Distribution of cryptographic host keys in a cloud computing environment

US 8,909,939 B1
Filed: 04/04/2012
Issued: 12/09/2014
Est. Priority Date: 04/04/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, using one or more data processing apparatuses, a plurality of different requests for an encryption key pair from a plurality of different virtual machines, wherein each virtual machine is a hardware virtualization;

for each request, generating, using the one or more data processing apparatuses, a host key pair, the host key pair comprising an encryption key and a decryption key for encrypting and decrypting communications between a respective virtual machine that sent the request and a client device that is separate from the respective virtual machine;

for each request, sending, using the one or more data processing apparatuses, the host key pair to a metadata server for the respective virtual machine that sent the request, wherein the metadata server is configured to exchange metadata with the respective virtual machine, and wherein each host key pair is sent to the respective virtual machine using a different metadata server for each host key pair; and

providing, using the one or more data processing apparatuses, the encryption key of the host key pair to the client device upon a client request from the client device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatuses, including computer programs encoded on a computer storage medium, for distribution of cryptographic keys. In one aspect, a method includes receiving a plurality of requests, each request being received by a different respective virtual machine of a plurality of virtual machines; generating, by each of the virtual machines, a different host key pair, wherein each of the host key pairs comprises an encryption key and a decryption key that are associated with the virtual machine that generated it; providing, by each of the virtual machines, the encryption key generated by the virtual machine to a distinct metadata server that stores parameters of the virtual machine; and sending, from each of the metadata servers, the encryption key generated by the virtual machine that the metadata server is configured to communicate with to an application programming interface system.

Citations

30 Claims

1. A method comprising:
- receiving, using one or more data processing apparatuses, a plurality of different requests for an encryption key pair from a plurality of different virtual machines, wherein each virtual machine is a hardware virtualization;
  
  for each request, generating, using the one or more data processing apparatuses, a host key pair, the host key pair comprising an encryption key and a decryption key for encrypting and decrypting communications between a respective virtual machine that sent the request and a client device that is separate from the respective virtual machine;
  
  for each request, sending, using the one or more data processing apparatuses, the host key pair to a metadata server for the respective virtual machine that sent the request, wherein the metadata server is configured to exchange metadata with the respective virtual machine, and wherein each host key pair is sent to the respective virtual machine using a different metadata server for each host key pair; and
  
  providing, using the one or more data processing apparatuses, the encryption key of the host key pair to the client device upon a client request from the client device.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein a particular request of the plurality of requests is generated by a virtual machine of the plurality of virtual machines or by the client device.
  - 3. The method of claim 1 wherein the one or more data processing apparatuses are one or more servers that provides an application programming interface and is configured to communicate with the client device using a secure protocol.
  - 4. The method of claim 1 wherein the host key pair is generated during bootup of the respective virtual machine.

5. A method performed by one or more data processing apparatuses, the method comprising:
- receiving a plurality of requests for an encryption key pair, each request being received by a different respective virtual machine of a plurality of virtual machines, wherein the virtual machines are hardware virtualizations, and wherein the virtual machines execute on the one or more data processing apparatuses;
  
  generating, by each of the virtual machines, a host key pair for the virtual machine, wherein each of the host key pairs comprises an encryption key and a decryption key for encrypting and decrypting communications between the virtual machine that generated the host key pair and a client device that is separate from the each of the virtual machines;
  
  providing, by each of the virtual machines, the encryption key generated by the virtual machine to a distinct metadata server that stores parameters of the virtual machine and that is configured to communicate with the virtual machine but not with other virtual machines of the plurality of virtual machines; and
  
  sending, from each of the metadata servers, the encryption key generated by the virtual machine that the metadata server is configured to communicate with to an application programming interface system.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The method of claim 5 wherein the request is generated by a virtual machine or by a client device.
  - 7. The method of claim 5 wherein the metadata server is configured to communicate with the virtual machine using a secure protocol.
  - 8. The method of claim 5 wherein the host key pair is generated during bootup of the virtual machine.
  - 9. The method of claim 5 wherein the application programming interface system includes data processing apparatuses that are configured to process client requests.
  - 10. The method of claim 9 wherein the client requests include requests for the encryption key associated with the virtual machine, status of the virtual machine, or load of the virtual machine.

11. A system comprising:
- one or more data processing apparatus; and
  
  computer-readable medium coupled to the one or more data processing apparatus and having instructions stored thereon, which, when executed by the one or more data processing apparatus, cause the one or more data processing apparatus to perform operations comprising;
  
  receiving, using one or more data processing apparatuses, a plurality of different requests for an encryption key pair from a plurality of different virtual machines, wherein each virtual machine is a hardware virtualization;
  
  for each request, generating, using the one or more data processing apparatuses, a host key pair, the host key pair comprising an encryption key and a decryption key for encrypting and decrypting communications between a respective virtual machine that sent the request and a client device that is separate from the respective virtual machine;
  
  for each request, sending, using the one or more data processing apparatuses, the host key pair to a metadata server for the respective virtual machine that sent the request, wherein the metadata server is configured to exchange metadata with the respective virtual machine, and wherein each host key pair is sent to the respective virtual machine using a different metadata server for each host key pair; and
  
  providing, using the one or more data processing apparatuses, the encryption key of the host key pair to the client device upon a client request from the client device.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11 wherein a particular request of the plurality of requests is generated by a virtual machine of the plurality of virtual machines or by the client device.
  - 13. The system of claim 11 wherein the one or more data processing apparatuses are one or more servers that provides an application programming interface and is configured to communicate with the client device using a secure protocol.
  - 14. The system of claim 11 wherein the host key pair is generated during bootup of the respective virtual machine.

15. A system comprising:
- one or more data processing apparatus; and
  
  computer-readable medium coupled to the one or more data processing apparatus and having instructions stored thereon, which, when executed by the one or more data processing apparatus, cause the one or more data processing apparatus to perform operations comprising;
  
  receiving a plurality of requests for an encryption key pair, each request being received by a different respective virtual machine of a plurality of virtual machines, wherein the virtual machines are hardware virtualizations, and wherein the virtual machines execute on the one or more data processing apparatuses;
  
  generating, by each of the virtual machines, a host key pair for the virtual machine, wherein each of the host key pairs comprises an encryption key and a decryption key for encrypting and decrypting communications between the virtual machine that generated the host key pair and a client device that is separate from the each of the virtual machines;
  
  providing, by each of the virtual machines, the encryption key generated by the virtual machine to a distinct metadata server that stores parameters of the virtual machine and that is configured to communicate with the virtual machine but not with other virtual machines of the plurality of virtual machines; and
  
  sending, from each of the metadata servers, the encryption key generated by the virtual machine that the metadata server is configured to communicate with to an application programming interface system.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15 wherein the request is generated by a virtual machine or by a client device.
  - 17. The system of claim 15 wherein the metadata server is configured to communicate with the virtual machine using a secure protocol.
  - 18. The system of claim 15 wherein the host key pair is generated during bootup of the virtual machine.
  - 19. The system of claim 15 wherein the application programming interface system includes data processing apparatuses that are configured to process client requests.
  - 20. The system of claim 19 wherein the client requests include requests for the encryption key associated with the virtual machine, status of the virtual machine, or load of the virtual machine.

21. A non-transitory computer-readable medium having instructions stored thereon, which, when executed by a one or more data processing apparatus, cause the one or more data processing apparatus to perform operations comprising:
- receiving, using the one or more data processing apparatuses, a plurality of different requests for an encryption key pair from a plurality of different virtual machines, wherein each virtual machine is a hardware virtualization;
  
  for each request, generating, using the one or more data processing apparatuses, a host key pair, the host key pair comprising an encryption key and a decryption key for encrypting and decrypting communications between a respective virtual machine that sent the request and a client device that is separate from the respective virtual machine;
  
  for each request, sending, using the one or more data processing apparatuses, the host key pair to a metadata server for the respective virtual machine that sent the request, wherein the metadata server is configured to exchange metadata with the respective virtual machine, and wherein each host key pair is sent to the respective virtual machine using a different metadata server for each host key pair; and
  
  providing, using the one or more data processing apparatuses, the encryption key of the host key pair to the client device upon a client request from the client device.
- View Dependent Claims (22, 23, 24)
- - 22. The computer-readable medium of claim 21 wherein a particular request of the plurality of requests is generated by a virtual machine of the plurality of virtual machines or by the client device.
  - 23. The computer-readable medium of claim 21 wherein the one or more data processing apparatuses are one or more servers that provides an application programming interface and is configured to communicate with the client device using a secure protocol.
  - 24. The computer-readable medium of claim 21 wherein the host key pair is generated during bootup of the respective virtual machine.

25. A non-transitory computer-readable medium having instructions stored thereon, which, when executed by a processor, cause the processor to perform operations comprising:
- receiving a plurality of requests for an encryption key pair, each request being received by a different respective virtual machine of a plurality of virtual machines, wherein the virtual machines are hardware virtualizations, and wherein the virtual machines execute on the one or more data processing apparatuses;
  
  generating, by each of the virtual machines, a host key pair for the virtual machine, wherein each of the host key pairs comprises an encryption key and a decryption key for encrypting and decrypting communications between the virtual machine that generated the host key pair and a client device that is separate from the each of the virtual machines;
  
  providing, by each of the virtual machines, the encryption key generated by the virtual machine to a distinct metadata server that stores parameters of the virtual machine and that is configured to communicate with the virtual machine but not with other virtual machines of the plurality of virtual machines; and
  
  sending, from each of the metadata servers, the encryption key generated by the virtual machine that the metadata server is configured to communicate with to an application programming interface system.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The computer-readable medium of claim 25 wherein the request is generated by a virtual machine or by a client device.
  - 27. The computer-readable medium of claim 25 wherein the metadata server is configured to communicate with the virtual machine using a secure protocol.
  - 28. The computer-readable medium of claim 25 wherein the host key pair is generated during bootup of the virtual machine.
  - 29. The computer-readable medium of claim 25 wherein the application programming interface system includes data processing apparatuses that are configured to process client requests.
  - 30. The computer-readable medium of claim 29 wherein the client requests include requests for the encryption key associated with the virtual machine, status of the virtual machine, or load of the virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Beda, Joseph S. III, Baker, Brandon S.
Primary Examiner(s)
Nguyen, Tu

Application Number

US13/439,256
Time in Patent Office

979 Days
Field of Search

713/189
US Class Current

713/189
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/606 by securing the transmissio...

Distribution of cryptographic host keys in a cloud computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Distribution of cryptographic host keys in a cloud computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links