Encryption system in a virtualized environment

US 9,613,218 B2
Filed: 06/30/2014
Issued: 04/04/2017
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. An encryption system comprising:

a plurality of computing devices;

a set of computers for (i) providing to the computing devices encryption configuration data that specifies how data messages from the computing devices have to be encrypted, (ii) collecting key-usage statistics from a set of the computing devices, (iii) determining whether the set of computing devices needs to use at least one new key based on the collected key-usage statistics from the set of computing devices, and (iv) directing the computing devices to use new keys based on the determination that the set of computing devices needs to use at least one new key; and

a set of key managers for the computing devices to access to retrieve encryption keys for encrypting data messages sent by the computing devices;

wherein the set of computers does not store any encryption key used by the computing devices to encrypt data messages sent by the computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host. When two different GVMs are part of two different logical overlay networks that are implemented on common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently than the data messages exchanged between the GVMs of another logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.

72 Citations

View as Search Results

20 Claims

1. An encryption system comprising:
- a plurality of computing devices;
  
  a set of computers for (i) providing to the computing devices encryption configuration data that specifies how data messages from the computing devices have to be encrypted, (ii) collecting key-usage statistics from a set of the computing devices, (iii) determining whether the set of computing devices needs to use at least one new key based on the collected key-usage statistics from the set of computing devices, and (iv) directing the computing devices to use new keys based on the determination that the set of computing devices needs to use at least one new key; and
  
  a set of key managers for the computing devices to access to retrieve encryption keys for encrypting data messages sent by the computing devices;
  
  wherein the set of computers does not store any encryption key used by the computing devices to encrypt data messages sent by the computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The encryption system of claim 1, wherein the encryption configuration data comprises identity information of at least one key manager to contact in order to retrieve encryption keys.
  - 3. The encryption system of claim 2, wherein the encryption configuration data further comprises encryption key identifiers of the encryption keys that need to be retrieved.
  - 4. The encryption system of claim 1, wherein the encryption configuration data comprises encryption key identifiers of the encryption keys that need to be retrieved.
  - 5. The encryption system of claim 1, wherein the encryption configuration data comprises encryption policies that the computing devices need to resolve in order to generate encryption rules for the computing device to enforce.
  - 6. The encryption system of claim 5, wherein the generated encryption rules are a first set of encryption rules, wherein the encryption configuration data further comprises a second set of encryption rules for the computing device to enforce.
  - 7. The encryption system of claim 1, wherein the encryption configuration data comprises encryption rules that the computing devices need to enforce.
  - 8. The encryption system of claim 1, wherein the set of computers is further for generating the encryption configuration data from encryption policies that are defined for the encryption system.
  - 9. The encryption system of claim 8,wherein the set of computers includes a set of management computers and a set of controller computers;
    - wherein the set of management computers is for receiving input for defining the encryption policies and for supplying the received encryption policies to the set of controller computers; and
      
      wherein the set of controller computers is for generating the encryption configuration data from the received encryption policies and for distributing the encryption configuration data to the computing devices.
  - 10. The encryption system of claim 9, wherein the set of management computers is further for obtaining key manager credentials and supplying the key manager credentials to the set of controller computers, wherein the encryption configuration data includes the key manager credentials for the computing devices to use when contacting the key manager set to obtain the encryption keys.
  - 11. The encryption system of claim 10,wherein the computing devices are host computers for executing virtual machines for one or more tenants;
    - wherein the set of key managers comprises different key managers for different tenants; and
      
      wherein the controller computer set supplies to each particular host computer key manager credentials for key managers of the tenants which have a virtual machine executing on the particular host computer.
  - 12. The encryption system of claim 9, wherein the set of management computers is further for directing the key manager set to generate the encryption keys.
  - 13. The encryption system of claim 9, wherein the set of controller computers is further for directing a particular computing device to destroy a set of keys that the particular computing device has obtained from the key manager set.
  - 14. The encryption system of claim 13, wherein the set of controller computers directs the particular computing device to destroy the set of keys in response to a determination that the particular computing device might have been infected by malware.
  - 15. The encryption system of claim 1, wherein the encryption configuration data includes key manager credentials for the computing devices to use when contacting the key manager set to obtain the encryption keys.
  - 16. The encryption system of claim 1, wherein the set of computers includes one or more computers, and the set of key managers includes one or more key managers.

17. For a system that comprises a plurality of computer devices, an encryption method comprising:
- to a computing device, providing encryption configuration data that specifies how data messages from the computing device have to be encrypted;
  
  to the computing device, providing credentials for accessing a set of key managers to access to retrieve encryption keys for encrypting data messages sent by the computing device;
  
  collecting key-usage statistics from a set of computing devices;
  
  determining whether the set of computing devices needs to use at least one new key based on collected key-usage statistics from the plurality of computing devices; and
  
  directing the set of computing devices to use new keys based on the determination that the set of computing devices needs to use at least one new key,wherein the plurality of computer devices does not store any encryption key used by the computing device to encrypt data messages sent by the computing device.
- View Dependent Claims (18, 19, 20)
- - 18. The encryption method of claim 17 further comprising:
    - creating encryption keys on the set of key managers; and
      
      wherein the encryption configuration data comprises identities of the created encryption keys and the identity information of at least one key manager to contact to retrieve the identified encryption keys.
  - 19. The encryption method of claim 18 further comprising:
    - directing the set of computing devices to discard at least a set of the encryption keys that the computing device retrieved from the set of key managers, said computing device discarding the set of keys from a memory of the computing device and not storing the discarded set of keys in any storage of the computing device.
  - 20. The encryption method of claim 19 further comprising:
    - detecting a condition related to the computing device that requires the computing device to discard the set of keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Thota, Kiran Kumar, Feroz, Azeem, Wiese, James C.
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Almamun, Abdullah

Application Number

US14/320,584
Publication Number

US 20150379282A1
Time in Patent Office

1,009 Days
Field of Search

713150, 713165, 713168, 713189, 713193, 370419, 380279, 726 23
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

G06F 21/602   Providing cryptographic fac...

G06F 21/6236   between heterogeneous systems

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/542   Event management; Broadcast...

G09C 1/00   Apparatus or methods whereb...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0428   wherein the data content is...

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 9/14   using a plurality of keys o...

Encryption system in a virtualized environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

72 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption system in a virtualized environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links