EP3563513A1 - Techniques d'échange de clé pour établir une connexion sécurisée dans un environnement de virtualisation de fonction de réseau - Google Patents

Techniques d'échange de clé pour établir une connexion sécurisée dans un environnement de virtualisation de fonction de réseau

Info

Publication number
EP3563513A1
EP3563513A1 EP16925910.8A EP16925910A EP3563513A1 EP 3563513 A1 EP3563513 A1 EP 3563513A1 EP 16925910 A EP16925910 A EP 16925910A EP 3563513 A1 EP3563513 A1 EP 3563513A1
Authority
EP
European Patent Office
Prior art keywords
vnf
encrypted
fingerprint
session key
logic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP16925910.8A
Other languages
German (de)
English (en)
Inventor
Weigang Li
Danny Yigang ZHOU
Changzheng WEI
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intel Corp
Original Assignee
Intel Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intel Corp filed Critical Intel Corp
Publication of EP3563513A1 publication Critical patent/EP3563513A1/fr
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution

Definitions

  • Examples described herein are generally related to a key exchanged for use in encrypting/decrypting data and for protecting the key exchanged.
  • NFV network function virtualization
  • VMs virtual machines
  • VNFs virtual network functions
  • a given VNF executed by one or more VMs may fulfill a function that may have been previously implemented using dedicated hardware devices (e.g., firewalling, network address translation, etc. ) .
  • FIG. 1 illustrates an example system
  • FIG. 2 illustrate an example scheme for fingerprint encryption.
  • FIG. 3 illustrates an example scheme for fingerprint decryption.
  • FIG. 4 illustrates an example process
  • FIG. 5 illustrates an example first logic flow
  • FIG. 6 illustrates an example scheme for data or packet encryption.
  • FIG. 7 illustrates an example scheme for data or packet decryption.
  • FIG. 8 illustrates an example block diagram for a first apparatus.
  • FIG. 9 illustrates an example of a second logic flow.
  • FIG. 10 illustrates an example of a first storage medium.
  • FIG. 11 illustrates an example block diagram for a second apparatus.
  • FIG. 12 illustrates an example of a third logic flow.
  • FIG. 13 illustrates an example of a second storage medium.
  • FIG. 14 illustrates an example computing platform.
  • FIG. 15 illustrates an example hardware security module.
  • multiple VMs may be hosted by a host computing system.
  • the multiple VMs may separately execute one or more VNFs.
  • a hypervisor or virtual machine manager (VMM) implemented by an operating system (OS) of a host computing platform may allocate memory or storage resources to VMs to enable input/output (I/O) access to allocated portions of these memory or storage devices by the VMs.
  • OS operating system
  • a secure connection (e.g., transport layer security) between VNFs executed by VMs either hosted by a same or different computing platform may be established.
  • a way to establish the secure connection may include exchange of a session key for use in encryption/decryption of data or packets transmitted/received via the secure connection.
  • a common method for session key exchange may be based on Public Key Infrastructure (PKI) using such asymmetric cryptographic algorithms as Rivest, Shamir, and Adelman (RSA) or Diffie Hellman (DH) .
  • PKI Public Key Infrastructure
  • RSA Rivest, Shamir, and Adelman
  • DH Diffie Hellman
  • Establishment of a secure connection between VNFs based on PKI and use of asymmetric cryptographic algorithms such as RSA or DH algorithms may be problematic.
  • use of asymmetric cryptographic algorithms such as RSA or DH to establish the secure connection may be computation-intensive and relatively slow.
  • symmetric cryptographic algorithms such as, but not limited to, data encryption standard (DES) cryptographic algorithms
  • encryption/decryption using RSA algorithms may be around 1,000 times slower than encryption/decryption using DES algorithms.
  • use of these computation-intensive and relatively slow asymmetric cryptographic algorithms may cause a significantly negative performance impact when VNFs attempt to exchange data or packets via this type of secure connection.
  • the session key may be stored in plaintext form in memory allocated to respective VMs executing the VNFs that established the secure connection.
  • the plaintext form of the session key may create a security risk as the session key could be intercepted by a hacker or spoofing VNF. It is with respect to these challenges that the examples described herein are needed.
  • FIG. 1 illustrates an example system 100.
  • system 100 includes a processor 110 coupled with a system memory 120 and a hardware security module (HSM) 150 via respective links 130 and 140.
  • HSM hardware security module
  • processor 110 may be capable of supporting a plurality of virtual machines (VMs) including VM 160-1 to 160-N, where “N” as used for VMs 160-1 to 160-N and other elements of system hereinafter refers to any whole positive integer greater than 2.
  • VMs virtual machines
  • system memory 120, processor 110 and HSM 150 may be physical elements arranged as part of NFV infrastructure that supports virtual elements such as VMs 160-1 to 160-N that may execute applications associated with VNFs.
  • VMs 160-1, 160-2 and VM 160-N may respectively execute one or more applications associated with respective VNFs shown in FIG. 1 as VNF-A, VNF-B and VNF-C.
  • VNF-A, VNF-B or VNF-C may fulfill a function, task or service that may include, but is not limited to, firewalling, domain name service (DNS) , caching or network address translation (NAT) .
  • DNS domain name service
  • NAT network address translation
  • technologies including, but not limited to, technologies for an input/output memory management unit (IOMMU) or a single root input/output virtualization (SR-IOV) may be utilized by hardware elements of system 100 to support VNF-to-VNF communication between VNFs hosted by a same or different computing platform.
  • VNF-to-VNF communications may be facilitated via use of isolated virtual functions (VFs) executed at the hardware elements of system 100.
  • VFs isolated virtual functions
  • Each isolated VF may be directly assigned to a given VNF executed by a respective VM.
  • a hypervisor (not shown) arranged to manage VMs may directly assign isolated VFs for respective VNFs.
  • secure VNF-to-VNF communications and/or data exchange may be facilitated by these isolated VFs that may be executed or supported by an HSM such as HSM 150 to facilitate establishment of a secure connection for the VNF-to-VNF communications and/or data exchange.
  • HSM HSM 150
  • a secure connection may be established between VNFs A-C executed by respective VMs 160-1 to 160-N or may be established between VNFs executed by VMs hosted by a separate computing platform. This establishment of a secure connection may be facilitated by respective VFs 161-1 to 161-N.
  • VFs 161-1 to 161-N may be executed or supported by logic and/or features of HSM 150 such as HSM logic 156.
  • VFs 161-1 to 161-N may be directly assigned to respective VNF-A, VNF-B and VNF-C to serve as a lightweight encryption/decryption function to support SR-IOV for secure VNF-to-VNF communications and/or data exchange.
  • VFs 161-1 to 161-N may be driven/controlled via respective VF drivers 162-1 to 162-N associated with VNF-Ato VNF-C to allow these VNFs to directly interact with VFs 161-1 to 161-N.
  • direct interaction between a VNF and a VF at HSM 150 may be through a root complex 111 included in an integrated I/O 112 for processor 110 that may couple with HSM 150 via link 140.
  • root complex 111 and logic and/or features of HSM 150 may utilize communication protocols and interfaces according to the Peripheral Component Interconnect (PCI) Express Base Specification, revision 3.1a, published in December 2015 ( "PCI Express specification” or "PCIe specification” ) to enable VF drivers 162-1 to 162-N to directly interact with VFs 161-1 to 161-N via link 140.
  • PCI Peripheral Component Interconnect
  • This direct interaction may establish a passthrough connection between VNFs A-C and HSM 150 that may not involve management/control software such as a VMM or hypervisor after these VNFs have been directly assigned to respective VFs 161-1 to 161-N.
  • Direct interaction may include exchanging information to determine physical memory addresses in system memory 120 allocated to respective VMs executing VNFs A-C for use in encrypting/decrypting data/packets as described more below.
  • processor 110 may include processing element (s) 119.
  • Processing element (s) 119 may include one or more processing cores.
  • VMs 160-1 to 160-N may be supported by separate processing cores or may be supported by combination of processing cores.
  • Processor 110 may also include a ring bus 117 arranged to facilitate communications between processing element (s) 119, memory controller 118 and elements of integrated I/O 112 to further the support of VNFs A-C executed by VMs 160-1 to 160-N.
  • memory controller 118 may manage read or write requests to system memory 120 via link 130 in support of VNFs A-C executed by VMs 160-1 to 160-N.
  • integrated I/O 112 may facilitate communications with HSM 150 via link 140 in support of VNFs A-C executed by VMs 160-1 to 160-N.
  • integrated I/O 112 may also include a direct memory access (DMA) engine 114 and an input/output memory management unit (IOMMU) 115. These elements of integrated I/O 112 may be coupled via an integrated I/O (IIO) bus 116. These elements of integrated I/O 112 may include logic and/or features capable of facilitating efficient movement of data associated with session keys, network packets or data that may be encrypted or decrypted for VNFs executed by VMs supported by processor 110. VMs such as VMS 160-1 to 160-N may have allocated portions or regions of system memory 120.
  • DMA direct memory access
  • IOMMU input/output memory management unit
  • Lookup DMA remapping table 109 maintained at IOMMU 115 that may be utilized to translate GPAs used by VMs/VNFs to host physical addresses (HPAs) used by DMA engine 114 for DMA of data to allocated memory regions of system memory 120.
  • Data for a given DMA to an allocated memory region may be associated with session keys, network packets /data to be encrypted or decrypted for VNFs.
  • portions or regions of physical memory included in system memory 120 may be separately allocated or assigned to VMs 160-1 to 160-N.
  • memory region 122-1 may be a portion of physical memory allocated to VM 160-1
  • memory region 122-2 may be allocated or assigned to VM 160-2
  • memory region 122-N may be allocated or assigned to VM 160-3.
  • allocated portions of system memory 120 may be utilized as part of establishing and maintaining a secure connection between VNFs.
  • system memory 120 may be used to at least temporarily store encrypted/ciphertext session key (s) , encrypted/ciphertext data/packets as well as plaintext data/packets.
  • HSM logic 156 of HSM 150 may be capable of facilitating establishment and maintaining of secure connections between VNFs executed by VMs such as VMs 160-1 to 160-N hosted by a first computing platform.
  • HSM logic similar to HSM logic 156 for another HSM hosted by a second computing platform may be capable of facilitating establishment and maintaining of secure connections between VNFs executed by VMs hosted by the first computing platform and VNFs executed by VMs hosted by the second computing platform.
  • HSMs may securely maintain a same or common root key, e.g., stored/protected by on-chip memory that cannot be accessed by any software outside of the HSMs.
  • the same or common root key may be associated with HSMs hosted by computing platform (s) from a same organization that may be, but is not limited to, a same data center, a same service provider or a same intra network.
  • logic and/or features of a given HSM may be part of an application specific integrated circuit (ASIC) , field programmable gate array (FPGA) or chipset designed to operate according to QuickAssist Technology (QAT) , Platform Trust Technology /Trusted Platform Module (PTT/TPM) or other types of security-related technologies.
  • ASICs, FPGAs or chipsets may be configured as a type of cryptographic accelerator or offload engine supporting establishment and maintaining of secure connections between VNFs executed by VMs.
  • HSM logic 156 of HSM 150 may be capable of creating a fingerprint that is unique to the given VNF.
  • fingerprint-A, fingerprint-B and fingerprint-C may be created by HSM logic 156 for respective VNF-A, VNF-B and VNF-C responsive to startup of these respective VNFs at VMs 160-1 to 160-N.
  • unencrypted or plaintext versions of these fingerprints may be stored/protected inside HSM 150, e.g., stored/protected by on-chip memory that cannot be accessed by any software outside of the HSM 150.
  • a process to establish a secure connection between VNFs may use fingerprints encrypted with a root key to enable VNFs to securely exchange a session key.
  • the session key may be encrypted and stored as ciphertext in memory allocated to respective VMs executing the VNFs having the established secure connection (e.g., memory region 122-1 for VNF-A executed by VM 160-1) .
  • HSM logic 156 may be capable of decrypting an encypted/ciphertext session key and then use the raw or plaintext session key to encrypt or decrypt data or data packets sent or received over the secure connection.
  • system memory 120, processor 110 and HSM 150 may be hosted by a host computing platform that may include, but is not limited to, a server, a server array or server farm, a web server, a network server, an Internet server, a work station, a mini-computer, a main frame computer, a supercomputer, a network appliance, a web appliance, a distributed computing system, multiprocessor systems, processor-based systems, or combination thereof.
  • a host computing platform may include, but is not limited to, a server, a server array or server farm, a web server, a network server, an Internet server, a work station, a mini-computer, a main frame computer, a supercomputer, a network appliance, a web appliance, a distributed computing system, multiprocessor systems, processor-based systems, or combination thereof.
  • processor 110 may include various commercially available processors, including without limitation an and processors; application, embedded and secure processors; and and processors; IBM and Cell processors; Core (2) Core i3, Core i5, Core i7, or Xeon processors; and similar processors.
  • system memory 120 may be composed of one or more memory devices or dies which may include various types of volatile and/or non-volatile memory.
  • on-die memory at HSM 150 that may be arranged to store/protect root keys or fingerprints may include one or more memory devices or dies.
  • the one or more memory devises or dies may include various types of volatile and/or non-volatile memory.
  • Volatile memory may include, but is not limited to, random-access memory (RAM) , Dynamic RAM (D-RAM) , double data rate synchronous dynamic RAM (DDR SDRAM) , static random-access memory (SRAM) , thyristor RAM (T-RAM) or zero-capacitor RAM (Z-RAM) .
  • Non-volatile memory may include, but is not limited to, non-volatile types of memory such as 3-D cross-point memory that may be byte or block addressable. These byte or block addressable non-volatile types of memory may include, but are not limited to, memory that uses chalcogenide phase change material (e.g., chalcogenide glass) , multi-threshold level NAND flash memory, NOR flash memory, single or multi-level phase change memory (PCM) , resistive memory, nanowire memory, ferroelectric transistor random access memory (FeTRAM) , magnetoresistive random access memory (MRAM) that incorporates memristor technology, spin transfer torque MRAM (STT-MRAM) , or a combination of any of the above, or other non-volatile memory types.
  • chalcogenide phase change material e.g., chalcogenide glass
  • multi-threshold level NAND flash memory NOR flash memory
  • PCM single or multi-level phase change memory
  • FIG. 2 illustrates an example scheme 200 for fingerprint encryption.
  • scheme 200 includes encrypting a plaintext fingerprint 210 to generate an encrypted fingerprint 220.
  • a plaintext or raw fingerprint may be generated for each VNF directly assigned to VFs supported by an HSM such as HSM 150 shown in FIG. 1.
  • HSM 150 shown in FIG. 1.
  • fingerprints A-C for VNFs A-C executed by respective VMs 160-1 to 160-N.
  • Each unique fingerprint may be generated by logic and/or features of an HSM such as HSM logic 156 for HSM 150 responsive to startup of a VNF executed by a respective VM.
  • the unique fingerprint may be in the format of plaintext fingerprint 210 and as shown in FIG.
  • VNF identification (ID) 212 may include a VNF identification (ID) 212, a random #214 and a tag 216.
  • plaintext fingerprint 210 may be encrypted using a root_key 230 to generate an encrypted fingerprint 220.
  • a process to establish a secure connection between VNFs may use encrypted fingerprints such as fingerprint 220 to enable VNFs to securely exchange a session key.
  • VNF ID 212 may be any kind of information to identify a VNF for which the plaintext fingerprint 210 was generated.
  • a given VNF ID may be assigned by a VMM, hypervisor or service provider utilizing the VNF.
  • An example VNF ID may be related to a type of function the VNF may be performing that may include, but is not limited to, a firewall service function, a virtual router function, a network address translation function, a session border controller function, a video-optimizer function or a content distribution network function.
  • a first VNF ID may be an identification number assigned to a firewall
  • a second VNF ID may be an identification number assigned to a virtual router
  • a third VNF ID may be an identification number assigned to a network address translation
  • a fourth VNF ID may be an identification number assigned to a session border controller
  • a fifth VNF ID may be an identification number assigned to a video-optimizer
  • a sixth VNF ID may be an identification number assigned to a content distribution network.
  • random #214 may be a random number generated by logic and/or features of an HRM such as HRM logic 156 of HRM 150 as part of the generation of plaintext fingerprint 210. Also, part of the generation of plaintext fingerprint 210 may involve formation or generation of tag 216.
  • Tag 216 may be a value associated with a message authentication code (MAC) algorithm that is formed or generated by generating a value for tag 216 using root_key 230 in combination with VNF ID 212 and random #214 as inputs to the MAC algorithm.
  • MAC message authentication code
  • Example equation 1 illustrates an example generation of a MAC value for tag 216.
  • Tag MAC (VNF ID
  • tag 216 may be used in a verification process to verify whether tag 216 had been modified following generation of encrypted fingerprint 220, transmitting of encrypted fingerprint 220 and subsequent decryption of encrypted fingerprint 220 following receipt of encrypted fingerprint 220. Also, as a further form of verification, a plaintext version of VNF ID 212 may be added to encrypted fingerprint 220 to verify the sending VNF’s authenticity to a receiving VNF.
  • FIG. 3 illustrates an example scheme 300 for fingerprint decryption and verification.
  • scheme 300 includes decrypting encrypted fingerprint 220 using root_key 230 to result in plaintext fingerprint 210.
  • the resulting decrypted VNF ID 212 may be compared to a plaintext version of VNF ID 212 that was received with encrypted fingerprint 220 to verify the authenticity of the VNF that sent encrypted fingerprint 220.
  • scheme 300 may include further verification steps to verify tag 216 included in plaintext fingerprint 210.
  • MAC 310 may include use of the MAC algorithm to generate a tag’ 312 that results in a regenerated version of tag 126.
  • the MAC algorithm using root_key 230 in combination with VNF-C ID and random #214 as inputs may generate tag’ 312.
  • Tag’ 312 may be compared to tag 216 to verify the authenticity of plaintext fingerprint 210. If tag’ 312 does not match tag 216, then plaintext fingerprint 210 fails verification and attempts to establish a secure connection using plaintext fingerprint 210 may be aborted and/or a message may be relayed to the sending VNF that verification failed.
  • FIG. 4 illustrates an example process 400.
  • process 400 may be for initiating a key exchange process to establish a secure connection between VNFs hosted by separate computing platforms.
  • elements of system 100 as shown in FIG. 1 may be related to process 400.
  • These elements of system 100 may include, but are not limited to, logic and/or features of HSM 150 in communication with VF drivers 162-1 to 161-N for respective VNFs A-C executed by VMs hosted by a first computing platform (not shown) , the VMs managed/controlled by hypervisor 401. Also, as shown in FIG.
  • example schemes 200 and 300 as shown in FIGS. 2-3 may also be related to process 400.
  • example process 400 is not limited to implementations using elements of system 100 shown in FIG. 1 or example schemes 200 or 300 shown in FIGS. 2-3.
  • VNF-C may initiate a secure connection with VNF-D via a message such as, but not limited to, “client hello” message used in establishing a secure socket layer (SSL) connection.
  • the secure connection may be established to enable VNF-C to securely exchange data and/or packets with VNF-D.
  • Initiation may occur via a client hello message sent via a network connection maintained between the first and second computing platforms.
  • VNF-D may utilize VF driver 462-1 to request, via a passthrough connection with VF 461-1, that HSM 450 provide an encrypted fingerprint-D.
  • a unique fingerprint may be generated responsive to startup of a VNF.
  • Fingerprint-D may have been generated by HSM logic 456 responsive to startup of VNF-D and then stored in an unencrypted or plaintext version inside HSM 450 (e.g., in on-chip memory) .
  • HSM logic 456 may encrypt fingerprint-D according to scheme 200 as shown in FIG. 2 that uses a shared root key 405 and then provide the encrypted fingerprint-D to VNF-D.
  • VNF-D may send the encrypted fingerprint-D via a message, such as but not limited to, an SSL “server hello” message.
  • the message may be sent via the network connection maintained between the first and second computing platforms.
  • the encrypted fingerprint-D may also include an attached plaintext version of VNF-D’s ID for later use in authenticating VNF-D.
  • VF driver 162-N for VNF-C may send the encrypted fingerprint-D with the attached plaintext version of VNF-D’s ID to HSM 150 via use of a passthrough connection with VF 161-N and request that HSM 150 generate a session key to facilitate establishment of a secure connection.
  • HSM logic 156 may decrypt the encrypted fingerprint-D using root key 405 and then verify both the authenticity of VNF-D as well as the authenticity of decrypted fingerprint-D according to scheme 300 as shown in FIG. 3.
  • Fingerprint-D may be stored or maintained at HSM 150 (e.g., in on-chip memory) .
  • HSM logic 156 may then generate a random number for use as a session key 410 and then encrypt session key 410 via an example first encryption scheme that includes root key 405 being XOR’ d with plaintext fingerprint-D now maintained at HSM 150. Examples are not limited to the example first encryption scheme to encrypt session key 410. Other encryption schemes are contemplated to encrypt session key 410.
  • Encrypted session key 410 is then provided to VNF-C via use of the passthrough connection between VF-driver 162-N and VF 161-N.
  • VNF-C may provide encrypted session key 410 to VNF-D.
  • session key 410 due to session key 410’s encryption, any interception by a rogue or bad actor prevents access to the plaintext session key.
  • VNF-D may receive encrypted session key 410 and may cause encrypted session key 410 to be at least temporarily stored to memory allocated to the VM executing VNF-D.
  • VNF-D may need to encrypt data or packets to be sent to VNF-C.
  • VNF-D may utilize the passthrough connection between VF-driver 462-1 and VF 461-1 to enable logic and/or features of HSM 450 to access the stored encrypted session key 410 for use in encrypting data or packets to be sent to VNF-C.
  • HSM 450 such as HSM 456 may use an example first decryption scheme that includes decrypting the obtained encrypted session key 410 by root key 405 being XOR’ d with plaintext fingerprint-D maintained at HSM 450. Examples are not limited to the example first decryption scheme to decrypt the encrypted session key 410. Other decryption schemes are contemplated to decrypt encrypted session key 410.
  • the plaintext version of session key 410 may then be used to encrypt data or packets to be sent to VNF-C. The protection of session key 410 is thus maintained and this establishes a secure connection between VNF-C and VNF-D. Process 400 may then come to an end.
  • a similar process to process 400 may be implemented between VNFs executed by VMs hosted by a same computing platform.
  • a secure connection may be established through internal network connections routed between VMs executing respective VNFs.
  • examples are not limited to initiating a key exchange process and then establishing a secure connection between VNFs executed by respective VMs hosted by separate computing platforms.
  • FIG. 5 illustrates an example logic flow 500.
  • logic flow 500 may be implemented by logic and/or features at VNF-C executed by VM 162-N and at VNF-D executed by VM 462-1 as shown in FIG. 4.
  • logic flow 500 depicts a flow of actions from a perspective of VNF-C and VNF-D for initiation of a key exchange process to establish a secure connection between VNF-C and VNF-D.
  • initiation and establishment of the secure connection may be in a similar manner to process 400 shown in FIG. 4 and described above.
  • VNF-C may initiate or start a key exchange with VNF-D.
  • initiation of the key exchange may include sending a message to VNF-D such as an SSL “client hello” message.
  • the client hello message may include an indication that VNF-C requests that a secure connection be established with VNF-D.
  • the client hello message may be sent via a network connection maintained between first and second computing platforms separately hosting respective VMs executing VNF-C and VNF-D.
  • VNF-D may receive the client hello message from VNF-C that indicates VNF-C’s request to establish a secure connection with VNF-D.
  • logic flow 500 moves to block 510 from VNF-D’s perspective and to block 512 from VNF-C’s perspective.
  • lack of support may include no direct assignment of VNF-C or VNF-D to respective VF 161-N and VF 461-1 at respective HSM 150 and HSM 450. No direct assignment, in some examples, may be due to a lack of an HSM at either computing platform hosting the VMs executing VNFs C-D. Otherwise, if not supporting a key exchange process utilizing an HSM, logic flow 500 moves to block 508
  • a normal key exchange process between VNF-C and VNF-D may be completed.
  • the normal key exchange may include a session key exchange based on PKI using asymmetric cryptographic algorithms such as RSA or DH.
  • the normal key exchange may complete establishment of a secure connection from a perspective of both VNF-C and VNF-D when either of these VNFs lack support of an HSM exchange process.
  • logic and/or features at VNF-D may send a request to logic and/or features of HSM 450 to encrypt fingerprint-D.
  • Logic and/or features of HSM 450 may encrypt fingerprint-D according to scheme 200 as shown in FIG. 2 and then provide the encrypted fingerprint-D to VNF-D.
  • Logic and/or features of VNF-D may then cause encrypted fingerprint-D to be sent to VNF-C.
  • logic and/or features of VNF-C may receive the encrypted fingerprint-D and provide encrypted fingerprint-D to HSM 150 and request that HSM 150 decrypt and verify fingerprint-D and once verified, generate a session key.
  • HSM 150 such as HSM logic 156 may verify fingerprint-D according to scheme 300 shown in FIG. 3 and once verified may generate a session key, encrypt the session key and then provide the encrypted session key to VNF-C.
  • the encrypted session key may be provided via VF 162-1.
  • VF 162-1 may cause the encrypted session key to be stored in memory allocated to VM 160-N executing VNF-C. For example, memory region 122-N as shown in FIG. 1.
  • logic and/or features of VNF-C may cause the encrypted session key to be sent to VNF-D.
  • this sending of the encrypted session key completes establishment of a secure connection from the perspective of VNF-C.
  • VNF-D may receive the encrypted session key and then provide the encrypted session key to HSM 450.
  • the encrypted session key may be provided to HSM 450 for use in encrypting/decrypting data /packets to be sent to or received from VNF-C.
  • Providing the encrypted session key may include VNF-D first causing the encrypted session key to be stored to memory allocated to the VM executing VNF-D.
  • VNF-D may then utilize VF driver 462-1 to coordinate with VF 461-1 at HSM 450 to obtain the encrypted session key from the allocated memory.
  • HSM 450 may decrypt the encrypted session key for encrypting/decrypting data /packets.
  • HSM 456 may decrypt the encrypted session key using a shared root key and plaintext fingerprint-D. Obtaining and then decrypting the encrypted session key may complete establishment of a secure connection from the perspective of VNF-D.
  • FIG. 6 illustrates an example scheme 600 for data or packet encryption.
  • scheme 600 may be implemented by logic and/or features at an HSM such as HSM logic 156 of HSM 150 as shown in FIG. 6.
  • data or packet encryption may be responsive to a request to encrypt data or packets to be sent to VNF-D via an established secure connection (e.g., session key 410 has been exchanged) .
  • the request may be made by logic and/or features of VNF-C.
  • VNF-C is executed by VM 160-N.
  • memory region 122-N may be a portion of memory allocated to VM 160-N.
  • HSM logic 156 may begin scheme 600 by obtaining encrypted/ciphertext session key 410 from memory region 122-N and then perform a symmetric decryption via XOR of root key 405 and plaintext fingerprint-D to result in plaintext session key 410.
  • plaintext data/packet 605 may be obtained from memory region 122-N by HSM logic 156.
  • Plaintext data/packet 605 may then be encrypted via a symmetric encryption that uses plaintext session key 410 and a symmetric cryptographic algorithm such as, but not limited to, advance encryption standard (AES) or data encryption standard (DES) cryptographic algorithms.
  • AES advance encryption standard
  • DES data encryption standard
  • encrypted/ciphertext data/packet 605 may be stored in memory region 122-N.
  • VNF-C may then cause encrypted/ciphertext data/packet 605 to be sent to VNF-D.
  • FIG. 7 illustrates an example scheme 700 for data or packet decryption.
  • scheme 700 may be implemented by logic and/or features at an HSM such as HSM logic 456 of HSM 450 as shown in FIG. 6.
  • data or packet encryption may be responsive to a request to decrypt encrypted data or packets received from VNF-C via an established secure connection (e.g., session key 410 has been exchanged) .
  • the request may be made by logic and/or features of VNF-D. Similar to VNF-C, VNF-D may be executed by a VM having allocated memory. Memory region 422-1 may represent the portion of memory allocated to this VM.
  • HSM logic 456 may begin scheme 600 by obtaining encrypted/ciphertext session key 410 from memory region 422-1 and then perform a symmetric decryption via XOR of root key 405 and plaintext fingerprint-D to result in plaintext session key 410.
  • encrypted/ciphertext data/packet 605 may be obtained from memory region 422-1 by HSM logic 456. Encrypted/ciphertext data/packet 605 may then be decrypted via a symmetric decryption that uses plaintext session key 410 and the same symmetric cryptographic algorithm used by HSM 156 to encrypt data/packet 605. Following decryption, plaintext data/packet 605 may be stored in memory region 422-1 for subsequent access by VNF-D.
  • VNFs do not have access to plaintext versions of session key 410.
  • packet processing related to encryption/decryption may be carried out without exposing this type of packet processing to software such an OS, a VMM or a hypervisor at each hosting computing platform.
  • FIG. 8 illustrates an example block diagram for apparatus 800.
  • apparatus 800 shown in FIG. 8 has a limited number of elements in a certain topology, it may be appreciated that the apparatus 800 may include more or less elements in alternate topologies as desired for a given implementation.
  • apparatus 800 may be supported by circuitry 820.
  • circuitry 820 may be at a processor for a computing system, e.g., processor 110 as shown in FIG. 1.
  • the processor may support one or more VMs that may separately execute a respective VNF, e.g., VMs 160-1 to 160-N executing VNFs A-C as shown in FIG. 1.
  • Circuitry 820 may be arranged to execute one or more software or firmware implemented modules, components or logic 822-a (module, component or logic may be used interchangeably in this context) . It is worthy to note that “a” and “b” and “c” and similar designators as used herein are intended to be variables representing any positive integer.
  • a complete set of software or firmware for modules, components or logic 822-a may include logic 822-1, 822-2, 822-3 or 822-4.
  • logic 822-1, 822-2, 822-3 or 822-4 may represent the same or different integer values.
  • logic , “module” or “component” may also include software/firmware stored in computer-readable media, and although types of logic are shown in FIG. 8 as discrete boxes, this does not limit these types of logic to storage in distinct computer-readable media components (e.g., a separate memory, etc. ) .
  • circuitry 820 may include a processor, processor circuit or processor circuitry. Circuitry 820 may be generally arranged to execute one or more software components 822-a. Circuitry 820 may be any of various commercially available processors, including without limitation an and processors; application, embedded and secure processors; and and processors; IBM and Cell processors; Core (2) Core i3, Core i5, Core i7, Xeon and processors; and similar processors. According to some examples circuitry 820 may also include an application specific integrated circuit (ASIC) and at least some logic 822-amay be implemented as hardware elements of the ASIC. According to some examples, circuitry 820 may also include a field programmable gate array (FPGA) and at least some logic 822-amay be implemented as hardware elements of the FPGA.
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • apparatus 800 may include in initiation logic 822-1.
  • Initiation logic 822-1 may be executed by circuitry 820 to initiate a key exchange between a first VNF executed by a first VM supported by the processor and a second VNF executed by a second VM.
  • client hello message 805 may indicate initiation of the key exchange between the first and second VNFs via an indication of a request to establish a secure connection over a network connection.
  • apparatus 800 may include a receive logic 822-2.
  • Receive logic 822-2 may be executed by circuitry 820 to receive from the second VNF an encrypted fingerprint, the encrypted fingerprint encrypted via use of a root key, a plaintext of the fingerprint to include an identification of the second VNF, a randomly generated number, and a MAC.
  • the encrypted fingerprint may be included in server hello message 810 sent from the second VNF.
  • apparatus 800 may also include a provide logic 822-3.
  • Provide logic 822-3 may be executed by circuitry 820 to provide the encrypted fingerprint to an HSM coupled with the processor, the HSM to decrypt the encrypted fingerprint via use of the root key, generate a session key, encrypt the session key via use of the decrypted fingerprint and the root key, and provide the encrypted session key to the first VNF.
  • provide logic 822-3 may provide the encrypted fingerprint by causing the encrypted fingerprint to be stored in a portion of system memory at a first GPA, the system memory for a computing platform hosting the processor arranged to support the first VM, the portion of memory allocated to the first VM and then sending the first GPA to a virtual function at the HSM.
  • the virtual function may be directly assigned to the first VNF and capable of accessing the portion of memory allocated to the first VM based on the direct assignment. According to some examples, the virtual function may send a request message to the processor that includes the first GPA in order to obtain the encrypted fingerprint.
  • the first GPA may be included in GPA (s) for encrypted fingerprint 830. Also, subsequent to decryption of the fingerprint, the decrypted fingerprint may be maintained in on-chip memory at the HSM.
  • apparatus 800 may also include a send logic 822-4.
  • Send logic 822-4 may be executed by circuitry 820 to send the encrypted session key to the second VNF for the second VNF to cause the encrypted session key to be decrypted via use of the plaintext of the fingerprint and the root key, the session key may be for use to encrypt data sent to the first VNF from the second VNF over the network connection for which the secure connection was requested.
  • provide logic 822-3 may cause the encrypted session key that was provided by the HSM to the first VNF to be stored at a second GPA in the portion of memory allocated to the first VM. Subsequently, receive logic 822-2 may receive encrypted data from the second VNF over the network connection, the encrypted data encrypted via use of the session key. The encrypted data may be included in encrypted data 815. Provide logic 822-3 may then cause the encrypted data to be stored at a third GPA in the portion of memory allocated to the first VM and send the second GPA to the directly assigned virtual function to provide the encrypted session key to the HSM, the HSM to decrypt the encrypted session key via use of the decrypted fingerprint and the root key.
  • the second GPA may be included in GPA (s) for encrypted session key 840.
  • Provide logic 822-3 may then send the third GPA to the directly assigned virtual function to provide the encrypted data received from the second VNF to the HSM.
  • the third GPA may be included in GPA (s) for encrypted data 850.
  • the HSM may then decrypt the encrypted data via use of the session key and then cause the decrypted or plaintext data to be stored at a fourth GPA in the portion of memory allocated to the first VM.
  • the fourth GPA may be included in GPA (s) for decrypted data 860.
  • Various components of apparatus 800 and a device or node implementing apparatus 800 may be communicatively coupled to each other by various types of communications media to coordinate operations.
  • the coordination may involve the uni-directional or bi-directional exchange of information.
  • the components may communicate information in the form of signals communicated over the communications media.
  • the information can be implemented as signals allocated to various signal lines. In such allocations, each message is a signal.
  • Further embodiments, however, may alternatively employ data messages. Such data messages may be sent across various connections.
  • Example connections include parallel interfaces, serial interfaces, and bus interfaces.
  • a logic flow may be implemented in software, firmware, and/or hardware.
  • a logic flow may be implemented by computer executable instructions stored on at least one non-transitory computer readable medium or machine readable medium, such as an optical, magnetic or semiconductor storage. The embodiments are not limited in this context.
  • FIG. 9 illustrates an example logic flow 900.
  • Logic flow 900 may be representative of some or all of the operations executed by one or more logic, features, or devices described herein, such as apparatus 900. More particularly, logic flow 900 may be implemented by at least initiation logic 822-1, receive logic 822-2, provide logic 822-3 or send logic 822-4.
  • logic flow 900 at block 902 may initiate, at a first VNF executed by a first VM, a key exchange with a second VNF executed by a second VM.
  • initiation logic 822-1 may initiate the key exchange.
  • logic flow 900 at block 904 may receive from the second VNF an encrypted fingerprint, the encrypted fingerprint encrypted using a root key, a plaintext of the fingerprint to include an identification of the second VNF, a randomly generated number, and a MAC value.
  • receive logic 822-2 may receive the encrypted fingerprint.
  • logic flow 900 at block 906 may provide the encrypted fingerprint to an HSM coupled with a processor arranged to support the first VM, the HSM to decrypt the encrypted fingerprint via use of the root key, generate a session key, encrypt the session key via use of the decrypted fingerprint and the root key, and provide the encrypted session key to the first VNF.
  • provide logic 822-3 may provide the encrypted fingerprint to the HSM.
  • logic flow 900 at block 908 may send the encrypted session key to the second VNF for the second VNF to cause the encrypted session key to be decrypted via use of the plaintext of the fingerprint and the root key, the session key for use to encrypt data sent to the first VNF from the second VNF over a network connection.
  • send logic 822-4 may cause the encrypted session key to be sent to the second VNF.
  • FIG. 10 illustrates an example storage medium 1000.
  • the first storage medium includes a storage medium 1000.
  • the storage medium 1000 may comprise an article of manufacture.
  • storage medium 1000 may include any non-transitory computer readable medium or machine readable medium, such as an optical, magnetic or semiconductor storage.
  • Storage medium 1000 may store various types of computer executable instructions, such as instructions to implement logic flow 900.
  • Examples of a computer readable or machine readable storage medium may include any tangible media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and so forth.
  • Examples of computer executable instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, object-oriented code, visual code, and the like. The examples are not limited in this context.
  • FIG. 11 illustrates an example block diagram for apparatus 1100.
  • apparatus 1100 shown in FIG. 11 has a limited number of elements in a certain topology, it may be appreciated that the apparatus 1100 may include more or less elements in alternate topologies as desired for a given implementation.
  • apparatus 1100 may be supported by circuitry 1120 at an HSM coupled with a processor, e.g., HSM 150 coupled with processor 110 as shown in FIG. 1.
  • Circuitry 1120 may be arranged to execute one or more software or firmware implemented modules, components or logic 1122-a (module, component or logic may be used interchangeably in this context) .
  • logic may also include software/firmware stored in computer-readable media, and although types of logic are shown in FIG. 11 as discrete boxes, this does not limit these types of logic to storage in distinct computer-readable media components (e.g., a separate memory, etc. ) .
  • circuitry 1120 may include a processor, processor circuit or processor circuitry. Circuitry 1120 may be generally arranged to execute one or more software components 1122-a. Circuity 1120 can be any of various commercially available processors to include but not limited to the processors mentioned above for apparatus 1100. Also, according to some examples, circuitry 1120 may also be an ASIC and at least some logic 1122-amay be implemented as hardware elements of the ASIC. According to some examples, circuitry 1120 may also include an FPGA and at least some logic 1122-amay be implemented as hardware elements of the FPGA.
  • apparatus 1100 may include a fingerprint logic 1122-1.
  • Fingerprint logic 1122-1 may be executed by circuitry 1120 to generate a fingerprint for a first VNF executed by a first VM supported by the processor coupled with the HSM.
  • the fingerprint may include an identification of the second VNF, a randomly generated number and a MAC value.
  • the fingerprint may be generated responsive to initial startup of the first VNF executed by the first VM.
  • apparatus 1100 may include a request logic 1122-2.
  • Request logic 1122-2 may be executed by circuitry 1120 to receive a request to encrypt the fingerprint and to provide the encrypted fingerprint to the first VNF.
  • the request may be included in request 1105
  • apparatus 1100 may also include an encrypt logic 1122-3.
  • Encrypt logic 1122-3 may be executed by circuitry 1120 to encrypt the fingerprint via use a root key and provide the encrypted fingerprint to the first VNF.
  • the encrypt logic to provide the encrypted fingerprint to the first VNF may include encrypt logic causing a virtual function at the HSM to store the encrypted fingerprint in a portion of system memory at a first GPA.
  • the system memory may be for a computing platform hosting the processor that supports the first VM.
  • the portion of memory may have been allocated to the first VM.
  • the virtual function may have been directly assigned to the first VNF and may be capable of accessing the portion of memory allocated to the first VM based on the direct assignment.
  • the virtual function may send a request message to the processor that includes the encrypted fingerprint and the first GPA to cause the encrypted fingerprint to be stored in the portion of system memory.
  • Encrypt logic 1122-3 may indicate the first GPA to the first VNF in order to provide the encrypted fingerprint to the first VNF.
  • the indicated first GPA may be included in GPA (s) for encrypted fingerprint 1110.
  • apparatus 1100 may also include a receive logic 1122-4.
  • Receive logic 1122-4 may be executed by circuitry 1120 to receive an indication from the first VNF that an encrypted session key has been received by the first VNF as part of a key exchange with a second VNF executed by a second VM.
  • apparatus 1100 may also include a decrypt logic 1122-5.
  • Decrypt logic 1122-5 may be executed by circuitry 1120 to obtain the encrypted session key and decrypt the encrypted session key via use of the fingerprint and the root key.
  • the session key (once decrypted) may be for use to encrypt data sent to the second VNF from the first VNF over a network connection.
  • request logic 1122-2 may receive an indication that data stored at a second GPA in the portion of memory allocated to the first VM is to be encrypted via use of the session key.
  • the second GPA may be included in GPA (s) for plaintext data 1130.
  • Receive logic 1122-2 may also receive an indication from the first VNF that the encrypted session key has been stored at a third GPA in the portion of memory allocated to the first VM.
  • the third GPA may be included in GPA (s) for encrypted session key 1115.
  • decrypt logic 1122-5 may obtain the encrypted session key from the third GPA and decrypt the encrypted session key via use of the fingerprint and the root key.
  • Encrypt logic 1122-5 may obtain the data stored at the second GPA and encrypt the data via use of the session key and cause the encrypted data to be stored at a fourth GPA in the portion of memory allocated to the first VM. Encrypt logic 1122-5 may then indicate the fourth GPA to the first VNF for the first VNF to access the encrypted data. The fourth GPA may be included in GPA (s) for encrypted data 1150.
  • Various components of apparatus 1100 and a device implementing apparatus 1100 may be communicatively coupled to each other by various types of communications media to coordinate operations.
  • the coordination may involve the uni-directional or bi-directional exchange of information.
  • the components may communicate information in the form of signals communicated over the communications media.
  • the information can be implemented as signals allocated to various signal lines. In such allocations, each message is a signal.
  • Further embodiments, however, may alternatively employ data messages. Such data messages may be sent across various connections.
  • Example connections include parallel interfaces, serial interfaces, and bus interfaces.
  • FIG. 12 illustrates an example logic flow 1200.
  • Logic flow 1200 may be representative of some or all of the operations executed by one or more logic, features, or devices described herein, such as apparatus 1200. More particularly, logic flow 1200 may be implemented by at least fingerprint logic 1122-1, request logic 1022-2, encrypt logic 1022-3, receive logic 1022-4 or decrypt logic 1122-5.
  • logic flow 1200 at block 1202 may generate, at an HSM coupled with a processor, a fingerprint for a first VNF executed by a first VM supported by the processor, the fingerprint including an identification of the second VNF, a randomly generated number and a MAC value.
  • fingerprint logic 1122-5 may generate the fingerprint.
  • logic flow 1200 at block 1204 may receive a request to encrypt the fingerprint and to provide the encrypted fingerprint to the first VNF.
  • request logic 1122-2 may receive the request.
  • logic flow 1200 at block 1206 may encrypt the fingerprint via use of a root key and provide the encrypted fingerprint to the first VNF.
  • encrypt logic 1122-3 may encrypt the fingerprint.
  • logic flow 1200 at block 1208 may receive an indication from the first VNF that an encrypted session key has been received by the first VNF as part of a key exchange with a second VNF executed by a second VM.
  • receive logic 1122-4 may receive the indication.
  • logic flow 1200 at block 1210 may obtain the encrypted session key and decrypt the encrypted session key via use of the fingerprint and the root key, the session key for use to encrypt data sent to the second VNF from the first VNF over a network connection.
  • decrypt logic 1122-5 may obtain and decrypt the encrypted session key.
  • Encrypt logic 1122-3 may then use the session key to encrypt data sent to the second VNF.
  • FIG. 13 illustrates an example storage medium 1300.
  • the first storage medium includes a storage medium 1300.
  • the storage medium 1300 may comprise an article of manufacture.
  • storage medium 1300 may include any non-transitory computer readable medium or machine readable medium, such as an optical, magnetic or semiconductor storage.
  • Storage medium 1300 may store various types of computer executable instructions, such as instructions to implement logic flow 1300.
  • Examples of a computer readable or machine readable storage medium may include any tangible media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and so forth.
  • Examples of computer executable instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, object-oriented code, visual code, and the like. The examples are not limited in this context.
  • FIG. 14 illustrates an example computing platform 1400.
  • computing platform 1400 may include a processing component 1440, other platform components 1450 or a communications interface 1460.
  • processing component 1440 may execute processing operations or logic for apparatus 800 and/or storage medium 1000.
  • Processing component 1440 may include various hardware elements, software elements, or a combination of both.
  • hardware elements may include devices, logic devices, components, processors, microprocessors, circuits, processor circuits, circuit elements (e.g., transistors, resistors, capacitors, inductors, and so forth) , integrated circuits, ASICs, programmable logic devices (PLDs) , digital signal processors (DSPs) , FPGAs, memory units, logic gates, registers, semiconductor device, chips, microchips, chip sets, and so forth.
  • PLDs programmable logic devices
  • DSPs digital signal processors
  • FPGAs field-programmable gate arrays
  • Examples of software elements may include software components, programs, applications, computer programs, application programs, device drivers, system programs, software development programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, application program interfaces (APIs) , instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. Determining whether an example is implemented using hardware elements and/or software elements may vary in accordance with any number of factors, such as desired computational rate, power levels, heat tolerances, processing cycle budget, input data rates, output data rates, memory resources, data bus speeds and other design or performance constraints, as desired for a given example.
  • platform components 1450 may include common computing elements, memory units, chipsets, controllers, peripherals, interfaces, oscillators, timing devices, video cards, audio cards, multimedia input/output (I/O) components (e.g., digital displays) , power supplies, and so forth.
  • I/O multimedia input/output
  • Examples of memory units or memory devices may include without limitation various types of computer readable and machine readable storage media in the form of one or more higher speed memory units, such as read-only memory (ROM) , random-access memory (RAM) , dynamic RAM (DRAM) , Double-Data-Rate DRAM (DDRAM) , synchronous DRAM (SDRAM) , static RAM (SRAM) , programmable ROM (PROM) , erasable programmable ROM (EPROM) , electrically erasable programmable ROM (EEPROM) , flash memory, polymer memory such as ferroelectric polymer memory, ovonic memory, phase change or ferroelectric memory, silicon-oxide-nitride-oxide-silicon (SONOS) memory, magnetic or optical cards, an array of devices such as Redundant Array of Independent Disks (RAID) drives, solid state memory devices (e.g., USB memory) , solid state drives (SSD) and any other type of storage media suitable for storing information.
  • ROM
  • communications interface 1460 may include logic and/or features to support a communication interface.
  • communications interface 1460 may include one or more communication interfaces that operate according to various communication protocols or standards to communicate over direct or network communication links.
  • Direct communications may occur via use of communication protocols or standards described in one or more industry standards (including progenies and variants) such as those associated with the PCIe specification.
  • Network communications may occur via use of communication protocols or standards such those described in one or more Ethernet standards promulgated by the Institute of Electrical and Electronics Engineers (IEEE) .
  • IEEE Institute of Electrical and Electronics Engineers
  • Ethernet standard promulgated by IEEE may include, but is not limited to, IEEE 802.3-2012, Carrier sense Multiple access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications, Published in December 2012 (hereinafter “IEEE 802.3 specification” ) .
  • Network communication may also occur according to one or more OpenFlow specifications such as the OpenFlow Hardware Abstraction API Specification.
  • Network communications may also occur according to Infiniband Architecture specification.
  • Computing platform 1400 may be implemented in a server or client computing device. Accordingly, functions and/or specific configurations of computing platform 1400 described herein, may be included or omitted in various embodiments of computing platform 1400, as suitably desired for a server or client computing device.
  • computing platform 1400 may be implemented using any combination of discrete circuitry, application specific integrated circuits (ASICs) , logic gates and/or single chip architectures. Further, the features of computing platform 1400 may be implemented using microcontrollers, programmable logic arrays and/or microprocessors or any combination of the foregoing where suitably appropriate. It is noted that hardware, firmware and/or software elements may be collectively or individually referred to herein as “logic” or “circuit. ”
  • exemplary computing platform 1400 shown in the block diagram of FIG. 14 may represent one functionally descriptive example of many potential implementations. Accordingly, division, omission or inclusion of block functions depicted in the accompanying figures does not infer that the hardware components, circuits, software and/or elements for implementing these functions would necessarily be divided, omitted, or included in embodiments.
  • FIG. 15 illustrates an example hardware security module (HSM) 1500.
  • HSM 1500 may include a processing component 1540, other platform components or a communications interface 1560.
  • HSM 1500 may be implemented in a HSM coupled to a processor similar to HSM 150 coupled to processor 110 as shown in FIG. 1 and described above.
  • processing component 1540 may execute processing operations or logic for apparatus 1100 and/or storage medium 1300.
  • Processing component 1540 may include various hardware elements, software elements, or a combination of both.
  • hardware elements may include devices, logic devices, components, processors, microprocessors, circuits, processor circuits, circuit elements (e.g., transistors, resistors, capacitors, inductors, and so forth) , integrated circuits, ASIC, PLDs, DSPs, FPGAs, memory units, logic gates, registers, semiconductor device, chips, microchips, chip sets, and so forth.
  • Examples of software elements may include software components, programs, applications, computer programs, application programs, device drivers, system programs, software development programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, APIs, instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. Determining whether an example is implemented using hardware elements and/or software elements may vary in accordance with any number of factors, such as desired computational rate, power levels, heat tolerances, processing cycle budget, input data rates, output data rates, memory resources, data bus speeds and other design or performance constraints, as desired for a given example.
  • other platform components 1550 may include common computing elements, such as one or more processors, multi-core processors, co-processors, memory units, chipsets, controllers, peripherals, interfaces, oscillators, timing devices, and so forth.
  • Examples of memory units may include without limitation various types of computer readable and machine readable storage media in the form of one or more higher speed memory units, such as ROM, RAM, DRAM, DDRAM, SDRAM, SRAM, PROM, T-RAM, Z-RAM, EPROM, EEPROM, block addressable or byte addressable non-volatile types of memory that may include, but is not limited to, memory that uses chalcogenide phase change material (e.g., chalcogenide glass) , multi-threshold level NAND flash memory, NOR flash memory, single or multi-level PCM, resistive memory, nanowire memory, FeTRAM, MRAM that incorporates memristor technology, STT-MRAM, or any other type of storage media suitable for storing information.
  • communications interface 1560 may include logic and/or features to support a communication interface.
  • communications interface 1560 may include one or more communication interfaces that operate according to various communication protocols or standards to communicate over direct or network communication links. Direct communications may occur via use of communication protocols or standards described in one or more industry standards (including progenies and variants) such as those associated with the PCIe specification.
  • HSM 1500 may be implemented using any combination of discrete circuitry, ASICs, logic gates and/or single chip architectures. Further, the features of HSM 1500 may be implemented using microcontrollers, programmable logic arrays and/or microprocessors or any combination of the foregoing where suitably appropriate. It is noted that hardware, firmware and/or software elements may be collectively or individually referred to herein as “logic” or “circuit” .
  • the exemplary HSM 1500 shown in the block diagram of FIG. 15 may represent one functionally descriptive example of many potential implementations. Accordingly, division, omission or inclusion of block functions depicted in the accompanying figures does not infer that the hardware components, circuits, software and/or elements for implementing these functions would necessarily be divided, omitted, or included in embodiments.
  • IP cores may be stored on a tangible, machine readable medium and supplied to various customers or manufacturing facilities to load into the fabrication machines that actually make the logic or processor.
  • hardware elements may include devices, components, processors, microprocessors, circuits, circuit elements (e.g., transistors, resistors, capacitors, inductors, and so forth) , integrated circuits, ASICs, PLDs, DSPs, FPGAs, memory units, logic gates, registers, semiconductor device, chips, microchips, chip sets, and so forth.
  • software elements may include software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, APIs, instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. Determining whether an example is implemented using hardware elements and/or software elements may vary in accordance with any number of factors, such as desired computational rate, power levels, heat tolerances, processing cycle budget, input data rates, output data rates, memory resources, data bus speeds and other design or performance constraints, as desired for a given implementation.
  • a computer-readable medium may include a non-transitory storage medium to store logic.
  • the non-transitory storage medium may include one or more types of computer-readable storage media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and so forth.
  • the logic may include various software elements, such as software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, API, instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof.
  • a computer-readable medium may include a non-transitory storage medium to store or maintain instructions that when executed by a machine, computing device or system, cause the machine, computing device or system to perform methods and/or operations in accordance with the described examples.
  • the instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, and the like.
  • the instructions may be implemented according to a predefined computer language, manner or syntax, for instructing a machine, computing device or system to perform a certain function.
  • the instructions may be implemented using any suitable high-level, low-level, object-oriented, visual, compiled and/or interpreted programming language.
  • Coupled and “connected” along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, descriptions using the terms “connected” and/or “coupled” may indicate that two or more elements are in direct physical or electrical contact with each other. The term “coupled” or “coupled with” , however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.
  • An example apparatus may include circuitry at a processor for a computing system.
  • the processor may be arranged to support a first VM arranged to execute a first VNF.
  • the apparatus may also include initiation logic for execution by the circuitry to initiate a key exchange between the first VNF and a second VNF executed by a second VM.
  • the apparatus may also include receive logic for execution by the circuitry to receive from the second VNF an encrypted fingerprint, the encrypted fingerprint encrypted via use of a root key.
  • a plaintext of the fingerprint may include an identification of the second VNF, a randomly generated number, and a MAC value.
  • the apparatus may also include provide logic for execution by the circuitry to provide the encrypted fingerprint to an HSM coupled with the processor, the HSM to decrypt the encrypted fingerprint via use of the root key, generate a session key, encrypt the session key via use of the decrypted fingerprint and the root key, and provide the encrypted session key to the first VNF.
  • the apparatus may also include send logic for execution by the circuitry to send the encrypted session key to the second VNF for the second VNF to cause the encrypted session key to be decrypted via use of the plaintext of the fingerprint and the root key.
  • the session key may be for use to encrypt data sent to the first VNF from the second VNF over a network connection.
  • Example 2 The apparatus of example 1, the encrypted fingerprint received from the second VNF may also include a first plaintext identification of the second VNF.
  • the HSM may verify authenticity of the second VNF based on a comparison of the first plaintext identification of the second VNF with a second plaintext identification of the second VNF included in the decrypted fingerprint.
  • the MAC value included in the plaintext of the fingerprint may be based on a MAC algorithm that includes use of the root key in combination with the identification of the second VNF and the randomly generated number as inputs to generate the MAC value.
  • the HSM may verify authenticity of the decrypted fingerprint based on a comparison of the MAC value with a regenerated MAC value.
  • the regenerated MAC value may be based on use of the root key in combination with a decrypted identification of the second VNF and a decrypted randomly generated number as inputs to the MAC algorithm to generate the regenerated MAC value.
  • Example 4 The apparatus of example 1, the initiate logic to initiate the key exchange between the first VNF and the second VNF may include the initiate logic to cause a first message to be sent to the second VNF over the network connection.
  • the message may indicate that a secure connection with the second VNF over the network connection is requested by the first VNF.
  • Example 5 The apparatus of example 4 may also include the receive logic to receive the encrypted fingerprint with a second message from the second VNF over the network connection.
  • the first message may be a client hello message and the second message may be a server hello message.
  • Example 6 The apparatus of example 1, the first VNF or the second VNF may be arranged for a type of function that includes a firewall service function, a virtual router function, a network address translation function, a session border controller function, a video-optimizer function or a content distribution network function.
  • Example 7 The apparatus of example 6, the identification of the second VNF may be associated with the type of function.
  • the provide logic to provide the encrypted fingerprint to the HSM may include the provide logic to cause the encrypted fingerprint to be stored in a portion of system memory at a first GPA.
  • the system memory may be for a computing platform hosting the processor arranged to support the first VM, the portion of memory allocated to the first VM.
  • the provide logic may also send the first GPA to a virtual function at the HSM.
  • the virtual function may be directly assigned to the first VNF and capable of accessing the portion of memory allocated to the first VM based on the direct assignment.
  • the virtual function may send a request message to the processor that includes the first GPA to obtain the encrypted fingerprint.
  • the decrypted fingerprint may be maintained in on-chip memory at the HSM.
  • Example 9 The apparatus of example 8 may also include the provide logic to cause the encrypted session key to be stored at a second GPA in the portion of memory allocated to the first VM.
  • the receive logic may receive encrypted data from the second VNF over the network connection.
  • the encrypted data may be encrypted via use of the session key.
  • the provide logic may cause the encrypted data to be stored at a third GPA in the portion of memory allocated to the first VM and send the second GPA to the directly assigned virtual function to provide the encrypted session key to the HSM.
  • the HSM may decrypt the encrypted session key via use of the decrypted fingerprint and the root key.
  • the provide logic may send the third GPA to the directly assigned virtual function to provide the encrypted data received from the second VNF to the HSM.
  • the HSM may decrypt the encrypted data via use of the session key.
  • Example 10 The apparatus of example 1 may also include the first VNF executed by the first VM being hosted by a first computing platform coupled with a second computing platform through the network connection.
  • the second VNF executed by the second VM may be hosted by the second computing platform.
  • Example 11 The apparatus of example 1 may also include the first VNF executed by the first VM being hosted by a computing platform and the second VNF executed by the second VM also being hosted by the computing platform.
  • the first and second VMs may be coupled through the network connection.
  • Example 12 The apparatus of example 1 may also include the HSM as ASIC or FPGA configured as a cryptographic accelerator for the processor.
  • An example method may include initiating, at a first VNF executed by a first VM, a key exchange with a second VNF executed by a second VM.
  • the method may also include receiving from the second VNF an encrypted fingerprint.
  • the encrypted fingerprint may be encrypted using a root key.
  • a plaintext of the fingerprint may include an identification of the second VNF, a randomly generated number, and a MAC value.
  • the method may also include providing the encrypted fingerprint to an HSM coupled with a processor supporting the first VM.
  • the HSM may decrypt the encrypted fingerprint using the root key, generate a session key, encrypt the session key using the decrypted fingerprint and the root key, and provide the encrypted session key to the first VNF.
  • the method may also include sending the encrypted session key to the second VNF for the second VNF to cause the encrypted session key to be decrypted using the plaintext of the fingerprint and the root key.
  • the session key may be for use in encrypting data sent to the first VNF from the second VNF over a network connection.
  • Example 14 The method of example 13, the encrypted fingerprint to received from the second VNF may also include a first plaintext identification of the second VNF.
  • the HSM may verify authenticity of the second VNF based on comparing the first plaintext identification of the second VNF with a second plaintext identification of the second VNF included in the decrypted fingerprint.
  • the MAC value included in the plaintext of the fingerprint may be based on a MAC algorithm that includes use of the root key in combination with the identification of the second VNF and the randomly generated number as inputs to generate the MAC value.
  • the HSM may verify authenticity of the decrypted fingerprint based on comparing the MAC value with a regenerated MAC value.
  • the regenerated MAC value may be based on using the root key in combination with a decrypted identification of the second VNF and a decrypted randomly generated number as inputs to the MAC algorithm to generate the regenerated MAC value.
  • Example 16 The method of example 13, initiating the key exchange with the second VNF may include sending a first message to the second VNF over the network connection.
  • the message may indicate that a secure connection with the second VNF over the network connection is requested by the first VNF.
  • Example 17 The method of example 16 may also include receiving the encrypted fingerprint with a second message from the second VNF over the network connection.
  • the first message may be a client hello message and the second message may be a server hello message.
  • Example 18 The method of example 13 may also include the first VNF or the second VNF arranged for a type of function including a firewall service function, a virtual router function, a network address translation function, a session border controller function, a video-optimizer function or a content distribution network function.
  • Example 19 The method of example 18, the identification of the second VNF may be associated with the type of function.
  • Example 20 The method of example 13, providing the encrypted fingerprint to the HSM may include causing the encrypted fingerprint to be stored in a portion of system memory at a first GPA.
  • the system memory may be for a computing platform hosting the processor supporting the first VM.
  • the portion of memory may be allocated to the first VM.
  • Providing the encrypted fingerprint to the HSM may also include sending the first GPA to a virtual function at the HSM.
  • the virtual function may be directly assigned to the first VNF and capable of accessing the portion of memory allocated to the first VM based on the direct assignment.
  • the virtual function may send a request message to the processor that includes the first GPA to obtain the encrypted fingerprint. For these examples, following decryption of the fingerprint, the decrypted fingerprint is to be maintained in on-chip memory at the HSM.
  • Example 21 The method of example 20 may also include causing the encrypted session key to be stored at a second GPA in the portion of memory allocated to the first VM.
  • the method may also include receiving encrypted data from the second VNF over the network connection, the encrypted data encrypted via use of the session key.
  • the method may also include causing the encrypted data to be stored at a third GPA in the portion of memory allocated to the first VM.
  • the method may also include sending the second GPA to the directly assigned virtual function to provide the encrypted session key to the HSM.
  • the HSM may decrypt the encrypted session key using the decrypted fingerprint and the root key.
  • the method may also include sending the third GPA to the directly assigned virtual function to provide the encrypted data received from the second VNF to the HSM.
  • the HSM may decrypt the encrypted data using the session key.
  • Example 22 The method of example 13 may also include the first VNF executed by the first VM being hosted by a first computing platform coupled with a second computing platform through the network connection.
  • the second VNF executed by the second VM may be hosted by the second computing platform.
  • Example 23 The method of example 13, the first VNF executed by the first VM being hosted by a computing platform and the second VNF executed by the second VM may also be hosted by the computing platform.
  • the first and second VMs are coupled through the network connection.
  • Example 24 The method of example 13, the HSM may be an ASIC or FPGA configured as a cryptographic accelerator for the processor.
  • Example 25 An example at least one machine readable medium may include a plurality of instructions that in response to being executed by a system may cause the system to carry out a method according to any one of examples 13 to 24.
  • Example 26 An example apparatus may include means for performing the methods of any one of examples 13 to 24.
  • An example at least one machine readable medium may include a plurality of instructions that in response to being executed by a system cause the system to initiate, at a first VNF executed by a first VM, a key exchange with a second VNF executed by a second VM.
  • the instructions may also cause the system to receive from the second VNF an encrypted fingerprint.
  • the encrypted fingerprint may be encrypted using a root key.
  • a plaintext of the fingerprint may include an identification of the second VNF, a randomly generated number, and a MAC value.
  • the instructions may also cause the system to provide the encrypted fingerprint to an HSM coupled with a processor arranged to support the first VM.
  • the HSM may decrypt the encrypted fingerprint via use of the root key, generate a session key, encrypt the session key via use of the decrypted fingerprint and the root key, and provide the encrypted session key to the first VNF.
  • the instructions may also cause the system to send the encrypted session key to the second VNF for the second VNF to cause the encrypted session key to be decrypted via use of the plaintext of the fingerprint and the root key.
  • the session key may be for use to encrypt data sent to the first VNF from the second VNF over a network connection.
  • Example 28 The at least one machine readable medium of example 27, the encrypted fingerprint received from the second VNF may also include a first plaintext identification of the second VNF.
  • the HSM may verify authenticity of the second VNF based on a comparison of the first plaintext identification of the second VNF with a second plaintext identification of the second VNF included in the decrypted fingerprint.
  • Example 30 The at least one machine readable medium of example 27, the MAC value included in the plaintext of the fingerprint may be based on a MAC algorithm that includes use of the root key in combination with the identification of the second VNF and the randomly generated number as inputs to generate the MAC value.
  • the HSM may verify authenticity of the decrypted fingerprint based on a comparison of the MAC value with a regenerated MAC value.
  • the regenerated MAC value may be based on use of the root key in combination with a decrypted identification of the second VNF and a decrypted randomly generated number as inputs to the MAC algorithm to generate the regenerated MAC value.
  • Example 30 The at least one machine readable medium of example 27, the instructions to cause the system to initiate the key exchange between the first VNF and the second VNF may include the system to send a first message to the second VNF over the network connection.
  • the message may indicate that a secure connection with the second VNF over the network connection is requested by the first VNF.
  • Example 31 The at least one machine readable medium of example 30, the instruction to further cause the system to receive the encrypted fingerprint with a second message from the second VNF over the network connection.
  • the first message may be a client hello message and the second message may be a server hello message.
  • Example 32 The at least one machine readable medium of example 27, the first VNF or the second VNF may be arranged for a type of function that includes a firewall service function, a virtual router function, a network address translation function, a session border controller function, a video-optimizer function or a content distribution network function.
  • Example 33 The at least one machine readable medium of example 32, the identification of the second VNF may be associated with the type of function.
  • Example 34 The at least one machine readable medium of example 27, the instructions to cause the system to provide the encrypted fingerprint to the HSM may include the system to store the encrypted fingerprint in a portion of system memory at a first GPA.
  • the system memory may be for a computing platform hosting the processor arranged to support the first VM.
  • the portion of memory may be allocated to the first VM.
  • the instructions may also cause the system to send the first GPA to a virtual function at the HSM.
  • the virtual function may be directly assigned to the first VNF and capable of accessing the portion of memory allocated to the first VM based on the direct assignment.
  • the virtual function may send a request message to the processor that includes the first GPA to obtain the encrypted fingerprint.
  • the decrypted fingerprint may be maintained in on-chip memory at the HSM.
  • Example 35 The at least one machine readable medium of example 34, the instructions may also cause the system to store the encrypted session key at a second GPA in the portion of memory allocated to the first VM.
  • the instructions may also cause the system to receive encrypted data from the second VNF over the network connection, the encrypted data encrypted via use of the session key.
  • the instructions may also cause the system to store the encrypted data at a third GPA in the portion of memory allocated to the first VM and send the second GPA to the directly assigned virtual function to provide the encrypted session key to the HSM.
  • the HSM may decrypt the encrypted session key via use of the decrypted fingerprint and the root key.
  • the instructions may also cause the system to send the third GPA to the directly assigned virtual function to provide the encrypted data received from the second VNF to the HSM, the HSM to decrypt the encrypted data via use of the session key.
  • Example 36 The at least one machine readable medium of example 27, the first VNF executed by the first VM being hosted by a first computing platform coupled with a second computing platform through the network connection.
  • the second VNF executed by the second VM may be hosted by the second computing platform.
  • Example 37 The at least one machine readable medium of example 27, the first VNF executed by the first VM being hosted by a computing platform and the second VNF executed by the second VM may also be hosted by the computing platform.
  • the first and second VMs may be coupled through the network connection.
  • Example 38 The at least one machine readable medium of example 27, the HSM may be an ASIC or FPGA configured as a cryptographic accelerator for the processor.
  • An example apparatus may include circuitry at an HSM coupled with a processor.
  • the apparatus may also include fingerprint logic for execution by the circuitry to generate a fingerprint for a first VNF executed by a first VM supported by the processor.
  • the fingerprint may include an identification of the second VNF, a randomly generated number and a MAC value.
  • the apparatus may also include request logic for execution by the circuitry to receive a request to encrypt the fingerprint and to provide the encrypted fingerprint to the first VNF.
  • the apparatus may also include encrypt logic for execution by the circuitry to encrypt the fingerprint via use a root key and provide the encrypted fingerprint to the first VNF.
  • the apparatus may also include receive logic for execution by the circuitry to receive an indication from the first VNF that an encrypted session key has been received by the first VNF as part of a key exchange with a second VNF executed by a second VM.
  • receive logic for execution by the circuitry to obtain an encrypted session key and decrypt the encrypted session key via use of the fingerprint and the root key, the session key for use to encrypt data sent to the second VNF from the first VNF over a network connection.
  • Example 40 The apparatus of example 39, the MAC value included in the fingerprint may be based on a MAC algorithm that includes use of the root key in combination with the identification of the first VNF and the randomly generated number as inputs to generate the MAC value.
  • Example 41 The apparatus of example 39, the first VNF or the second VNF may be arranged for a type of function that includes a firewall service function, a virtual router function, a network address translation function, a session border controller function, a video-optimizer function or a content distribution network function.
  • Example 42 The apparatus of example 41, the identification of the first VNF may be associated with the type of function.
  • Example 43 The apparatus of example 39, the session key for use to encrypt data may include the encrypt logic to use the session key with a symmetric cryptographic algorithm to encrypt data sent to the second VNF.
  • Example 44 The apparatus of example 39, the fingerprint logic may maintain a plaintext fingerprint for the first VNF in on-chip memory at the HSM.
  • the encrypt logic to provide the encrypted fingerprint to the first VNF may include the encrypt logic to cause a virtual function at the HSM to store the encrypted fingerprint in a portion of system memory at a first GPA.
  • the system memory may be for a computing platform hosting the processor that supports the first VM.
  • the portion of memory may be allocated to the first VM.
  • the virtual function may be directly assigned to the first VNF and capable of accessing the portion of memory allocated to the first VM based on the direct assignment.
  • the virtual function may send a request message to the processor that includes the encrypted fingerprint and the first GPA to cause the encrypted fingerprint to be stored in the portion of system memory.
  • the encrypt logic may also indicate the first GPA to the first VNF in order to provide the encrypted fingerprint to the first VNF.
  • Example 46 The apparatus of example 45 may also include the request logic to receive an indication that data stored at a second GPA in the portion of memory allocated to the first VM is to be encrypted via use of the session key.
  • the receive logic may receive an indication from the first VNF that the encrypted session key has been stored at a third GPA in the portion of memory allocated to the first VM.
  • the decrypt logic may obtain the encrypted session key from the third GPA and decrypt the encrypted session key via use of the fingerprint and the root key.
  • the encrypt logic may obtain the data stored at the second GPA and encrypt the data via use of the session key and cause the encrypted data to be stored at a fourth GPA in the portion of memory allocated to the first VM.
  • the encrypt logic may indicate the fourth GPA to the first VNF for the first VNF to access the encrypted data.
  • Example 47 The apparatus of example 39, the first VNF executed by the first VM may be hosted by a first computing platform coupled with a second computing platform through the network connection.
  • the second VNF may be executed by the second VM hosted by the second computing platform.
  • Example 48 The apparatus of example 39, the first VNF executed by the first VM may be hosted by a computing platform and the second VNF executed by the second VM may also be hosted by the computing platform.
  • the first and second VMs may be coupled through the network connection.
  • Example 49 The apparatus of example 39, the HSM may be an ASIC or FPGA configured as a cryptographic accelerator for the processor.
  • An example method may include generating, at an HSM coupled with a processor, a fingerprint for a first VNF executed by a first VM supported by the processor.
  • the fingerprint may include an identification of the second VNF, a randomly generated number and a MAC value.
  • the method may also include receiving a request to encrypt the fingerprint and to provide the encrypted fingerprint to the first VNF.
  • the method may also include encrypting the fingerprint using a root key and providing the encrypted fingerprint to the first VNF.
  • the method may also include receiving an indication from the first VNF that an encrypted session key has been received by the first VNF as part of a key exchange with a second VNF executed by a second VM.
  • the method may also include obtaining the encrypted session key and decrypting the encrypted session key using the fingerprint and the root key.
  • the session key for using in encrypting data may be sent to the second VNF from the first VNF over a network connection.
  • Example 51 The method of example 50, the MAC value included in the fingerprint may be based on a MAC algorithm that includes use of the root key in combination with the identification of the first VNF and the randomly generated number as inputs to generate the MAC value.
  • Example 52 The method of example 50, comprising the first VNF or the second VNF arranged for a type of function including a firewall service function, a virtual router function, a network address translation function, a session border controller function, a video-optimizer function or a content distribution network function.
  • Example 53 The method of example 51, the identification of the first VNF may be associated with the type of function.
  • Example 54 The method of example 50, using the session key in encrypting data may include using the session key with a symmetric cryptographic algorithm for encrypting data sent to the second VNF.
  • Example 55 The method of example 50 may include maintaining a plaintext fingerprint for the first VNF in on-chip memory at the HSM.
  • Example 56 The method of example 50, providing the encrypted fingerprint to the first VNF may include causing a virtual function at the HSM to store the encrypted fingerprint in a portion of system memory at a first GPA.
  • the system memory may be for a computing platform hosting the processor supporting the first VM.
  • the portion of memory may be allocated to the first VM.
  • the virtual function may be directly assigned to the first VNF and may be capable of accessing the portion of memory allocated to the first VM based on the direct assignment.
  • the virtual function may send a request message to the processor that includes the encrypted fingerprint and the first GPA to cause the encrypted fingerprint to be stored in the portion of system memory.
  • Providing the encrypted fingerprint to the first VNF may also include indicating the first GPA to the first VNF in order to provide the encrypted fingerprint to the first VNF.
  • Example 57 The method of example 56 may also include receiving an indication that data stored at a second GPA in the portion of memory allocated to the first VM is to be encrypted using the session key.
  • the method may also include receiving an indication from the first VNF that the encrypted session key has been stored at a third GPA in the portion of memory allocated to the first VM.
  • the method may also include obtaining the encrypted session key from the third GPA and decrypting the encrypted session key using the fingerprint and the root key.
  • the method may also include obtaining the data stored at the second GPA and encrypting the data using the session key.
  • the method may also include causing the encrypted data to be stored at a fourth GPA in the portion of memory allocated to the first VM.
  • the method may also include indicating the fourth GPA to the first VNF for the first VNF to access the encrypted data.
  • Example 58 The method of example 50, the first VNF may be executed by the first VM hosted by a first computing platform coupled with a second computing platform through the network connection.
  • the second VNF may be executed by the second VM hosted by the second computing platform.
  • Example 59 The method of example 50, the first VNF executed by the first VM may be hosted by a computing platform.
  • the second VNF executed by the second VM may also be hosted by the computing platform.
  • the first and second VMs may be coupled through the network connection.
  • Example 60 The method of example 50, the HSM may be an ASIC or FPGA configured as a cryptographic accelerator for the processor.
  • Example 61 An example at least one machine readable medium may include a plurality of instructions that in response to being executed by a system may cause the system to carry out a method according to any one of examples 50 to 60.
  • Example 62 An apparatus may include means for performing the methods of any one of examples 50 to 60.
  • Example 63 At least one machine readable medium comprising a plurality of instructions that in response to being executed by a system at an HSM coupled with a processor may cause the system to generate a fingerprint for a first VNF executed by a first VM supported by the processor coupled with the HSM.
  • the fingerprint may include an identification of the second VNF, a randomly generated number and a MAC value.
  • the instructions may also cause the system to encrypt the fingerprint and to provide the encrypted fingerprint to the first VNF.
  • the instructions may also cause the system to receive a request to encrypt the fingerprint via use of a root key and provide the encrypted fingerprint to the first VNF.
  • the instructions may also cause the system to receive an indication from the first VNF that an encrypted session key has been received by the first VNF as part of a key exchange with a second VNF executed by a second VM.
  • the instructions may also cause the system to obtain the encrypted session key and decrypt the encrypted session key via use of the fingerprint and the root key.
  • the session key may be for use to encrypt data sent to the second VNF from the first VNF over a network connection.
  • Example 64 The at least one machine readable medium of example 63, the MAC value included in the fingerprint may be based on a MAC algorithm that includes use of the root key in combination with the identification of the first VNF and the randomly generated number as inputs to generate the MAC value.
  • Example 65 The at least one machine readable medium of example 63, the first VNF or the second VNF may be arranged for a type of function that includes a firewall service function, a virtual router function, a network address translation function, a session border controller function, a video-optimizer function or a content distribution network function.
  • Example 66 The at least one machine readable medium of example 56, the identification of the first VNF may be associated with the type of function.
  • Example 67 The at least one machine readable medium of example 63, the session key may be for use to encrypt data comprises the instruction to cause the system to use the session key with a symmetric cryptographic algorithm to encrypt data sent to the second VNF.
  • Example 68 The apparatus of example 63, the instructions may further cause the system to maintain a plaintext fingerprint for the first VNF in on-chip memory at the HSM.
  • Example 69 The at least one machine readable medium of example 63, the instructions to cause the system to provide the encrypted fingerprint to the first VNF may include the system to cause a virtual function at the HSM to store the encrypted fingerprint in a portion of system memory at a first GPA, the system memory for a computing platform hosting the processor that supports the first VM.
  • the portion of memory may be allocated to the first VM.
  • the virtual function may be directly assigned to the first VNF and capable of accessing the portion of memory allocated to the first VM based on the direct assignment.
  • the virtual function may send a request message to the processor that includes the encrypted fingerprint and the first GPA to cause the encrypted fingerprint to be stored in the portion of system memory.
  • the instructions may also cause the system to indicate the first GPA to the first VNF in order to provide the encrypted fingerprint to the first VNF.
  • Example 70 The at least one machine readable medium of example 69, the instructions may further cause the system to receive an indication that data stored at a second GPA in the portion of memory allocated to the first VM is to be encrypted via use of the session key.
  • the instructions may also cause the system to receive an indication from the first VNF that the encrypted session key has been stored at a third GPA in the portion of memory allocated to the first VM.
  • the instructions may also cause the system to obtain the encrypted session key from the third GPA and decrypt the encrypted session key via use of the fingerprint and the root key;
  • the instructions may also cause the system to indicate the fourth GPA to the first VNF for the first VNF to access the encrypted data.
  • Example 71 The at least one machine readable medium of example 63, the first VNF executed by the first VM may be hosted by a first computing platform coupled with a second computing platform through the network connection.
  • the second VNF executed by the second VM may be hosted by the second computing platform.
  • Example 72 The at least one machine readable medium of example 63, the first VNF executed by the first VM may be hosted by a computing platform and the second VNF executed by the second VM may also be hosted by the computing platform.
  • the first and second VMs may be coupled through the network connection.
  • Example 73 The at least one machine readable medium of example 63, the HSM may be an ASIC or FPGA configured as a cryptographic accelerator for the processor.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Un appareil (800) conçu pour un échange de clé permet d'établir une connexion sécurisée dans un environnement de virtualisation de fonction de réseau. L'appareil (800) échange une clé de session chiffrée (410) entre des fonctions de réseau virtuel (VNF-A, VNF-B, VNF-C) exécutées par des machines virtuelles respectives (160-1 à 160-N) pour établir la connexion sécurisée sur une connexion réseau, et utilise un module de sécurité matériel (150) couplé à un processeur (110) qui prend en charge au moins l'une des machines virtuelles respectives (160-1 à 160-N). Le module de sécurité matériel (150) facilite le chiffrement et le déchiffrement de la clé de session chiffrée échangée (410) au moyen de l'utilisation d'une empreinte de fonction de réseau virtuel (210, 220) pour au moins l'une des fonctions de réseau virtuel (VNF-A, VNF-B, VNF-C).
EP16925910.8A 2016-12-30 2016-12-30 Techniques d'échange de clé pour établir une connexion sécurisée dans un environnement de virtualisation de fonction de réseau Withdrawn EP3563513A1 (fr)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/113494 WO2018120017A1 (fr) 2016-12-30 2016-12-30 Techniques d'échange de clé pour établir une connexion sécurisée dans un environnement de virtualisation de fonction de réseau

Publications (1)

Publication Number Publication Date
EP3563513A1 true EP3563513A1 (fr) 2019-11-06

Family

ID=62706545

Family Applications (1)

Application Number Title Priority Date Filing Date
EP16925910.8A Withdrawn EP3563513A1 (fr) 2016-12-30 2016-12-30 Techniques d'échange de clé pour établir une connexion sécurisée dans un environnement de virtualisation de fonction de réseau

Country Status (3)

Country Link
EP (1) EP3563513A1 (fr)
CN (1) CN110089070B (fr)
WO (1) WO2018120017A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9560078B2 (en) * 2015-02-04 2017-01-31 Intel Corporation Technologies for scalable security architecture of virtualized networks
US11405336B2 (en) * 2019-11-22 2022-08-02 Baidu Usa Llc Method for key sharing between accelerators in virtual channel with switch
CN111753318B (zh) * 2020-06-04 2024-04-26 上海蚂蚁创将信息技术有限公司 私有数据的多方安全计算方法、装置及系统
CN111966468B (zh) * 2020-08-28 2021-10-26 海光信息技术股份有限公司 用于直通设备的方法、系统、安全处理器和存储介质

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6061790A (en) * 1996-11-20 2000-05-09 Starfish Software, Inc. Network computer system with remote user data encipher methodology
CN101789861A (zh) * 2009-01-22 2010-07-28 深圳市文鼎创数据科技有限公司 信息安全传输方法
CN102045210B (zh) * 2009-10-10 2014-05-28 中兴通讯股份有限公司 一种支持合法监听的端到端会话密钥协商方法和系统
US8566952B1 (en) * 2009-12-24 2013-10-22 Intuit Inc. System and method for encrypting data and providing controlled access to encrypted data with limited additional access
US8694781B1 (en) * 2012-03-30 2014-04-08 Emc Corporation Techniques for providing hardware security module operability
US9940446B2 (en) * 2013-07-25 2018-04-10 Siemens Healthcare Diagnostics Inc. Anti-piracy protection for software
FR3011654B1 (fr) * 2013-10-08 2016-12-23 Commissariat Energie Atomique Procede et dispositif d'authentification et d'execution securisee de programmes
US20160149877A1 (en) * 2014-06-05 2016-05-26 Cavium, Inc. Systems and methods for cloud-based web service security management basedon hardware security module
CN104185176B (zh) * 2014-08-28 2017-10-20 中国联合网络通信集团有限公司 一种物联网虚拟用户识别模块卡远程初始化方法及系统
US9338147B1 (en) * 2015-04-24 2016-05-10 Extrahop Networks, Inc. Secure communication secret sharing
EP3094058B1 (fr) * 2015-05-13 2018-03-21 ADVA Optical Networking SE Participation d'un dispositif de réseau intermédiaire entre une passerelle de sécurité de communication et une station de base

Also Published As

Publication number Publication date
CN110089070A (zh) 2019-08-02
WO2018120017A1 (fr) 2018-07-05
CN110089070B (zh) 2022-08-02

Similar Documents

Publication Publication Date Title
US11347857B2 (en) Key and certificate distribution method, identity information processing method, device, and medium
JP7416775B2 (ja) 周辺デバイス
US11088846B2 (en) Key rotating trees with split counters for efficient hardware replay protection
CN107851163B (zh) 用于i/o数据的完整性、防重放和真实性保证的技术
CN109936626B (zh) 区块链中实现隐私保护的方法、节点和存储介质
EP3326103B1 (fr) Technologies d'e/s de confiance pour environnements multiples d'exécution de confiance coexistant sous contrôle d'isa
US10404674B1 (en) Efficient memory management in multi-tenant virtualized environment
US8856504B2 (en) Secure virtual machine bootstrap in untrusted cloud infrastructures
CN110020549B (zh) 区块链中实现隐私保护的方法、节点和存储介质
US20170026171A1 (en) Cryptographic protection of i/o data for dma capable i/o controllers
US11841985B2 (en) Method and system for implementing security operations in an input/output device
WO2018120017A1 (fr) Techniques d'échange de clé pour établir une connexion sécurisée dans un environnement de virtualisation de fonction de réseau
US20160026799A1 (en) Security device having indirect access to external non-volatile memory
US10691619B1 (en) Combined integrity protection, encryption and authentication
US20200127850A1 (en) Certifying a trusted platform module without privacy certification authority infrastructure
WO2022132184A1 (fr) Système, procédé et appareil pour chiffrement de stockage total
TW201933169A (zh) 在一加密系統中管理密碼密鑰之一集合
US11126567B1 (en) Combined integrity protection, encryption and authentication
US10310990B2 (en) Direct memory access encryption with application provided keys
CN110033265B (zh) 区块链中实现隐私保护的方法、节点和存储介质
US20210328779A1 (en) Method and apparatus for fast symmetric authentication and session key establishment
TW202107285A (zh) 安全記憶體方案
US20190044710A1 (en) Technologies for establishing device locality
WO2019183980A1 (fr) Technologies permettant de sécuriser des images de virtualisation de fonction de réseau
US11997192B2 (en) Technologies for establishing device locality

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20190529

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20191112