IN2014DN09465A - - Google Patents

Info

Publication number
IN2014DN09465A
IN2014DN09465A IN9465DEN2014A IN2014DN09465A IN 2014DN09465 A IN2014DN09465 A IN 2014DN09465A IN 9465DEN2014 A IN9465DEN2014 A IN 9465DEN2014A IN 2014DN09465 A IN2014DN09465 A IN 2014DN09465A
Authority
IN
India
Prior art keywords
key
computing resource
security
computing
provisioner
Prior art date
Application number
Inventor
Fredric Morenius
András Méhes
Christian Gehrmann
Original Assignee
Ericsson Telefon Ab L M
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ericsson Telefon Ab L M filed Critical Ericsson Telefon Ab L M
Publication of IN2014DN09465A publication Critical patent/IN2014DN09465A/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

In a method of provisioning a virtual machine (VM) to a computing network (401), a VM manager or provisioner (403, 408) encrypts a virtual machine using a key bound to at least one security profile indicative of one or more security requirements that a computing resource (402) of the computing network (401) must satisfy in order to be able to decrypt the VM. A key for use in decrypting the VM has previously been sealed into multiple (and preferably into all) computing resources (402) in the network into which the VM is to be provisioned, and has been sealed such that a computing resource can obtain the key only if it is in a state that satisfies the security profile, or at least one security, profile to which the key is bound The VM manager or provisioner (403, 408) creates a VM launch package that includes the encrypted VM and that also includes a key that may be used in decrypting the encrypted VM. When the VM launch package is received at a computing resource (402), the computing resource will not be able to recover the key for use in decrypting the VM- and hence will be unable to decrypt the VM- unless the computing resource satisfies the security requirements indicated by the security profile. The VM manager or provisioner can thus be sure that the VM will not be launched on a computing resource that does not meet the desired security profile. Alternatively the VM manager or provisioner (403 , 408) may send a token corresponding to a desired security profile with an encrypted VM. A computing resource uses the token to obtain a key to decrypt the VM but the computing resource will not be able to recover the key unless the computing resource satisfies the security requirements indicated by the token.
IN9465DEN2014 2012-05-24 2012-05-24 IN2014DN09465A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2012/059768 WO2013174437A1 (en) 2012-05-24 2012-05-24 Enhanced secure virtual machine provisioning

Publications (1)

Publication Number Publication Date
IN2014DN09465A true IN2014DN09465A (en) 2015-07-17

Family

ID=46168479

Family Applications (1)

Application Number Title Priority Date Filing Date
IN9465DEN2014 IN2014DN09465A (en) 2012-05-24 2012-05-24

Country Status (4)

Country Link
US (1) US20150134965A1 (en)
EP (1) EP2856386A1 (en)
IN (1) IN2014DN09465A (en)
WO (1) WO2013174437A1 (en)

Families Citing this family (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013093209A1 (en) * 2011-12-21 2013-06-27 Ssh Communications Security Oyj Automated access, key, certificate, and credential management
US8924720B2 (en) * 2012-09-27 2014-12-30 Intel Corporation Method and system to securely migrate and provision virtual machine images and content
US9519498B2 (en) 2013-12-24 2016-12-13 Microsoft Technology Licensing, Llc Virtual machine assurances
US9792427B2 (en) * 2014-02-07 2017-10-17 Microsoft Technology Licensing, Llc Trusted execution within a distributed computing system
EP3108365A1 (en) * 2014-02-20 2016-12-28 Telefonaktiebolaget LM Ericsson (publ) Methods, apparatuses, and computer program products for deploying and managing software containers
US9753768B2 (en) * 2014-03-08 2017-09-05 Vmware, Inc. Instant xvmotion using a private storage virtual appliance
US9652631B2 (en) 2014-05-05 2017-05-16 Microsoft Technology Licensing, Llc Secure transport of encrypted virtual machines with continuous owner access
US9652276B2 (en) * 2014-09-17 2017-05-16 International Business Machines Corporation Hypervisor and virtual machine protection
US9584317B2 (en) 2014-10-13 2017-02-28 Microsoft Technology Licensing, Llc Identifying security boundaries on computing devices
US10229272B2 (en) 2014-10-13 2019-03-12 Microsoft Technology Licensing, Llc Identifying security boundaries on computing devices
US9519787B2 (en) 2014-11-14 2016-12-13 Microsoft Technology Licensing, Llc Secure creation of encrypted virtual machines from encrypted templates
US10129220B2 (en) 2015-06-13 2018-11-13 Avocado Systems Inc. Application and data protection tag
US9952790B2 (en) * 2015-06-13 2018-04-24 Avocado Systems Inc. Application security policy actions based on security profile exchange
US10397277B2 (en) 2015-06-14 2019-08-27 Avocado Systems Inc. Dynamic data socket descriptor mirroring mechanism and use for security analytics
US10270810B2 (en) 2015-06-14 2019-04-23 Avocado Systems Inc. Data socket descriptor based policies for application and data behavior and security
US10193889B2 (en) 2015-06-14 2019-01-29 Avocado Systems Inc. Data socket descriptor attributes for application discovery in data centers
US10148697B2 (en) 2015-06-16 2018-12-04 Avocado Systems Inc. Unified host based security exchange between heterogeneous end point security agents
US10193930B2 (en) 2015-06-29 2019-01-29 Avocado Systems Inc. Application security capability exchange via the application and data protection layer
EP3317875B1 (en) 2015-07-03 2022-10-26 Telefonaktiebolaget LM Ericsson (publ) Keyless signature infrastructure based virtual machine integrity
US10356068B2 (en) 2015-07-14 2019-07-16 Avocado Systems Inc. Security key generator module for security sensitive applications
US10354070B2 (en) 2015-08-22 2019-07-16 Avocado Systems Inc. Thread level access control to socket descriptors and end-to-end thread level policies for thread protection
US10042749B2 (en) 2015-11-10 2018-08-07 International Business Machines Corporation Prefetch insensitive transactional memory
JP6734760B2 (en) 2015-11-10 2020-08-05 インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation Prefetch insensitive transaction memory
US10339339B2 (en) * 2016-02-10 2019-07-02 Mobileron, Inc. Securely storing and distributing sensitive data in a cloud-based application
CN107133520B (en) * 2016-02-26 2021-05-14 华为技术有限公司 Trust measurement method and device for cloud computing platform
US10684839B2 (en) 2016-06-15 2020-06-16 Red Hat Israel, Ltd. Plugin for software deployment
US10177910B2 (en) * 2016-08-31 2019-01-08 Microsoft Technology Licensing, Llc Preserving protected secrets across a secure boot update
US10467880B2 (en) 2016-09-16 2019-11-05 Nypro Inc. Apparatus, system and method for a portable personal air quality monitor
WO2019147311A1 (en) * 2018-01-24 2019-08-01 Intel Corporation Security profiles for ocf devices and trusted platforms
US11270193B2 (en) 2016-09-30 2022-03-08 International Business Machines Corporation Scalable stream synaptic supercomputer for extreme throughput neural networks
US10528746B2 (en) * 2016-12-27 2020-01-07 Intel Corporation System, apparatus and method for trusted channel creation using execute-only code
US10228965B2 (en) * 2017-05-15 2019-03-12 Synopsys, Inc. Architecture, system and method for creating and employing trusted virtual appliances
US10958424B1 (en) * 2017-11-02 2021-03-23 Amazon Technologies, Inc. Mechanism to allow third party to use a shared secret between two parties without revealing the secret
US10686891B2 (en) * 2017-11-14 2020-06-16 International Business Machines Corporation Migration of applications to a computing environment
US11036532B2 (en) * 2017-11-29 2021-06-15 Microsoft Technology Licensing, Llc Fast join and leave virtual network
CN108599936A (en) * 2018-04-20 2018-09-28 西安电子科技大学 A kind of OpenStack increases income the safety certifying method of cloud user
CN108737171B (en) * 2018-05-10 2021-08-27 网宿科技股份有限公司 Method and system for managing cloud service cluster
US11044238B2 (en) 2018-10-19 2021-06-22 International Business Machines Corporation Secure communications among tenant virtual machines in a cloud networking environment
US12079640B1 (en) * 2019-03-12 2024-09-03 Pivotal Software, Inc. Platform verified add-on resources
CN110012076B (en) * 2019-03-12 2022-07-01 新华三技术有限公司 Connection establishing method and device
US11210128B2 (en) * 2019-09-26 2021-12-28 At&T Intellectual Property I, L.P. Device virtualization security layer
EP4094171A1 (en) * 2020-01-22 2022-11-30 Telefonaktiebolaget LM Ericsson (publ) Container with encrypted software packages
US11575513B2 (en) * 2020-04-18 2023-02-07 Cisco Technology, Inc. Applying attestation tokens to multicast routing protocols
US12437118B2 (en) 2020-12-22 2025-10-07 International Business Machines Corporation Provisioning secure/encrypted virtual machines in a cloud infrastructure
JP7805067B2 (en) * 2020-12-22 2026-01-23 インターナショナル・ビジネス・マシーンズ・コーポレーション Method, system, and computer program for generating computations to be executed in a target trusted execution environment (TEE) (Provisioning secure/encrypted virtual machines in cloud infrastructure)
WO2023272419A1 (en) * 2021-06-28 2023-01-05 Microsoft Technology Licensing, Llc Virtual machine provisioning and directory service management

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9606821B2 (en) * 2004-12-17 2017-03-28 Intel Corporation Virtual environment manager for creating and managing virtual machine environments
US8468230B2 (en) * 2007-10-18 2013-06-18 Fujitsu Limited Method, apparatus and recording medium for migrating a virtual machine
US20090133097A1 (en) * 2007-11-15 2009-05-21 Ned Smith Device, system, and method for provisioning trusted platform module policies to a virtual machine monitor
WO2011075484A2 (en) * 2009-12-14 2011-06-23 Citrix Systems, Inc. A secure virtualization environment bootable from an external media device
EP2577539B1 (en) * 2010-06-02 2018-12-19 VMware, Inc. Securing customer virtual machines in a multi-tenant cloud
US8856504B2 (en) * 2010-06-07 2014-10-07 Cisco Technology, Inc. Secure virtual machine bootstrap in untrusted cloud infrastructures

Also Published As

Publication number Publication date
EP2856386A1 (en) 2015-04-08
WO2013174437A1 (en) 2013-11-28
US20150134965A1 (en) 2015-05-14

Similar Documents

Publication Publication Date Title
IN2014DN09465A (en)
AU2018256568A1 (en) Systems and methods for software based encryption
WO2017034642A3 (en) Optimizable full-path encryption in a virtualization environment
WO2016126332A3 (en) Data security operations with expectations
RU2016143088A (en) SAFE TRANSPORT OF ENCRYPTED VIRTUAL MACHINES WITH CONTINUOUS OWNER ACCESS
GB2496354B (en) A method and system of providing authentication of user access to a computer resource via a mobile device using multiple separate security factors
MX2015014636A (en) File security method and apparatus for same.
GB2512249A (en) Secure peer discovery and authentication using a shared secret
BR112017020675A2 (en) authentication agreement and key with perfect issuance secrecy
SG10201901366WA (en) Key exchange through partially trusted third party
WO2014070134A3 (en) Quorum-based virtual machine security
WO2016057086A3 (en) Common modulus rsa key pairs for signature generation and encryption/decryption
GB2533727A (en) Registry apparatus, agent device, application providing apparatus and corresponding methods
WO2014182727A3 (en) Selectively performing man in the middle decryption
WO2014207581A3 (en) Processing guest event in hypervisor-controlled system
NZ746653A (en) Access control for encrypted data in machine-readable identifiers
HK1212524A1 (en) Data security management system
BR112017002747A2 (en) computer implemented method, and, computer system.
HK1219160A1 (en) Systems and methods for a cryptographic file system layer
BR112015030544A2 (en) electronic authentication systems
BR112017003018A2 (en) secure provision of an authentication credential
WO2014027263A3 (en) Attribute-based encryption
GB2526240A (en) Key management in multi-tenant environments
MX356293B (en) Systems and methods with cryptography and tamper resistance software security.
WO2014047135A3 (en) Method and device for a generalized cryptographic framework