager that is different than the server, in order to retrieve an encryption key, said key voucher authenticating the host as an authorized key requestor;
  
  receiving a key from the key manager; and
  
  encrypting a message sent by a compute node on the host using the received key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the key voucher comprises an authentication parameter that authenticates the key request.
  - 3. The method of claim 1, wherein the key voucher comprises key identification data.
  - 4. The method of claim 3 further comprising receiving encryption rules from the server separately from the key voucher.
  - 5. The method of claim 1,wherein a key voucher is generated based on a key policy, andwherein a key voucher is only generated for the host if the key policy applies to the hypervisor.
  - 6. The method of claim 5, wherein whether a particular key policy applies to a particular host is determined based on a set of encryption rules, each encryption rule in the set of encryption rules referring to one key policy in a set of key policies.
  - 7. The method of claim 6, whereinthe encryption rule in the set of encryption rules is applied to a set of hosts;
    - anda particular key policy applies to a particular host further if at least one encryption rule referring to the particular key policy is applied to the particular host.
  - 8. The method of claim 5, wherein the key policy comprises a key manager specification, a key algorithm specification, a key strength specification, and a key rotation specification.
  - 9. The method of claim 6, wherein the key voucher comprises a plurality of data fields.
  - 10. The method of claim 9, wherein the plurality of data fields comprises a key ID field, a hypervisor ID field, an expiry field, and a controller signature field.
  - 11. The method of claim 9, wherein sending the key voucher to retrieve an encryption key further comprises sending the key voucher as part of a request to the key manager, the request comprising the key voucher, a requested key algorithm, and a requested key length.
  - 12. The method of claim 11, wherein if the key manager does not store an encryption key identified by the request, the key manager generates an encryption key for the request, returns the generated encryption key for retrieval, and stores the generated encryption key;
    - andif the key manager stores an encryption key identified by the request, the key manager returns the stored encryption key for retrieval.
  - 13. The method of claim 12, wherein returning an encryption key for retrieval further comprises a verification of the expiry field and controller signature.

14. A method of providing encryption keys in a system comprising a plurality of computing machines, the method comprising:
- receiving a key voucher at a key manager, said key voucher authenticating the host as an authorized key requestor;
  
  verifying that the key voucher is valid; and
  
  returning an encryption key identified by the key voucher to the host from which the key voucher was received for the host to use in encrypting messages sent from a compute node (CN) executing on the host.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14, wherein verifying that the key voucher is valid comprises verifying that a server that generated the key voucher was authorized to generate the key voucher.
  - 16. The method of claim 15, wherein verifying that the server that generated the key voucher was authorized to generate the key voucher comprises using a certificate of the server received during a registration process.
  - 17. The method of claim 14, wherein verifying that the key voucher is valid comprises verifying that an encryption key identified in the key voucher has not expired.
  - 18. The method of claim 17, wherein the expiry of the identified encryption key is specified in a key policy for the identified encryption key.
  - 19. The method of claim 17, wherein the expiry of the identified encryption key is based on the length of time the key has been in use.
  - 20. The method of claim 17, wherein the expiry of the identified encryption key is based on the amount of data the encryption key has been used to encrypt.
  - 21. The method of claim 14, wherein the key manager is a hardware appliance.

22. A method of configuring a system to provide encryption services in a system comprising a plurality of computing machines, the method comprising:
- receiving an encryption key policy from a manager computer;
  
  generating, for an encryption management module executing on a host computer, a key voucher based on the received encryption key policy; and
  
  sending the generated key voucher to the encryption management module to be used to retrieve, from a key manager, an encryption key identified by the key voucher.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The method of claim 22 further comprising:
    - receiving an encryption rule from a manager computer; and
      
      distributing the received encryption rule to a set of encryption management modules executing on a set of host computers, a particular encryption management module using the encryption rules to determine that a data message sent from a compute node (CN) executing on the same host requires encryption.
  - 24. The method of claim 23, wherein the encryption rule refers to a key policy to identify an encryption key used to encrypt data messages that require encryption based on the encryption rule.
  - 25. The method of claim 23, wherein determining that a data message requires encryption comprises determining that a data message should have an integrity check value appended.
  - 26. The method of claim 22, wherein generating a key voucher comprises generating a set of key vouchers, each key voucher in the set of key vouchers comprising a unique pair of security parameter indices (SPIs) and key identifiers (KIDs).
  - 27. The method of claim 23, wherein the encryption key identifier is only generated for the encryption management module if the encryption key policy applies to computing machines executing on the same host as the encryption management module.
  - 28. The method of claim 22 wherein the key voucher includes at least one of a key identifier, a host identifier, an expiry for the key voucher, and a controller signature.
  - 29. The method of claim 22, wherein using the key voucher to retrieve an encryption key further comprises sending a request to the key manager, said request including the key voucher.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Jahid, Sonia, Chandrashekhar, Ganesan, Qian, Bin, Feroz, Azeem

Granted Patent

US 10,798,073 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/061 for key exchange, e.g. in p...

H04L 63/0807 using tickets, e.g. Kerbero...

SECURE KEY MANAGEMENT PROTOCOL FOR DISTRIBUTED NETWORK ENCRYPTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

SECURE KEY MANAGEMENT PROTOCOL FOR DISTRIBUTED NETWORK ENCRYPTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others