Dynamic key management

US 9,178,698 B1
Filed: 12/21/2012
Issued: 11/03/2015
Est. Priority Date: 12/21/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving a request for key-value metadata associated with a project at a first server, the first server implementing a management module, from a first client machine in response to a determination, by the first client machine, that a first user has not used the first client machine to connect or exchange data with a first virtual machine;

sending, by the first server, key-value metadata to the first client machine, the key-value metadata including key-value information associated with the project and key-value information of a group of users associated with the project;

receiving updated key-value metadata from the first client machine at the first server, the updated key-value metadata including a first public key associated with the first user from the first client machine, wherein the first public key and a first private key were generated on the first client machine by a first client tool at the first client machine in response to the determination that the first user has not used the first client machine to connect or exchange data with a first virtual machine, the updated key-value metadata updating the group of users associated with the project by including the key-value information of the first user using the first client machine;

receiving a request for key-value metadata associated with the project at the first server from a second client machine in response to a determination, by the second client machine, that a second user has not used the second client machine to connect or exchange data with a second virtual machine, wherein the project includes at least the first virtual machine and the second virtual machine;

sending, by the first server, key-value metadata to the second client machine, the key-value metadata including key-value information associated with the project and key-value information of the group of users associated with the project;

receiving updated key-value metadata from the second client machine at the first server, the updated key-value metadata including a second public key associated with the second user from the second client machine, wherein the second public key and a second private key were generated on the second client machine by a second client tool at the second client machine in response to the determination that the second user has not used the second client machine to connect or exchange data with a second virtual, the updated key-value metadata updating the group of users associated with the project by including the key-value information of the second user using the second client machine; and

providing the updated key-value metadata to a plurality of metadata servers, the plurality of metadata servers including one or more second servers and including a first metadata server and a second metadata server, wherein a first metadata server is dedicated to the first virtual machine and configured to provide the updated key-value metadata to the first virtual machine in response to a request for updated key-value metadata from the first virtual machine and wherein a second metadata server is dedicated to the second virtual machine and configured to provide the updated key-value metadata to the second virtual machine in response to a request for updated key-value metadata from the second virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs, for managing keys for virtual machines (VM). One method includes receiving a first public key associated with a first user from a first client machine (CM), receiving a second public key associated with a second user from a second CM, and updating metadata associated with a project that includes a first VM and a second VM to include the first and the second public keys. The first public key and a corresponding first private key were generated on the first CM in response to a determination that the first CM lacked a private key for communication with the first VM by the first user. The second public key and a corresponding second private key were generated on the second CM in response to a determination that the second CM lacked a private key for communication with the second VM by the second user.

55 Citations

View as Search Results

22 Claims

1. A computer-implemented method comprising:
- receiving a request for key-value metadata associated with a project at a first server, the first server implementing a management module, from a first client machine in response to a determination, by the first client machine, that a first user has not used the first client machine to connect or exchange data with a first virtual machine;
  
  sending, by the first server, key-value metadata to the first client machine, the key-value metadata including key-value information associated with the project and key-value information of a group of users associated with the project;
  
  receiving updated key-value metadata from the first client machine at the first server, the updated key-value metadata including a first public key associated with the first user from the first client machine, wherein the first public key and a first private key were generated on the first client machine by a first client tool at the first client machine in response to the determination that the first user has not used the first client machine to connect or exchange data with a first virtual machine, the updated key-value metadata updating the group of users associated with the project by including the key-value information of the first user using the first client machine;
  
  receiving a request for key-value metadata associated with the project at the first server from a second client machine in response to a determination, by the second client machine, that a second user has not used the second client machine to connect or exchange data with a second virtual machine, wherein the project includes at least the first virtual machine and the second virtual machine;
  
  sending, by the first server, key-value metadata to the second client machine, the key-value metadata including key-value information associated with the project and key-value information of the group of users associated with the project;
  
  receiving updated key-value metadata from the second client machine at the first server, the updated key-value metadata including a second public key associated with the second user from the second client machine, wherein the second public key and a second private key were generated on the second client machine by a second client tool at the second client machine in response to the determination that the second user has not used the second client machine to connect or exchange data with a second virtual, the updated key-value metadata updating the group of users associated with the project by including the key-value information of the second user using the second client machine; and
  
  providing the updated key-value metadata to a plurality of metadata servers, the plurality of metadata servers including one or more second servers and including a first metadata server and a second metadata server, wherein a first metadata server is dedicated to the first virtual machine and configured to provide the updated key-value metadata to the first virtual machine in response to a request for updated key-value metadata from the first virtual machine and wherein a second metadata server is dedicated to the second virtual machine and configured to provide the updated key-value metadata to the second virtual machine in response to a request for updated key-value metadata from the second virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1 further comprising:
    - receiving a third public key associated with the first user from the second client machine,wherein the third public key and a third private key were generated on the second client machine in response to a determination that the second client machine lacked the third private key and in response to an attempt to communicate with the second virtual machine from the second client machine, andupdating key-value metadata associated with the project to include the third public key; and
      
      providing the updated key-value metadata to the plurality of metadata servers including the first metadata server and the second metadata server, wherein the second client machine exchanges data with the second virtual machine after the second metadata server receives the updated key-value metadata.
  - 3. The computer-implemented method of claim 1 wherein the first client machine establishes a connection to the first virtual machine after the first virtual machine updates the key-value metadata and wherein the second client machine establishes a connection to the second virtual machine after the second virtual machine updates the key-value metadata.
  - 4. The computer-implemented method of claim 1 wherein the first public key and first private key are associated with a first secure shell key.
  - 5. The computer-implemented method of claim 1 wherein the requests for updated key-value metadata comprises periodic requests for updated key-value metadata.
  - 6. The computer-implemented method of claim 1 wherein the first metadata server is configured to provide updated key-value metadata to only the first virtual machine and wherein the second metadata server is configured to provide updated key-value metadata to only the second virtual machine.
  - 7. The computer-implemented method of claim 1 wherein the project is associated with a billable entity, wherein the first and second users are associated with the billable entity.
  - 8. The computer-implemented method of claim 1 wherein the first virtual machine and the second virtual machine are hosted on one or more physical machines different than a physical machine performing the computer-implemented method.

9. A system comprising:
- memory storing instructions; and
  
  one or more processors configured to execute the instructions that cause the one or more processors to perform operations comprising;
  
  receiving a request for key-value metadata associated with a project at a first server, the first server implementing a management module, from a first client machine in response to a determination, by the first client machine, that a first user has not used the first client machine to connect or exchange data with a first virtual machine;
  
  sending, by the first server, key-value metadata to the first client machine, the key-value metadata including key-value information associated with the project and key-value information of a group of users associated with the project;
  
  receiving updated key-value metadata from the first client machine at the first server, the updated key-value metadata including a first public key associated with the first user from the first client machine, wherein the first public key and a first private key were generated on the first client machine by a first client tool at the first client machine in response to the determination that the first user has not used the first client machine to connect or exchange data with a first virtual machine, the updated key-value metadata updating the group of users associated with the project by including the key-value information of the first user using the first client machine;
  
  receiving a request for key-value metadata associated with the project at the first server from a second client machine in response to a determination, by the second client machine, that a second user has not used the second client machine to connect or exchange data with a second virtual machine, wherein the project includes at least the first virtual machine and the second virtual machine;
  
  sending, by the first server, key-value metadata to the second client machine, the key-value metadata including key-value information associated with the project and key-value information of the group of users associated with the project;
  
  receiving updated key-value metadata from the second client machine at the first server, the updated key-value metadata including a second public key associated with the second user from the second client machine, wherein the second public key and a second private key were generated on the second client machine by a second client tool at the second client machine in response to the determination that the second user has not used the second client machine to connect or exchange data with a second virtual, the updated key-value metadata updating the group of users associated with the project by including the key-value information of the second user using the second client machine; and
  
  providing the updated key-value metadata to a plurality of metadata servers, the plurality of metadata servers including one or more second servers and including a first metadata server and a second metadata server, wherein a first metadata server is dedicated to the first virtual machine and configured to provide the updated key-value metadata to the first virtual machine in response to a request for updated key-value metadata from the first virtual machine and wherein a second metadata server is dedicated to the second virtual machine and configured to provide the updated key-value metadata to the second virtual machine in response to a request for updated key-value metadata from the second virtual machine.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9 wherein the operations further comprise:
    - receiving a third public key associated with the first user from the second client machine,wherein the third public key and a third private key were generated on the second client machine in response to a determination that the second client machine lacked the third private key and in response to an attempt to communicate with the second virtual machine from the second client machine, andupdating key-value metadata associated with the project to include the third public key; and
      
      providing the updated key-value metadata to the plurality of metadata servers including the first metadata server and the second metadata server, wherein the second client machine exchanges data with the second virtual machine after the second metadata server receives the updated key-value metadata.
  - 11. The system of claim 9 wherein the first client machine establishes a connection to the first virtual machine after the first virtual machine updates the key-value metadata and wherein the second client machine establishes a connection to the second virtual machine after the second virtual machine updates the key-value metadata.
  - 12. The system of claim 9 wherein the first public key and first private key are associated with a first secure shell key.
  - 13. The system of claim 9 wherein the requests for updated key-value metadata comprises periodic requests for updated key-value metadata.
  - 14. The system of claim 9 wherein the first metadata server is configured to provide updated key-value metadata to only the first virtual machine and wherein the second metadata server is configured to provide updated key-value metadata to only the second virtual machine.
  - 15. The system of claim 9 wherein the first virtual machine and the second virtual machine are hosted one or more physical machines other than the system.

16. A non-transitory computer-readable medium storing instructions that upon execution by a processing device cause the processing device to perform operations, comprising:
- receiving a request for key-value metadata associated with a project at a first server, the first server implementing a management module, from a first client machine in response to a determination, by the first client machine, that a first user has not used the first client machine to connect or exchange data with a first virtual machine;
  
  sending, by the first server, key-value metadata to the first client machine, the key-value metadata including key-value information associated with the project and key-value information of a group of users associated with the project;
  
  receiving updated key-value metadata from the first client machine at the first server, the updated key-value metadata including a first public key associated with the first user from the first client machine, wherein the first public key and a first private key were generated on the first client machine by a first client tool at the first client machine in response to the determination that the first user has not used the first client machine to connect or exchange data with a first virtual machine, the updated key-value metadata updating the group of users associated with the project by including the key-value information of the first user using the first client machine;
  
  receiving a request for key-value metadata associated with the project at the first server from a second client machine in response to a determination, by the second client machine, that a second user has not used the second client machine to connect or exchange data with a second virtual machine, wherein the project includes at least the first virtual machine and the second virtual machine;
  
  sending, by the first server, key-value metadata to the second client machine, the key-value metadata including key-value information associated with the project and key-value information of the group of users associated with the project;
  
  receiving updated key-value metadata from the second client machine at the first server, the updated key-value metadata including a second public key associated with the second user from the second client machine, wherein the second public key and a second private key were generated on the second client machine by a second client tool at the second client machine in response to the determination that the second user has not used the second client machine to connect or exchange data with a second virtual, the updated key-value metadata updating the group of users associated with the project by including the key-value information of the second user using the second client machine; and
  
  providing the updated key-value metadata to a plurality of metadata servers, the plurality of metadata servers including one or more second servers and including a first metadata server and a second metadata server, wherein a first metadata server is dedicated to the first virtual machine and configured to provide the updated key-value metadata to the first virtual machine in response to a request for updated key-value metadata from the first virtual machine and wherein a second metadata server is dedicated to the second virtual machine and configured to provide the updated key-value metadata to the second virtual machine in response to a request for updated key-value metadata from the second virtual machine.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The computer-readable medium of claim 16 wherein the operations further comprise:
    - receiving a third public key associated with the first user from the second client machine,wherein the third public key and a third private key were generated on the second client machine in response to a determination that the second client machine lacked the third private key and in response to an attempt to communicate with the second virtual machine from the second client machine, andupdating key-value metadata associated with the project to include the third public key; and
      
      providing the updated key-value metadata to the plurality of metadata servers including the first metadata server and the second metadata server, wherein the second client machine exchanges data with the second virtual machine after the second metadata server receives the updated key-value metadata.
  - 18. The computer-readable medium of claim 16 wherein the first client machine establishes a connection to the first virtual machine after the first virtual machine updates the key-value metadata and wherein the second client machine establishes a connection to the second virtual machine after the second virtual machine updates the key-value metadata.
  - 19. The computer-readable medium of claim 16 wherein the first public key and first private key are associated with a first secure shell key.
  - 20. The computer-readable medium of claim 16 wherein the requests for updated key-value metadata comprises periodic requests for updated key-value metadata.
  - 21. The computer-readable medium of claim 16 wherein the first metadata server is configured to provide updated key-value metadata to only the first virtual machine and wherein the second metadata server is configured to provide updated key-value metadata to only the second virtual machine.
  - 22. The computer-readable medium of claim 16 wherein the project is associated with a billable entity, wherein the first and second users are associated with the billable entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Anderson, Evan K., Jarjur, Omar S.
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
CHIANG, JASON

Application Number

US13/725,071
Time in Patent Office

1,047 Days
Field of Search

713/168
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

Dynamic key management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Dynamic key management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others