Packet authentication and encryption in virtual networks

US 9,876,773 B1
Filed: 11/23/2015
Issued: 01/23/2018
Est. Priority Date: 12/29/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by a host computing system configured to host one or more virtual computing nodes of a virtual network and from a mapping server for the virtual network that maintains mapping information associating virtual network addresses of the virtual network with physical network addresses, a cryptographic key;

receiving, by the configured host computing system, a communication from a first of the virtual computing nodes that is intended for a destination virtual computing node in the virtual network other than the first virtual computing node;

generating, by the configured host computing system based at least in part on the communication and on the cryptographic key received from the mapping server, a hash value for the communication; and

forwarding, by the configured host computing system and based at least in part on the mapping information maintained by the mapping server, the communication and the generated hash value to the destination virtual computing node.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods provide logic for distributing cryptographic keys in a physical network comprising a plurality of physical nodes. In one implementation, a computer-implemented method is provided for distributing cryptographic keys in a physical network. The method includes receiving information mapping a virtual network address of a virtual node to a physical network address of a physical node. The virtual node may be associated with a virtual network hosted by the physical node, and the received mapping information identifies a virtual network address of the node and the physical network address of the node. The mapping service transmits a current version of a cryptographic key and an identifier of the current version to the physical node.

Citations

20 Claims

1. A computer-implemented method comprising:
- receiving, by a host computing system configured to host one or more virtual computing nodes of a virtual network and from a mapping server for the virtual network that maintains mapping information associating virtual network addresses of the virtual network with physical network addresses, a cryptographic key;
  
  receiving, by the configured host computing system, a communication from a first of the virtual computing nodes that is intended for a destination virtual computing node in the virtual network other than the first virtual computing node;
  
  generating, by the configured host computing system based at least in part on the communication and on the cryptographic key received from the mapping server, a hash value for the communication; and
  
  forwarding, by the configured host computing system and based at least in part on the mapping information maintained by the mapping server, the communication and the generated hash value to the destination virtual computing node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1 further comprising, under control of a second host computing system hosting the destination virtual computing node:
    - receiving information from the configured host computing system that includes the forwarded communication and the forwarded hash value;
      
      based at least in part on the received information, selecting a local cryptographic key;
      
      generating a local hash value based at least in part on the selected local cryptographic key and on the forwarded communication; and
      
      authenticating the forwarded communication if the forwarded hash value matches the generated local hash value, and otherwise not authenticating the forwarded communication.
  - 3. The computer-implemented method of claim 2 wherein the selection of the local cryptographic key is based at least in part on an identifier of a current version of the local cryptographic key.
  - 4. The computer-implemented method of claim 1 wherein the virtual network is a first of multiple distinct virtual networks associated with the mapping server, and wherein the received cryptographic key is specific to the first virtual network.
  - 5. The computer-implemented method of claim 1, further comprising receiving from the mapping server an identifier of a version of the received cryptographic key, and forwarding the received identifier to the destination node with the communication and the generated hash value.
  - 6. The computer-implemented method of claim 1, further comprising:
    - at a first time that is after the forwarding of the communication, receiving an updated version of the cryptographic key from the mapping server; and
      
      after the first time, receiving an additional communication from a computing node of the virtual network, and using the updated version of the cryptographic key to generate an additional hash value for the additional communication before forwarding the additional communication and the additional hash value to a destination node indicated by the additional communication.
  - 7. The computer-implemented method of claim 1 further comprising, prior to the forwarding of the communication, encrypting at least a portion of the received communication using the received cryptographic key.
  - 8. The computer-implemented method of claim 7 wherein the communication includes a data packet having a header and a payload, and wherein encrypting at least a portion of the received communication includes encrypting the payload of the data packet of the communication.
  - 9. The computer-implemented method of claim 7 wherein encrypting at least a portion of the received communication includes encrypting at least one of a network address associated with the first virtual computing node and a network address associated with the destination virtual computing node.

10. A non-transitory computer-readable medium having stored contents that configure a computing device to perform a method, the method comprising:
- receiving, by a host computing system configured to host one or more virtual computing nodes of a first virtual network, a communication indicating a first of the virtual computing nodes hosted by the configured host computing system as a destination and further indicating a remote computing node of the first virtual network as a source, wherein receiving the communication includes receiving a hash value associated with the received communication;
  
  selecting, by the configured host computing system and based at least in part on the indicated source remote computing node and on information received from a mapping server for the first virtual network, one of multiple local cryptographic keys;
  
  generating, by the configured host computing system and based at least in part on the selected local cryptographic key, a local hash value for the received communication; and
  
  authenticating, by the configured host computing system, the communication only if the generated local hash value matches the received hash value associated with the communication.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The non-transitory computer-readable medium of claim 10 wherein the stored contents further configure the computing device to, prior to receiving the communication, receive an identifier of a version of a cryptographic key from the mapping server for the virtual network, and wherein selecting the one local cryptographic key includes selecting the one local cryptographic key based on the received identifier.
  - 12. The non-transitory computer-readable medium of claim 11 wherein the identifier includes at least one of a date associated with the version of the cryptographic key and a version number associated with the version of the cryptographic key.
  - 13. The non-transitory computer-readable medium of claim 10 wherein receiving the communication further includes receiving an identifier of a version of a cryptographic key, and wherein selecting the one local cryptographic key includes selecting the one local cryptographic key based on the received identifier.
  - 14. The non-transitory computer-readable medium of claim 10 wherein each of at least some of the multiple local cryptographic keys is associated with a virtual network, and wherein the selecting of the one local cryptographic key is based at least in part on the indicated source remote computing node being associated with the first virtual network.
  - 15. The non-transitory computer-readable medium of claim 10 wherein the first virtual network is one of multiple distinct virtual networks associated with the mapping server, and wherein the selected local cryptographic key is specific to the first virtual network.
  - 16. The non-transitory computer-readable medium of claim 10 further comprising, under control of a second host computing system hosting the indicated source virtual computing node:
    - receiving a first cryptographic key from the mapping server;
      
      receiving a source communication from the source virtual computing node;
      
      generating, based at least in part on the first cryptographic key and on the received source communication, a source hash value for the source communication; and
      
      forwarding the source communication and source hash value to the destination first virtual computing node.

17. A system, comprising:
- one or more processors of a mapping server; and
  
  one or more memories of the mapping server including instructions that, upon execution by at least one of the one or more processors, cause the mapping server to manage one or more virtual networks and to;
  
  receive information associating a physical network address with a virtual network address for a node of a first of the one or more virtual networks;
  
  based at least in part on the received information, update mapping information maintained by the mapping server for the first virtual network;
  
  provide, to one or more physical host machines that each hosts one or more nodes of the first virtual network, at least some of the updated mapping information; and
  
  transmit, to the one or more physical host machines, a cryptographic key associated with the first virtual network for use in authentication of communications within the first virtual network.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17 wherein transmitting the cryptographic key associated with the first virtual network to the physical host machine includes transmitting an identifier of a version of the cryptographic key.
  - 19. The system of claim 17, further comprising multiple of the physical host machines, wherein in operation a first of the physical host machines hosts a first computing node of the first virtual network and:
    - receives the transmitted cryptographic key from the mapping server;
      
      receives a communication from the first computing node that is intended for a destination other computing node of the first virtual network;
      
      generates, based at least in part on the received communication and on the transmitted cryptographic key, a hash value for the communication; and
      
      forwards, based at least in part on the mapping information from the mapping server, the communication and the generated hash value to the destination other computing node.
  - 20. The system of claim 19, wherein in operation a second of the physical host machines hosts a second computing node of the first virtual network and:
    - receives the transmitted cryptographic key from the mapping server;
      
      receives the forwarded communication and the forwarded hash value from the first physical host machine;
      
      selects, based at least in part on the forwarded communication and on the first computing node, the transmitted cryptographic key from the mapping server for use in authenticating the forwarded communication;
      
      generates, based at least in part on the selected cryptographic key, a local hash value for the forwarded communication; and
      
      authenticates the forwarded communication only if the generated local hash value matches the forwarded hash value from the first physical host machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, Searle, Ian R.
Primary Examiner(s)
Le, David

Application Number

US14/949,225
Time in Patent Office

792 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 61/45   Network directories; Name-t...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/123   received data contents, e.g...

Packet authentication and encryption in virtual networks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Packet authentication and encryption in virtual networks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links