WO2019155257A1 - Secure communication in a cluster of virtual machines - Google Patents

Info

Publication number: WO2019155257A1
Authority: WO, WIPO (PCT)
Prior art keywords: virtual machine, key, cluster, leader, data packet
Application number: PCT/IB2018/050796
Other languages: French (fr)
Inventor: Pratik Sharma
Original Assignee: Pratik Sharma
Application filed by: Pratik Sharma

Classifications

    • H04L63/062: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/606: Protecting data by securing the transmission between two devices or processes
    • G06F9/45558: Hypervisor-specific management and integration aspects
    • H04L63/065: Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • H04L9/0825: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0833: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0891: Revocation or update of secret information, e.g. encryption key update or rekeying
    • G06F2009/45587: Isolation or security of virtual machine instances

Abstract

The leader of a cluster of virtual machines receives the public key of all other machines in the cluster. The leader machine then secretly chooses a key for communication in the cluster. The leader machine sends the key to each of the virtual machines in the cluster by encrypting the packet using the recipient virtual machine's public key. All machines in the cluster maintain a table with the IP address as the key and the send counter and receive counter for that address as the value.

Description

SECURE COMMUNICATION IN A CLUSTER OF VIRTUAL MACHINES
In this invention we have n virtual machines connected to each other (we assume reliable connections using protocols such as Transmission Control Protocol). Out of the cluster of n virtual machines we choose a leader. The leader of the cluster receives the public key of every other virtual machine in the cluster. The leader virtual machine then secretly chooses a key which will be used to encrypt data packets for communication between any of the virtual machines in the cluster; we call a cluster of virtual machines that uses this secretly chosen key for communication a Ring Of Trust. The leader virtual machine sends the secretly chosen key to each virtual machine in the cluster, encrypting the data packet that contains the key with the recipient virtual machine's public key. The recipient virtual machine decrypts the data packet with its own private key to obtain the secret key for communication in the cluster.
All virtual machines in the cluster also maintain a table whose key is a virtual machine's Internet Protocol (IP) address and whose value is the send counter and receive counter for that virtual machine. Each virtual machine sending a data packet encrypts it with the secretly chosen key; the data packet begins with x bytes containing the send sequence number for the recipient virtual machine, and the rest is data bytes. Just before sending the data packet, the sender virtual machine atomically increments the send counter in the table entry keyed by the recipient virtual machine's IP address. The recipient virtual machine, for its part, checks whether the sequence number received from the sender is exactly one more than the receive counter in its table entry keyed by the sender virtual machine's IP address. If the check succeeds, the recipient accepts the data packet and atomically increments that receive counter; if the check fails, the recipient drops the data packet.
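The per-peer counter check described above, as an added example that is not part of the patent text. It works on the plaintext packet (what is encrypted before sending and recovered after decryption) and assumes x = 8 bytes in big-endian order, counters that start at 0, and a transmitted sequence number equal to the incremented send counter; all class and function names are illustrative.

```python
import struct
import threading

SEQ_LEN = 8  # assumed value for the patent's "x bytes" (big-endian unsigned)


class CounterTable:
    """Per-peer table: IP address -> [send counter, receive counter]."""

    def __init__(self):
        self._lock = threading.Lock()  # makes each check-and-increment atomic
        self._rows = {}                # ip -> [send, recv]; both start at 0 (assumed)

    def next_send_seq(self, peer_ip):
        """Atomically increment the send counter for peer_ip and return it."""
        with self._lock:
            row = self._rows.setdefault(peer_ip, [0, 0])
            row[0] += 1
            return row[0]

    def accept(self, peer_ip, seq):
        """Accept only seq == receive counter + 1; a failed check changes nothing."""
        with self._lock:
            row = self._rows.setdefault(peer_ip, [0, 0])
            if seq != row[1] + 1:
                return False
            row[1] = seq
            return True

    def counters(self, peer_ip):
        with self._lock:
            return tuple(self._rows.get(peer_ip, (0, 0)))


def build_packet(table, dst_ip, data):
    """Plaintext layout before encryption: sequence number, then data bytes."""
    return struct.pack(">Q", table.next_send_seq(dst_ip)) + data


def receive_packet(table, src_ip, packet):
    """Run on the plaintext after decryption. Returns the data, or None if dropped."""
    if len(packet) < SEQ_LEN:
        return None  # too short to carry a sequence number
    (seq,) = struct.unpack(">Q", packet[:SEQ_LEN])
    return packet[SEQ_LEN:] if table.accept(src_ip, seq) else None


def demo():
    a_ip, b_ip = "10.0.0.1", "10.0.0.2"  # constructed addresses
    a, b = CounterTable(), CounterTable()
    p1, p2, p3, p4 = (build_packet(a, b_ip, d)
                      for d in (b"one", b"two", b"three", b"four"))
    results = {
        "first": receive_packet(b, a_ip, p1),    # 1 == 0 + 1 -> accepted
        "replay": receive_packet(b, a_ip, p1),   # 1 != 1 + 1 -> dropped
        "gap": receive_packet(b, a_ip, p3),      # p2 missing: 3 != 2 -> dropped
        "stalled": receive_packet(b, a_ip, p4),  # 4 != 2 -> still dropped
        "resume": receive_packet(b, a_ip, p2),   # 2 == 1 + 1 -> accepted
    }
    return results, a.counters(b_ip), b.counters(a_ip)


if __name__ == "__main__":
    print(demo())
```

Because a failed check leaves the receive counter unchanged, one missing packet causes every later packet from that sender to be dropped until the expected sequence number arrives, which is why the description assumes a reliable, ordered transport.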
In addition, the leader virtual machine maintains a table whose key is a virtual machine's Internet Protocol (IP) address and whose value is that machine's properties, such as its public key and other details. A process in the leader virtual machine subscribes to this table for notification of any changes. For example, when a new entry is inserted for a new virtual machine with its public key and other properties, the leader virtual machine sends the secretly chosen key to the new virtual machine, encrypting the data packet containing the key with the new virtual machine's public key. Similarly, when a virtual machine leaves the cluster and its entry is deleted from the table, the leader virtual machine, on being notified, may change the secretly chosen key for security purposes.

Claims

Following is the claim for this invention:
1. In this invention we have n number of virtual machines connected (we assume reliable connections using protocols like Transmission Control Protocol, etc.) to each other. Out of the cluster of n virtual machines we choose a leader. The leader of the cluster of virtual machines receives the public key of all other virtual machines in the cluster. Then the leader virtual machine secretly chooses a key which will be used to encrypt data packets for communication between any of the virtual machines in the cluster, and we call such a cluster of virtual machines using the above secretly chosen key for communication in the cluster a Ring Of Trust. The leader virtual machine then sends the secretly chosen key to each of the virtual machines in the cluster by encrypting the data packet containing the secretly chosen key using the recipient virtual machine’s public key. The recipient virtual machine then decrypts the data packet containing the secret key for communication in the cluster using its own private key. Also, all virtual machines in the cluster maintain a table consisting of the virtual machine’s Internet Protocol (IP) address as the key and, as the value, the send counter and receive counter for that virtual machine. Each of the virtual machines sending the data packet encrypts it by using the secretly chosen key, and the data packet begins with x number of bytes containing the send sequence number for the recipient virtual machine and the rest is data bytes. Just before sending the data packet, the sender virtual machine atomically increments the send counter in the table with the recipient virtual machine’s Internet Protocol (IP) address as the key. The recipient virtual machine, on the other hand, checks if the received sequence number from the sender virtual machine is just one more than the receive counter it has in the table with the sender virtual machine’s Internet Protocol (IP) address as the key. If the above check is successful, the recipient virtual machine accepts the data packet and atomically increments the receive counter in the table with the sender virtual machine’s Internet Protocol (IP) address as the key, or if the above check fails, the recipient virtual machine drops the data packet. In addition to this, the leader virtual machine maintains a table consisting of the virtual machine’s Internet Protocol (IP) address as the key and, as the value, its properties like the virtual machine’s public key and other details, etc. Also, a process in the leader virtual machine subscribes to the above table for any notification of changes in the table. For example, when a new entry is inserted in the table for a new virtual machine with its public key and other properties, then the leader virtual machine sends the secretly chosen key to the new virtual machine in the cluster by encrypting the data packet containing the secretly chosen key using the new virtual machine’s public key. Similarly, when a virtual machine leaves the cluster, which results in deletion of an entry in the table, then on notification of the same the leader virtual machine may change the secretly chosen key for security purposes. The above novel technique by which secure and encrypted information is exchanged in a ring or cluster of virtual machines is the claim for this invention.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
PCT/IB2018/050796 WO2019155257A1 (en) | 2018-02-08 | 2018-02-08 | Secure communication in a cluster of virtual machines

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
PCT/IB2018/050796 WO2019155257A1 (en) | 2018-02-08 | 2018-02-08 | Secure communication in a cluster of virtual machines

Publications (1)

Publication Number | Publication Date
WO2019155257A1 (en) | 2019-08-15

Family

ID=67549298

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/IB2018/050796 WO2019155257A1 (en) | Secure communication in a cluster of virtual machines | 2018-02-08 | 2018-02-08

Country Status (1)

Country | Link
WO (1) | WO2019155257A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20120054486A1 (en) * | 2010-08-31 | 2012-03-01 | MindTree Limited | Securing A Virtual Environment And Virtual Machines
US8966581B1 (en) * | 2011-04-07 | 2015-02-24 | Vmware, Inc. | Decrypting an encrypted virtual machine using asymmetric key encryption

Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18905544; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct application non-entry in european phase | Ref document number: 18905544; Country of ref document: EP; Kind code of ref document: A1