WO2019155257A1 - Secure communication in a cluster of virtual machines - Google Patents
- Publication number
- WO2019155257A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- virtual machine
- key
- cluster
- leader
- data packet
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/065—Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/0833—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Definitions
- n number of virtual machines connected (we assume reliable connections using protocols like Transmission Control Protocol, etc.) to each other.
- the leader of cluster of virtual machines receives the public key of all other virtual machines in the cluster.
- the leader virtual machine secretly chooses a key which will be used to encrypt data packets for communication between any of the virtual machines in the cluster and we call such a cluster of virtual machines using the above secretly chosen key for communication in the cluster as Ring Of Trust.
- the leader virtual machine then sends the secretly chosen key to each of the virtual machines in the cluster by encrypting the data packet containing the secretly chosen key using the recipient virtual machine’s public key.
- the recipient virtual machine then decrypts the data packet containing the secret key for communication in the cluster using its own private key. Also all virtual machines in the cluster maintain a table consisting of the virtual machine’s Internet Protocol(IP) address as the key and, value as send counter and receive counter for that virtual machine. Each of the virtual machine sending the data packet encrypts it by using the secretly chosen key and the data packet begins with x number of bytes containing the send sequence number for the recipient virtual machine and the rest is data bytes. Just before sending the data packet the sender virtual machine atomically increments the send counter in the table with recipient virtual machine’s Internet Protocol(IP) address as the key.
- IP Internet Protocol
- the recipient virtual machine checks if the received sequence number from the sender virtual machine is just one more than the receive counter it has in the table with sender virtual machine’s Internet Protocol(IP) address as the key. If the above check is successful the recipient virtual machine accepts the data packet and atomically increments the receive counter in the table with sender virtual machine’s Internet Protocol(IP) address as the key or if the above check fails the recipient virtual machine drops the data packet.
- the leader virtual machine maintains a table consisting of the virtual machine’s Internet Protocol(IP) address as the key and, value as its properties like virtual machine’s public key and other details, etc. Also a process in the leader virtual machine subscribes to the above table for any notification of changes in the table. For example when a new entry is inserted in the table for a new virtual machine with its public key and other properties, then the leader virtual machine send the secretly chosen key to the new virtual machine in the cluster by encrypting the data packet containing the secretly chosen key using the new virtual machine’s public key. Similarly when a virtual machine leaves the cluster which results in deletion of an entry in the table, then on notification of the same the leader virtual machine may change the secretly chosen key for security purposes.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The leader of a cluster of virtual machines receives the public key of every other machine in the cluster. The leader machine then secretly chooses a key for communication in the cluster and sends it to each virtual machine in the cluster, encrypting the packet with the recipient virtual machine's public key. All machines in the cluster maintain a table keyed by IP address whose value is the send counter and receive counter for that address.
Description
SECURE COMMUNICATION IN A CLUSTER OF VIRTUAL MACHINES
In this invention we have n virtual machines connected to each other (we assume reliable connections using protocols like Transmission Control Protocol, etc.). Out of the cluster of n virtual machines we choose a leader. The leader of the cluster receives the public key of every other virtual machine in the cluster. The leader virtual machine then secretly chooses a key which will be used to encrypt data packets for communication between any of the virtual machines in the cluster; we call a cluster of virtual machines that uses this secretly chosen key for communication a Ring Of Trust. The leader virtual machine then sends the secretly chosen key to each virtual machine in the cluster by encrypting the data packet containing the key with the recipient virtual machine's public key. The recipient virtual machine decrypts that data packet with its own private key. All virtual machines in the cluster also maintain a table keyed by a virtual machine's Internet Protocol (IP) address, whose value is the send counter and receive counter for that virtual machine. Each virtual machine sending a data packet encrypts it with the secretly chosen key; the data packet begins with x bytes containing the send sequence number for the recipient virtual machine and the rest is data bytes. Just before sending the data packet, the sender virtual machine atomically increments the send counter in the table entry keyed by the recipient virtual machine's IP address. The recipient virtual machine, on the other hand, checks whether the received sequence number from the sender virtual machine is exactly one more than the receive counter in its table entry keyed by the sender virtual machine's IP address.
If the check succeeds, the recipient virtual machine accepts the data packet and atomically increments the receive counter in the table entry keyed by the sender virtual machine's IP address; if the check fails, the recipient virtual machine drops the data packet.
In addition, the leader virtual machine maintains a table keyed by a virtual machine's IP address whose value is that machine's properties, such as its public key and other details. A process in the leader virtual machine also subscribes to this table for notification of any change. For example, when a new entry is inserted in the table for a new virtual machine with its public key and other properties, the leader virtual machine sends the secretly chosen key to the new virtual machine by encrypting the data packet containing the key with the new virtual machine's public key. Similarly, when a virtual machine leaves the cluster and its entry is deleted from the table, then on notification of the deletion the leader virtual machine may change the secretly chosen key for security purposes.
Claims
Following is the claim for this invention:
1. In this invention we have n virtual machines connected to each other (we assume reliable connections using protocols like Transmission Control Protocol, etc.). Out of the cluster of n virtual machines we choose a leader. The leader of the cluster receives the public key of every other virtual machine in the cluster. The leader virtual machine then secretly chooses a key which will be used to encrypt data packets for communication between any of the virtual machines in the cluster; we call a cluster of virtual machines that uses this secretly chosen key for communication a Ring Of Trust. The leader virtual machine then sends the secretly chosen key to each virtual machine in the cluster by encrypting the data packet containing the key with the recipient virtual machine's public key. The recipient virtual machine decrypts that data packet with its own private key. All virtual machines in the cluster also maintain a table keyed by a virtual machine's Internet Protocol (IP) address, whose value is the send counter and receive counter for that virtual machine. Each virtual machine sending a data packet encrypts it with the secretly chosen key; the data packet begins with x bytes containing the send sequence number for the recipient virtual machine and the rest is data bytes. Just before sending the data packet, the sender virtual machine atomically increments the send counter in the table entry keyed by the recipient virtual machine's IP address. The recipient virtual machine, on the other hand, checks whether the received sequence number from the sender virtual machine is exactly one more than the receive counter in its table entry keyed by the sender virtual machine's IP address.
If the check succeeds, the recipient virtual machine accepts the data packet and atomically increments the receive counter in the table entry keyed by the sender virtual machine's IP address; if the check fails, the recipient virtual machine drops the data packet. In addition, the leader virtual machine maintains a table keyed by a virtual machine's IP address whose value is that machine's properties, such as its public key and other details. A process in the leader virtual machine also subscribes to this table for notification of any change. For example, when a new entry is inserted in the table for a new virtual machine with its public key and other properties, the leader virtual machine sends the secretly chosen key to the new virtual machine by encrypting the data packet containing the key with the new virtual machine's public key. Similarly, when a virtual machine leaves the cluster and its entry is deleted from the table, then on notification of the deletion the leader virtual machine may change the secretly chosen key for security purposes. The above novel technique by which secure and encrypted information is exchanged in a ring or cluster of virtual machines is the claim for this invention.
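The protocol laid out in the Description and restated in claim 1 (leader collects public keys, chooses a ring key, transports it under each member's public key, members prefix every packet with a send sequence number, the receiver drops anything that is not exactly its receive counter plus one, and the leader rekeys when a member's table entry is deleted) as an added Python model. This is not code from the patent: the `VM`/`Leader` class names, the `on_insert`/`on_delete` handlers, the IP addresses and the messages are all constructed here, and because the patent names no algorithms, a textbook RSA on tiny primes and an HMAC-SHA256 keystream-plus-tag are stand-ins for the public-key and packet ciphers.

```python
"""Toy model of the leader-keyed cluster ('Ring Of Trust') described above.
Stdlib only: textbook RSA on ~20-bit primes stands in for the public-key layer and
an HMAC-SHA256 keystream plus tag for the packet cipher; both are constructed for
illustration only (real use: RSA-OAEP or X25519 for key transport plus an AEAD)."""
import hashlib, hmac, math, secrets, threading

SEQ_BYTES = 4                      # the 'x bytes' that carry the send sequence number
NONCE, TAG = 12, 32                # toy cipher layout: nonce | ciphertext | HMAC tag
_cursor = [1_000_000, 3_000_000]   # advanced so every VM gets a distinct key pair

def _next_prime(n):                # trial division is plenty for 7-digit numbers
    while any(n % f == 0 for f in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def rsa_keygen():
    """Textbook RSA on tiny primes (toy only); returns (n, e), (n, d)."""
    p, q = _next_prime(_cursor[0]), _next_prime(_cursor[1])
    _cursor[0], _cursor[1] = p + 1, q + 1
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1: e += 2
    return (n, e), (n, pow(e, -1, phi))

def rsa_encrypt(pub, data):        # 4-byte chunks, each < n, under the recipient's key
    n, e = pub
    return [pow(int.from_bytes(data[i:i + 4], "big"), e, n) for i in range(0, len(data), 4)]

def rsa_decrypt(priv, chunks):
    n, d = priv
    return b"".join(pow(c, d, n).to_bytes(4, "big") for c in chunks)

def _subkeys(key):                 # distinct keystream and MAC keys from the ring key
    return [hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac")]

def _stream(key, nonce, length):   # HMAC in counter mode as a keystream
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def seal(key, plaintext):          # encrypt-then-MAC: nonce | ct | tag
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(NONCE)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        return None                # forged packet, or the sender holds a stale ring key
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

class VM:                          # member: key pair, ring key, per-peer counter table
    def __init__(self, ip):
        self.ip, self.ring_key = ip, None
        self.pub, self.priv = rsa_keygen()
        self.counters = {}             # peer IP -> [send counter, receive counter]
        self.lock = threading.Lock()   # makes the counter updates atomic
    def install_ring_key(self, blob):
        self.ring_key = rsa_decrypt(self.priv, blob)
    def send(self, dst_ip, data):
        with self.lock:                # atomic bump of the send counter for this peer
            c = self.counters.setdefault(dst_ip, [0, 0])
            seq = c[0] = c[0] + 1
        return seal(self.ring_key, seq.to_bytes(SEQ_BYTES, "big") + data)
    def receive(self, src_ip, packet):
        plain = unseal(self.ring_key, packet)
        if plain is None: return None
        seq = int.from_bytes(plain[:SEQ_BYTES], "big")
        with self.lock:
            c = self.counters.setdefault(src_ip, [0, 0])
            if seq != c[1] + 1:        # replay, reorder or forgery: drop it
                return None
            c[1] += 1
        return plain[SEQ_BYTES:]

class Leader(VM):                  # keeps the member table and reacts to its changes
    def __init__(self, ip):
        super().__init__(ip)
        self.table = {}                # IP -> VM (stand-in for the IP -> public key table)
        self.ring_key = secrets.token_bytes(32)
        self.rekeys = 0
    def on_insert(self, vm):           # new entry: deliver the current ring key
        self.table[vm.ip] = vm
        vm.install_ring_key(rsa_encrypt(vm.pub, self.ring_key))
    def on_delete(self, ip):           # entry removed: rotate the key and redistribute
        del self.table[ip]
        self.ring_key, self.rekeys = secrets.token_bytes(32), self.rekeys + 1
        for vm in self.table.values():
            vm.install_ring_key(rsa_encrypt(vm.pub, self.ring_key))

def demo():                        # constructed three-node run; the IPs are made up
    leader, a, b = Leader("10.0.0.1"), VM("10.0.0.2"), VM("10.0.0.3")
    for vm in (a, b): leader.on_insert(vm)
    p1, p2 = a.send(b.ip, b"hello"), a.send(b.ip, b"world")
    out = {"first": b.receive(a.ip, p1), "replay": b.receive(a.ip, p1),  # seq 1 twice
           "second": b.receive(a.ip, p2)}
    leader.on_delete(a.ip)                     # a leaves; b receives a fresh key
    out["stale_sender"] = b.receive(a.ip, a.send(b.ip, b"late"))  # old key: bad tag
    out["rekeys"] = leader.rekeys
    return out
```

Running `demo()` returns `hello` and `world` for the two genuine packets and `None` for the replayed first packet and for the departed member's post-rekey packet. Two points the text leaves open and the model has to settle: the page does not say how a receiver recognises a tampered packet, so the toy cipher authenticates every packet and a bad tag is handled like a bad sequence number; and because the check is strictly receive counter plus one, a packet that arrives out of order is dropped rather than buffered, which is only acceptable because the text assumes an ordered transport such as TCP underneath. Note also that a joining member simply receives the current ring key, so the rekey on departure is the only key rotation the text describes.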
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/IB2018/050796 WO2019155257A1 (en) | 2018-02-08 | 2018-02-08 | Secure communication in a cluster of virtual machines |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/IB2018/050796 WO2019155257A1 (en) | 2018-02-08 | 2018-02-08 | Secure communication in a cluster of virtual machines |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019155257A1 true WO2019155257A1 (en) | 2019-08-15 |
Family
ID=67549298
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2018/050796 WO2019155257A1 (en) | 2018-02-08 | 2018-02-08 | Secure communication in a cluster of virtual machines |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2019155257A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120054486A1 (en) * | 2010-08-31 | 2012-03-01 | MindTree Limited | Securing A Virtual Environment And Virtual Machines |
US8966581B1 (en) * | 2011-04-07 | 2015-02-24 | Vmware, Inc. | Decrypting an encrypted virtual machine using asymmetric key encryption |
2018
- 2018-02-08 WO PCT/IB2018/050796 patent/WO2019155257A1/en active Application Filing
Similar Documents
Publication | Title |
---|---|
US11575660B2 (en) | End-to-end encryption for personal communication nodes |
US9008312B2 (en) | System and method of creating and sending broadcast and multicast data |
US10135618B2 (en) | Method for using dynamic Public Key Infrastructure to send and receive encrypted messages between software applications |
US9992177B2 (en) | Method and system for modifying an authenticated and/or encrypted message |
EP0906677A2 (en) | Cryptographic communication system |
CN1234662A (en) | Enciphered ignition treatment method and apparatus thereof |
US20150229621A1 (en) | One-time-pad data encryption in communication channels |
CN101529805A (en) | Relay device |
US9130744B1 (en) | Sending an encrypted key pair and a secret shared by two devices to a trusted intermediary |
CN102088352B (en) | Data encryption transmission method and system for message-oriented middleware |
US11722466B2 (en) | Methods for communicating data utilizing sessionless dynamic encryption |
CN106549858A (en) | A kind of instant messaging encryption method based on id password |
CN103685181A (en) | Key negotiation method based on SRTP |
CN112702332B (en) | Chain key exchange method, client, server and system |
JP2000031957A (en) | Communication system |
WO2019155257A1 (en) | Secure communication in a cluster of virtual machines |
CN115150076A (en) | Encryption system and method based on quantum random number |
JP2007512743A (en) | A system to increase the security of e-mail transmission in the Internet network |
Black et al. | Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3 |
CN112073370B (en) | Client encryption communication method |
CN107864123A (en) | A kind of network talkback machine safe transmission method and system |
WO2023228623A1 (en) | Encryption system and encryption method |
CN113890733A (en) | Gateway system based on safety communication |
US20150127944A1 (en) | Method for secure and anonymous electronic communication via cryptography-facilitated delivery |
JP2001094600A (en) | Message transfer node and network |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18905544; Country of ref document: EP; Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 18905544; Country of ref document: EP; Kind code of ref document: A1 |