What technology area does this patent fall under?

Primary CPC classification G06F9/45558. Mapped technology areas include Physics.

When was this patent published?

Publication date Tue Sep 15 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Performing context-rich attribute-based encryption on a host

US10778651B2 · US · B2

Patent metadata
Field	Value
Publication number	US-10778651-B2
Application number	US-201815896099-A
Country	US
Kind code	B2
Filing date	Feb 14, 2018
Priority date	Nov 15, 2017
Publication date	Sep 15, 2020
Grant date	Sep 15, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Some embodiments provide a context engine that supplies contextual-attributes to several context-based service engines on its host computer. Different embodiments use different types of context-based service engines. For instance, in some embodiments, the attribute-based service engines include an encryption engine that performs context-based encryption or decryption operations to encrypt data messages from the machines, or to decrypt data messages received for the machines.

First claim

Opening claim text (preview).

What is claimed is: 1. A method of encrypting data messages sent by a first machine executing on a first host computer with a plurality of other machines, the method comprising: at an encryption module executing on the first host computer independently of the first machine, receiving a data message sent by the first machine addressed to a second machine executing on a second host computer; identifying a set of attributes associated with the first machine, the set of attributes including attributes other than layer 2 (L2), layer 3 (L3), and layer 4 (L4) data-message header values; using the identified set of attributes to identify an encryption rule; encrypting the data message based on the encryption rule; and sending, separately from the data message, an out-of-band message to the second host computer, the out-of-band message comprising an identifier for identifying the data message and a key identifier for identifying a key for decrypting the encrypted data message. 2. The method of claim 1 , wherein the identified set of attributes includes an application identifier that identifies a traffic type for a payload data contained within a data message flow of the data message. 3. The method of claim 1 , wherein the identified set of attributes includes an identifier of a user logged on to the first machine. 4. The method of claim 3 , wherein the user identifier is a group identifier. 5. The method of claim 3 , wherein the user identifier is an identifier that identifies a single individual. 6. The method of claim 1 , wherein the identified set of attributes includes a threat level associated with an application that executes on the first machine. 7. The method of claim 6 , wherein the application is an application that sent the data message. 8. The method of claim 6 , wherein the application is not an application that sent the data message. 9. A non-transitory machine readable medium storing a program for encrypting data messages sent by a first machine executing on a first host computer with a plurality of other machines, the program comprising sets of instructions for: receiving a data message sent by the first machine addressed to a second machine executing on a second host computer; identifying a set of attributes associated with the first machine, the set of attributes including attributes other than layer 2 (L2), layer 3 (L3), and layer 4 (L4) data-message header values; using the identified set of attributes to identify an encryption rule; encrypting the data message based on the encryption rule; and sending, separately from the data message, an out-of-band message to the second host computer, the out-of-band message comprising an identifier for identifying the data message and a key identifier for identifying a key for decrypting the encrypted data message. 10. The non-transitory machine readable medium of claim 9 , wherein the set of instructions for identifying the set of attributes comprises a set of instructions for providing an identifier contained within the data message to a context-resolving engine to obtain at least a subset of the attributes that includes non-L2-L4 header values. 11. The non-transitory machine readable medium of claim 10 , wherein the identifier provided to the context-resolving engine comprises source IP (Internet Protocol) address, destination IP address, source port, destination port, and protocol header values of the data message. 12. The non-transitory machine readable medium of claim 10 , wherein the identifier provided to the context-resolving engine comprises a service tag embedded in the header values of the data message. 13. The non-transitory machine readable medium of claim 9 , wherein the first machine is a virtual machine (VM). 14. The non-transitory machine readable medium of claim 9 , wherein the first machine is a container. 15. The non-transitory machine readable medium of claim 9 , wherein the encryption rule comprises the key identifier that is used to identify the key for encrypting the data message. 16. The non-transitory machine readable medium of claim 9 , wherein the identified set of attributes includes an identifier of a user logged on to the first machine. 17. The non-transitory machine readable medium of claim 16 , wherein the user identifier is a group identifier.

Assignees

Nicira Inc

Inventors

Classifications

G06F9/45558Primary
Hypervisor-specific management and integration aspects · CPC title
H04L69/322
Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions · CPC title
H04L9/0836
using tree structure or hierarchical structure · CPC title
H04L9/0643
Hash functions, e.g. MD5, SHA, HMAC or f9 MAC · CPC title
H04L69/22
Parsing or analysis of headers · CPC title

Patent family

Related publications grouped by family.

View patent family 66431494

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10778651B2 cover?: Some embodiments provide a context engine that supplies contextual-attributes to several context-based service engines on its host computer. Different embodiments use different types of context-based service engines. For instance, in some embodiments, the attribute-based service engines include an encryption engine that performs context-based encryption or decryption operations to encrypt data …
Who is the assignee on this patent?: Nicira Inc
What technology area does this patent fall under?: Primary CPC classification G06F9/45558. Mapped technology areas include Physics.
When was this patent published?: Publication date Tue Sep 15 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).