Packet authentication and encryption in virtual networks

US 8,584,228 B1
Filed: 12/29/2009
Issued: 11/12/2013
Est. Priority Date: 12/29/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for cryptographic key distribution in a physical network having a plurality of physical nodes, the method comprising:

receiving, by one or more computing systems configured to provide a mapping service, information mapping a virtual network address of a virtual node to a physical network address of a physical node, the virtual node being associated with a virtual network, and the received information identifying the virtual network address of the virtual node and the physical network address of the physical node; and

transmitting, by the one or more configured computing systems, a current version of a cryptographic key from the mapping service to the physical node,wherein;

a destination node receives from the physical node a packet generated by the virtual node, a hash value of a header of the packet, the hash value being computed using the current version of the cryptographic key, and an identifier of the current version of the cryptographic key;

the destination node selects a local version of the cryptographic key based on the received identifier; and

the destination node authenticates the received packet when a hash value that is computed locally using the local version of the cryptographic key matches the received hash value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods provide logic for distributing cryptographic keys in a physical network comprising a plurality of physical nodes. In one implementation, a computer-implemented method is provided for distributing cryptographic keys in a physical network. The method includes receiving information mapping a virtual network address of a virtual node to a physical network address of a physical node. The virtual node may be associated with a virtual network hosted by the physical node, and the received mapping information identifies a virtual network address of the node and the physical network address of the node. The mapping service transmits a current version of a cryptographic key and an identifier of the current version to the physical node.

18 Citations

View as Search Results

44 Claims

1. A computer-implemented method for cryptographic key distribution in a physical network having a plurality of physical nodes, the method comprising:
- receiving, by one or more computing systems configured to provide a mapping service, information mapping a virtual network address of a virtual node to a physical network address of a physical node, the virtual node being associated with a virtual network, and the received information identifying the virtual network address of the virtual node and the physical network address of the physical node; and
  
  transmitting, by the one or more configured computing systems, a current version of a cryptographic key from the mapping service to the physical node,wherein;
  
  a destination node receives from the physical node a packet generated by the virtual node, a hash value of a header of the packet, the hash value being computed using the current version of the cryptographic key, and an identifier of the current version of the cryptographic key;
  
  the destination node selects a local version of the cryptographic key based on the received identifier; and
  
  the destination node authenticates the received packet when a hash value that is computed locally using the local version of the cryptographic key matches the received hash value.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - generating, by the mapping service, an updated version of the cryptographic key; and
      
      transmitting, from the mapping service, the updated version of the cryptographic key and an identifier of the updated version of the cryptographic key to the physical node.
  - 3. The method of claim 1, wherein:
    - the identifier of the current version of the cryptographic key comprises a date associated with the current version of the cryptographic key; and
      
      the local version of the cryptographic key falls within a specified time period of the date.
  - 4. The method of claim 1, wherein:
    - the identifier of the current version of the cryptographic key comprises a version number of the current version of the cryptographic key; and
      
      the local version of the cryptographic key falls within a specified number of versions of the version number.
  - 5. The method of claim 1, wherein the destination node discards the received packet when the local hash value does not match the received hash value.
  - 6. The method of claim 1, wherein:
    - the physical node encrypts the generated packet using the current version of the cryptographic key;
      
      the physical node transmits the encrypted packet, the computed hash, and the identifier across the physical network to the destination node; and
      
      the destination node, upon authentication of the received packet, decrypts the received packet using the local version of the cryptographic key.
  - 7. The method of claim 1, wherein the destination node generates an alarm when the local hash value fails to match the received hash value.

8. A computer-implemented method for distributing cryptographic keys in a physical network having a plurality of physical nodes, the method comprising:
- under the control of one or more mapping server devices, and for each of multiple virtual networks;
  
  receiving, by the one or more mapping server devices, information mapping a virtual network address of a virtual node of the virtual network to a physical network address of a physical node, the received mapping information identifying the virtual network address of the virtual node within the virtual network and the physical network address of the physical node; and
  
  transmitting, by the one or more mapping server devices and based at least in part on the received mapping information, a cryptographic key associated with the virtual network to the physical node, to enable the physical node to use the cryptographic key with one or more packets generated by the virtual node.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 9. The method of claim 8, wherein the physical node comprises a physical computing system.
  - 10. The method of claim 8, wherein the cryptographic key is specific to a physical computing system associated with the physical node, to a subset of the plurality of physical nodes that includes the physical node, to one or more virtual nodes of the virtual network, or to the physical network.
  - 11. The method of claim 8, wherein, for at least one of the multiple virtual networks, the transmitting of the cryptographic key to the physical node includes:
    - generating an updated version of the cryptographic key; and
      
      transmitting the updated version of the cryptographic key and an identifier of the updated version of the cryptographic key to the physical node.
  - 12. The method of claim 11, wherein transmitting the updated version of the cryptographic key comprises:
    - transmitting the updated version of the cryptographic key to the physical node at a periodic interval, at a non-periodic interval, or in response a communication from the physical node.
  - 13. The method of claim 8, wherein, for at least one of the multiple virtual networks, transmitting the cryptographic key comprises:
    - transmitting additional data to the physical node, the transmitted additional data being filtered according to access data associated with the physical node.
  - 14. The method of claim 8, wherein, for at least one of the multiple virtual networks:
    - the virtual node generates a packet for transmission across the physical network;
      
      the physical node computes a hash value of a header of the generated packet using the cryptographic key; and
      
      the physical node transmits the generated packet, the computed hash value, and an identifier of the current version of the cryptographic key across the physical network.
  - 15. The method of claim 14, wherein, for the at least one virtual network, the computed hash value is based at least in part on the header of the generated packet and a payload of the generated packet.
  - 16. The method of claim 14, wherein, for the at least one virtual network:
    - the physical node encrypts the generated packet to form an encrypted packet; and
      
      the physical node transmits the encrypted packet, the computed hash value, and the identifier across the physical network.
  - 17. The method of claim 8, wherein, for at least one of the multiple virtual networks:
    - the physical node receives a packet, a corresponding hash value, and an identifier of a current version of the cryptographic key;
      
      the physical node selects a local version of the cryptographic key based on the received identifier and computes a local hash value of the received packet using the local version of the cryptographic key; and
      
      the physical node compares the computed local hash value with the received hash value.
  - 18. The method of claim 17, wherein, for the at least one virtual network, the physical node authenticates the received packet when the local hash value matches the received hash value.
  - 19. The method of claim 17, wherein, for the at least one virtual network:
    - the received packet is encrypted; and
      
      the physical node, upon authentication of the received packet, decrypts the received packet.
  - 20. The method of claim 17, wherein, for the at least one virtual network, the physical node discards the received packet when the local hash value fails to match the received hash value.
  - 21. The method of claim 17, wherein, for the at least one virtual network, the physical node generates an alarm signal when the local hash value fails to match the received hash value.
  - 22. The method of claim 17, wherein, for the at least one virtual network:
    - the identifier comprises a date associated with the current version of the cryptographic key; and
      
      the local version of the cryptographic key falls within a specified time period of the date.
  - 23. The method of claim 17, wherein, for the at least one virtual network:
    - the identifier comprises a version number of the current version of the cryptographic key; and
      
      the local version of the cryptographic key falls within a specified number of versions of the version number.
  - 24. The method of claim 8, wherein a first of the multiple virtual networks is associated with a first user, wherein a distinct second of the multiple virtual networks is associated with a distinct second user, and wherein the one or more mapping server devices are part of a mapping service that stores information associated with the plurality of nodes of the physical network, the information identifying one or more of the multiple virtual networks that are hosted by the physical nodes, and identifying one or more virtual nodes of the one or more virtual networks.

25. A system for key distribution within a physical network, comprising:
- a physical node; and
  
  a mapping server in communication with the node, the mapping server comprising a processor and a storage device, wherein the mapping server is configured to;
  
  receive first information mapping a first virtual network address of a first virtual node associated with a first virtual network to a physical network address of a physical node, the received mapping information identifying the virtual network address of the virtual node and the physical network address of the physical node; and
  
  based at least in part on the received mapping information, transmit a first cryptographic key associated with the first virtual network to the physical node, to enable the physical node to use the first cryptographic key with one or more generated packets on behalf of the first virtual node.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 44)
- - 26. The system of claim 25, wherein the physical node comprises a physical computing system hosting the first and second virtual nodes, and wherein the mapping server is further configured to transmit a second cryptographic key associated with the second virtual network to the physical node, to enable the physical node to use the second cryptographic key with one or more generated packets on behalf of the second virtual node.
  - 27. The system of claim 25, wherein the transmitting of the first cryptographic key to the physical node includes:
    - generating an updated version of the first cryptographic key; and
      
      transmitting the updated version of the first cryptographic key and an identifier of the updated version to the physical node.
  - 28. The system of claim 27, wherein the mapping server is further configured to:
    - transmit the updated version of the first cryptographic key to the physical node at a periodic interval, at a non-periodic interval, or in response to a communication from the physical node.
  - 29. The system of claim 25, wherein the mapping server is further configured to:
    - transmit additional data to the physical node, the transmitted additional data being filtered according to access data associated with the physical node.
  - 30. The system of claim 25, wherein:
    - the first virtual node generates a packet for transmission across the physical network;
      
      the physical node computes a hash value of a header of the generated packet using the first cryptographic key; and
      
      the physical node transmits the generated packet, the computed hash value, and an identifier of the first cryptographic key across the physical network.
  - 31. The system of claim 30, wherein the computed hash value is based on the header of the generated packet and a payload of the generated packet.
  - 32. The system of claim 30, further wherein:
    - the physical node encrypts the generated packet to form an encrypted packet; and
      
      the physical node transmits the encrypted packet, the computed hash, and the identifier across the physical network.
  - 33. The system of claim 25, wherein:
    - the physical node receives a packet, a corresponding hash value, and an identifier of a current version of the first cryptographic key;
      
      the physical node selects a local version of the first cryptographic key based on the received identifier and computes a local hash value of the received packet using the local version of the first cryptographic key; and
      
      the physical node compares the computed local hash value with the received hash value.
  - 34. The system of claim 33, wherein the physical node authenticates the received packet when the local hash value matches the received hash value.
  - 35. The system of claim 33, wherein:
    - the received packet is encrypted; and
      
      the physical node, upon authentication of the received packet, decrypts the received packet.
  - 36. The system of claim 33, wherein:
    - the identifier comprises a date associated with the current version of the first cryptographic key; and
      
      the local version of the first cryptographic key falls within a specified time period of the date.
  - 37. The system of claim 33 wherein:
    - the identifier comprises a version number of the current version of the first cryptographic key; and
      
      the local version of the first cryptographic key falls within a specified number of versions of the version number.
  - 38. The system of claim 33, wherein the physical node discards the received packet when the computed hash value does not match the received hash value.
  - 39. The system of claim 33, wherein the physical node generates an alarm signal when the computed hash value fails to match the received hash value.
  - 40. The system of claim 25, wherein the first virtual node is one of multiple virtual nodes associated with the first virtual network, wherein the second virtual node is one of multiple other virtual nodes associated with the second virtual network, and wherein the mapping server stores information associated with the first and second virtual nodes, the information comprising information identifying at least the first and second virtual networks and information identifying at least some of the multiple virtual nodes of the first virtual network and at least some of the multiple other virtual nodes of the second virtual network.
  - 44. The system of claim 25 wherein the first information is received from a first user that is associated with the first virtual network, and wherein the second information is received from a distinct second user that is associated with the second virtual network.

41. A non-transitory computer-readable medium storing program instructions providing key distribution in a physical network, the program instructions being executed by a processor to perform a process comprising:
- for each of multiple virtual networks;
  
  receiving information mapping a virtual network address of a virtual node of the virtual network to a physical network address of a physical node, the received mapping information identifying the virtual network address of the virtual node within the virtual network and the physical network address of the physical node; and
  
  transmitting, based at least in part on the received mapping information, a current version of a cryptographic key associated with the virtual network to the physical node, to enable the physical node to use the current version of the cryptographic key with one or more generated packets on behalf of the virtual node.
- View Dependent Claims (42, 43)
- - 42. The non-transitory computer-readable medium of claim 41, wherein the process further comprises transmitting an identifier of the updated version of the cryptographic key to the physical node.
  - 43. The non-transitory computer-readable medium of claim 41 wherein a first of the multiple virtual networks is associated with a first user, and wherein a distinct second of the multiple virtual networks is associated with a distinct second user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric J., Searle, Ian R.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Le, David

Application Number

US12/654,706
Time in Patent Office

1,414 Days
Field of Search

380277-279, 370/396, 370/398
US Class Current

726/15
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 61/45   Network directories; Name-t...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/123   received data contents, e.g...

Packet authentication and encryption in virtual networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Packet authentication and encryption in virtual networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links