Method and apparatus for differently encrypting different flows

US 9,792,447 B2
Filed: 06/30/2014
Issued: 10/17/2017
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. For a computer that executes a virtual machine (VM), an encryption method comprising:

detecting starts of different data message flows from the VM;

identifying, at an introspection agent on the VM, attribute values of the detected data message flows;

based on detecting a start of a first data message flow, analyzing a set of encryption policies based on the identified attribute values of the first data message flow to generate a first encryption rule for the first data message flow that identifies a first encryption key, and providing the first encryption rule to an encryptor that receives data messages intercepted along an egress datapath that the VM'"'"'s data messages employ to exit the computer, in order (i) to encrypt, using the first encryption key, messages in the first data message flow that the VM sends unencrypted and (ii) to return the encrypted messages to the egress datapath for transmission out of the computer; and

based on detecting a start of a second data message flow, analyzing a set of encryption policies based on the identified attribute values of the second data message flow to generate a second encryption rule for the second data message flow that identifies a second encryption key, and providing the second encryption rule to the encryptor that receives data messages intercepted along the VM'"'"'s egress datapath in order (i) to encrypt, using the second encryption key, messages in the second data message flow that the VM sends unencrypted and (ii) to return the encrypted messages to the egress datapath for transmission out of the computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host. When two different GVMs are part of two different logical overlay networks that are implemented on common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently than the data messages exchanged between the GVMs of another logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.

110 Citations

View as Search Results

21 Claims

1. For a computer that executes a virtual machine (VM), an encryption method comprising:
- detecting starts of different data message flows from the VM;
  
  identifying, at an introspection agent on the VM, attribute values of the detected data message flows;
  
  based on detecting a start of a first data message flow, analyzing a set of encryption policies based on the identified attribute values of the first data message flow to generate a first encryption rule for the first data message flow that identifies a first encryption key, and providing the first encryption rule to an encryptor that receives data messages intercepted along an egress datapath that the VM'"'"'s data messages employ to exit the computer, in order (i) to encrypt, using the first encryption key, messages in the first data message flow that the VM sends unencrypted and (ii) to return the encrypted messages to the egress datapath for transmission out of the computer; and
  
  based on detecting a start of a second data message flow, analyzing a set of encryption policies based on the identified attribute values of the second data message flow to generate a second encryption rule for the second data message flow that identifies a second encryption key, and providing the second encryption rule to the encryptor that receives data messages intercepted along the VM'"'"'s egress datapath in order (i) to encrypt, using the second encryption key, messages in the second data message flow that the VM sends unencrypted and (ii) to return the encrypted messages to the egress datapath for transmission out of the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein encrypting the data messages in the first and second flows further comprises encrypting the data messages in the first flow using a first encryption process, while encrypting the data messages in the second flow using a second encryption process.
  - 3. The method of claim 1, wherein a particular data message is intercepted along an egress datapath when the particular data message is associated with a data message flow for which an encryption rule was generated.
  - 4. The method of claim 1, wherein encrypting the data messages in the first and second flows further comprises encrypting a first portion of each data message in the first flow, while encrypting a second portion of each data message in the second flow, wherein the first and second portions are different portions of their respective data messages.
  - 5. The method of claim 1, wherein the first data message flow is directed to a first destination machine that operates outside of the computer and the second data message flow is directed to a second destination machine that operates outside of the computer.
  - 6. The method of claim 5, wherein the first and second destination machines are the same destination machine.
  - 7. The method of claim 5, wherein the first and second destination machines are VMs.

8. For a computer that executes a virtual machine (VM), an encryption method comprising:
- detecting, at an introspection agent on the VM, a start of a first data message flow from the VM, and in response, analyzing a set of encryption policies based on a set of attributes of the first data message flow, in order (i) to generate a first encryption rule for the first data message flow, and (ii) to provide the first encryption rule to an encryptor on the computer in order to encrypt messages in the first data message flow;
  
  detecting, at the introspection agent on the VM, a start of a second data message flow from the VM, and in response, analyzing the set of encryption policies based on a set of attributes of the second data message flow, in order to determine that no encryption rule needs to be provided to the encryptor for the second data message flow because the second data message flow does not need to be encrypted, wherein the messages of the second data message flow are not provided to the encryptor and are sent from the computer in an unencrypted format, while the messages of the first data message flow are sent from the computer in an encrypted format.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8 further comprising inserting in each encrypted data message an encryption identifier, said encryption identifier for allowing a destination of the data message to decrypt the encrypted data message.
  - 10. The method of claim 9, wherein the encryption identifier is a key identifier that identifies an encryption key that was used to encrypt the data message.
  - 11. The method of claim 9, wherein the encryption identifier is a key identifier that identifies a decryption key that is needed to decrypt the data message.
  - 12. The method of claim 9, wherein the encryption identifier is an encryption identifier that identifies an encryption process that was used to encrypt the data message.
  - 13. The method of claim 9, wherein the encryption identifier is a decryption identifier that identifies a decryption process that is needed to decrypt the data message.
  - 14. The method of claim 9, wherein the encryption identifier is inserted in a header field of the data message.
  - 15. The method of claim 8, wherein the encryptor (i) receives, from the VM'"'"'s egress datapath, unencrypted data messages belonging to data message flows that require encryption (ii) encrypts the unencrypted data messages, and (iii) returns the data messages to the VM'"'"'s egress datapath.

16. A non-transitory machine readable medium storing a program for encrypting messages from a virtual machine (VM) that executes on a computer, the program comprising sets of instructions for:
- detecting starts of different data message flows from the VM;
  
  receiving from an introspection agent on the VM, identification of attribute values of the detected data message flows;
  
  based on detecting a start of a first data message flow, analyzing a set of encryption policies based on the identified attribute values of the first data message flow to generate a first encryption rule for the first data message flow that identifies a first encryption key, and providing the first encryption rule to an encryptor that receives data messages intercepted along an egress datapath that the VM'"'"'s data messages employ to exit the computer, in order (i) to encrypt, using the first encryption key, messages in the first data message flow that the VM sends unencrypted and (ii) to return the encrypted messages to the egress datapath for transmission out of the computer; and
  
  based on detecting a start of a second data message flow, analyzing a set of encryption policies based on the identified attribute values of the second data message flow to generate a second encryption rule for the second data message flow that identifies a second encryption key, and providing the second encryption rule to the encryptor that receives data messages intercepted along the VM'"'"'s egress datapath in order (i) to encrypt, using the second encryption key, messages in the second data message flow that the VM sends unencrypted and (ii) to return the encrypted messages to the egress datapath for transmission out of the computer.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The non-transitory machine readable medium of claim 16, wherein encrypting the data messages in the first and second flows further comprises encrypting the data messages in the first flow by using a first encryption process, while encrypting the data messages in the second flow by using a second encryption process.
  - 18. The non-transitory machine readable medium of claim 16, wherein encrypting the data messages in the first and second flows further comprises encrypting a first portion of each data message in the first flow, while encrypting a second portion of each data message in the second flow, wherein the first and second portions are different portions of their respective data messages.
  - 19. The non-transitory machine readable medium of claim 16, wherein a particular data message is intercepted along an egress datapath when the particular data message is associated with a data message flow for which an encryption rule was generated.
  - 20. The method of claim 16, wherein the first data message flow is directed to a first destination machine that operates outside of the computer and the second data message flow is directed to a second destination machine that operates outside of the computer.
  - 21. The non-transitory machine readable medium of claim 16 further comprising sets of instructions for:
    - based on the detection of a third data message flow, determining, based on an analysis of a set of encryption policies that a third encryption rule (i) does not need to be generated for the third data message flow and (ii) does not need to be provided to the encryptor, wherein data messages of the third data message flow are not received by the encryptor for encryption.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Thota, Kiran Kumar, Feroz, Azeem, Wiese, James C.
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Almamun, Abdullah

Application Number

US14/320,578
Publication Number

US 20150379278A1
Time in Patent Office

1,205 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/56   Computer malware detection ...

G06F 21/568   eliminating virus, restorin...

G06F 21/602   Providing cryptographic fac...

G06F 21/6236   between heterogeneous systems

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/542   Event management; Broadcast...

G09C 1/00   Apparatus or methods whereb...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0428   wherein the data content is...

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 9/14   using a plurality of keys o...

Method and apparatus for differently encrypting different flows

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

110 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for differently encrypting different flows

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links