Event management in distributed computing system
US-12155753-B2 · Nov 26, 2024 · US
US10873455B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10873455-B2 |
| Application number | US-201816005990-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 12, 2018 |
| Priority date | Mar 15, 2018 |
| Publication date | Dec 22, 2020 |
| Grant date | Dec 22, 2020 |
Official abstract text for this publication.
Techniques are presented for encryption key rollover synchronization in a network. In one embodiment, a method includes generating a new set of public-key encryption keys for a first network element. Based on the new set of public-key encryption keys, a set of new security associations between the first network element and each other network element in the network is generated. The method includes providing a new public key from the new set of public-key encryption keys to a network controller and using security associations associated with a previous set of public-key encryption keys for encrypted communication between the first network element and each other network element. Upon obtaining, from a second network element, traffic protected by a security association from the set of new security associations, the method includes using the new security associations for subsequent encrypted communication between the first network element and the second network element.
Opening claim text (preview).
What is claimed is:

1. A method comprising: generating a new set of public key encryption keys for a first network element in a network comprising a plurality of network elements; based on the new set of public-key encryption keys, generating a set of new security associations between the first network element and each other network element of the plurality of network elements in the network; providing a new public key from the new set of public-key encryption keys for the first network element to a network controller in communication with the plurality of network elements; using security associations associated with a previous set of public-key encryption keys to protect traffic for encrypted communication between the first network element and each other network element in the network; and upon obtaining, from a second network element of the plurality of network elements, traffic protected by a security association from the set of new security associations, using security associations from the set of new security associations for subsequent encrypted communication between the first network element and the second network element, wherein the first network element and the second network element exchange peer-to-peer encrypted communication directly without passing through the controller, and only the network controller distributes public key cryptographic material on behalf of the first network element to the second network element.
2. The method of claim 1, further comprising: obtaining from the network controller, at the first network element, a new public key from a new set of public-key encryption keys for one or more network elements of the plurality of network elements; based on the new public key for the one or more network elements, generating another set of new security associations between the first network element and each of the one or more network elements; and using security associations from the another set of new security associations to protect traffic for subsequent encrypted communication between the first network element and each of the one or more network elements.
3. The method of claim 2, further comprising: upon obtaining encrypted communication, at the first network element, from the one or more network elements using a security association from the another set of new security associations, deactivating security associations associated with previous public keys for each of the one or more network elements.
4. The method of claim 1, further comprising: obtaining encrypted communication, at the first network element, from at least one network element of the plurality of network elements, wherein the encrypted communication uses a security association from the set of new security associations; and using security associations from the set of new security associations to protect traffic for subsequent encrypted communication between the first network element and the at least one network element.
5. The method of claim 4, further comprising: deactivating, at the first network element, security associations associated with the previous set of public-key encryption keys for the first network element for subsequent encrypted communication between the first network element and the at least one network element.
6. The method of claim 4, further comprising: setting a timer, at the first network element, upon obtaining the encrypted communication that uses a security association from the set of new security associations; and upon expiration of the timer, deleting the security associations associated with the previous set of public-key encryption keys for the first network element.
7. The method of claim 1, further comprising: obtaining from the network controller, at the first network element, a new public key from a new set of public-key encryption keys for the second network element; and wherein the set of new security associations comprises: a first set of new security associations between the first network element and the second network element based on the new set of public-key encryption keys for the first network element and the new public key for the second network element; and a second set of new security associations between the first network element and the second network element based on the previous set of public-key encryption keys for the first network element and the new public key for the second network element.
8. One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor of a first network element in a network comprising a plurality of network elements, cause the processor to: generate a new set of public-key encryption keys for the first network element; based on the new set of public-key encryption keys, generate a set of new security associations between the first network element and each other network element of the plurality of network elements in the network; provide a new public key from the new set of public-key encryption keys for the first network element to a network controller in communication with the plurality of network elements; use security associations associated with a previous set of public-key encryption keys to protect traffic for encrypted communication between the first network element and each other network element in the network; and upon obtaining, from a second network element of the plurality of network elements, traffic protected by a security association from the set of new security associations, use security associations from the set of new security associations for subsequent encrypted communication between the first network element and the second network element, wherein the first network element and the second network element exchange peer-to-peer encrypted communication directly without passing through the controller, and only the network controller distributes public key cryptographic material on behalf of the first network element to the second network element.
9. The one or more non-transitory computer readable storage media of claim 8, further comprising instructions to cause the processor to: obtain from the network controller a new public key from a new set of public-key encryption keys for one or more network elements of the plurality of network elements; based on the new public key for the one or more network elements, generate another set of new security associations between the first network element and each of the one or more network elements; and use security associations from the another set of new security associations to protect traffic for subsequent encrypted communication between the first network element and each of the one or more network elements.
10. The one or more non-transitory computer readable storage media of claim 9, further comprising instructions to cause the processor to: upon obtaining encrypted communication from the one or more network elements using a security association from the another set of new security associations, deactivate security associations associated with previous public keys for each of the one or more network elements.
11. The one or more non-transitory computer readable storage media of claim 8, further comprising instructions to cause the processor to: obtain encrypted communication from at least one network element of the plurality of network elements, wherein the encrypted communication uses a security association from the set of new security associations; and use security associations from the set of new security associations to protect traffic for subsequent encrypted communication between the first network element and the at least one network element.
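The claims above describe a make-before-break rollover: the element that rotates its key installs new security associations (SAs) with every peer but keeps sending on the old ones until a peer proves it has the new SA by using it; only then does it switch, deactivate the old SAs and delete them after a timer. The following is an added simulation of that state machine, written for this page and not code from the patent or its assignee. The names (`Controller`, `NetworkElement`, `SA`, `Packet`, `run_demo`), the toy Diffie-Hellman group, the key-id scheme `A:0`, `A:1` and the tick-based timer are all assumptions made for the example; the SA key derivation and HMAC-protected packets stand in for whatever real protocol an implementation would use.

```python
"""Toy model of controller-assisted key-rollover synchronization.
Constructed example: the DH group and packet format are for illustration only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

P = 2**127 - 1     # toy Diffie-Hellman modulus (a Mersenne prime); not a production group
G = 3
GRACE_TICKS = 2    # claim 6: old SAs are deleted this many ticks after the switch


@dataclass(frozen=True)
class KeyPair:
    key_id: str
    private: int
    public: int


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_key_id: str   # sender key the protecting SA is based on
    dst_key_id: str   # receiver key the protecting SA is based on
    payload: bytes
    tag: bytes


@dataclass
class SA:
    peer: str
    local_key_id: str
    peer_key_id: str
    key: bytes
    active: bool = True


def generate_keypair(key_id):
    priv = secrets.randbelow(P - 2) + 1
    return KeyPair(key_id, priv, pow(G, priv, P))


class Controller:
    """Only the controller distributes public keys between elements (claim 1)."""
    def __init__(self):
        self.elements = {}

    def register(self, elem):
        for other in self.elements.values():   # initial key exchange via the controller
            other.on_peer_key(elem.name, elem.current.key_id, elem.current.public)
            elem.on_peer_key(other.name, other.current.key_id, other.current.public)
        self.elements[elem.name] = elem

    def publish(self, elem, key_id, public):
        for other in self.elements.values():
            if other is not elem:
                other.on_peer_key(elem.name, key_id, public)   # claim 2, peer side


class NetworkElement:
    def __init__(self, name, controller):
        self.name, self.controller, self.generation = name, controller, 0
        self.current, self.previous = generate_keypair(f"{name}:0"), None
        self.peer_pub = {}   # peer -> (key_id, public)
        self.sas = {}        # (peer, local_key_id, peer_key_id) -> SA
        self.outbound = {}   # peer -> SA currently used to protect traffic we send
        self.timers = {}     # peer -> ticks left before deactivated SAs are deleted
        controller.register(self)

    def _install_sa(self, peer, local, peer_key_id, peer_pub):
        shared = pow(peer_pub, local.private, P)           # DH shared secret
        label = "|".join(sorted((local.key_id, peer_key_id))).encode()
        key = hashlib.sha256(shared.to_bytes(16, "big") + label).digest()
        sa = SA(peer, local.key_id, peer_key_id, key)
        self.sas[(peer, local.key_id, peer_key_id)] = sa
        return sa

    def on_peer_key(self, peer, key_id, public):
        """A peer's new public key arrived from the controller (claims 2 and 7)."""
        self.peer_pub[peer] = (key_id, public)
        sa = self._install_sa(peer, self.current, key_id, public)
        if self.previous is not None:                       # claim 7: previous local key + new peer key
            self._install_sa(peer, self.previous, key_id, public)
        self.outbound[peer] = sa                            # start using the new SA towards that peer

    def rollover(self):
        """Claim 1: new keys, new SAs with every peer, publish; keep sending on old SAs."""
        self.generation += 1
        self.previous, self.current = self.current, generate_keypair(f"{self.name}:{self.generation}")
        for peer, (kid, pub) in self.peer_pub.items():
            self._install_sa(peer, self.current, kid, pub)  # outbound deliberately left unchanged
        self.controller.publish(self, self.current.key_id, self.current.public)

    def send(self, peer, payload):
        sa = self.outbound[peer]
        return Packet(self.name, peer, sa.local_key_id, sa.peer_key_id, payload,
                      hmac.new(sa.key, payload, "sha256").digest())

    def receive(self, pkt):
        sa = self.sas.get((pkt.src, pkt.dst_key_id, pkt.src_key_id))
        if sa is None or not sa.active:
            raise ValueError(f"{self.name}: no active SA for {pkt.src_key_id}/{pkt.dst_key_id}")
        if not hmac.compare_digest(hmac.new(sa.key, pkt.payload, "sha256").digest(), pkt.tag):
            raise ValueError(f"{self.name}: integrity check failed")
        if (sa.local_key_id, sa.peer_key_id) == (self.current.key_id, self.peer_pub[pkt.src][0]):
            self.outbound[pkt.src] = sa                     # claims 1 and 4: switch to the new SA
            self._retire_old_sas(pkt.src, keep=sa)          # claims 3 and 5
        return pkt.payload

    def _retire_old_sas(self, peer, keep):
        retired = False
        for (p, _, _), old in self.sas.items():
            if p == peer and old is not keep and old.active:
                old.active, retired = False, True
        if retired and peer not in self.timers:
            self.timers[peer] = GRACE_TICKS                 # claim 6: delete after the timer

    def tick(self):
        for peer in list(self.timers):
            self.timers[peer] -= 1
            if self.timers[peer] <= 0:
                del self.timers[peer]
                for k in [k for k, s in self.sas.items() if k[0] == peer and not s.active]:
                    del self.sas[k]


def run_demo():
    """Two elements behind one controller; A rolls its key over."""
    ctl = Controller()
    a, b = NetworkElement("A", ctl), NetworkElement("B", ctl)
    pre = b.send("A", b"before rollover")  # protected by the (B:0, A:0) SA
    a.receive(pre)
    a.rollover()
    p1 = a.send("B", b"after rollover")    # A still protects traffic with the previous-key SA
    b.receive(p1)                          # B accepts: its old SA is still active
    p2 = b.send("A", b"reply")             # B already uses the new SA it built from A:1
    a.receive(p2)                          # A now switches to the new SA and retires the old
    p3 = a.send("B", b"switched")
    b.receive(p3)                          # B retires the SA based on A's old key
    for _ in range(GRACE_TICKS):
        a.tick(); b.tick()
    try:
        a.receive(pre)                     # stale packet on a deleted SA is rejected
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return {"a_key_after_rollover": p1.src_key_id, "b_key_to_a_after_publish": p2.dst_key_id,
            "a_key_after_switch": p3.src_key_id,
            "a_old_sa_deleted": ("B", "A:0", "B:0") not in a.sas,
            "b_old_sa_deleted": ("A", "B:0", "A:0") not in b.sas,
            "stale_packet_rejected": stale_rejected}
```

Running `run_demo()` shows the ordering the claims depend on: after `rollover()` A's first packet still carries key id `A:0`, B's reply already carries `A:1` because the controller delivered the new key, and only that reply moves A onto the new SA. The point worth checking in any implementation is the window between deactivation and deletion: a packet protected by the old SA is still accepted until the timer fires, after which it is refused, so the grace period bounds how long an old key remains usable.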
CPC classification titles:

- Implementing security features at a particular protocol layer
- using time-dependent keys, e.g. periodically changing keys (cryptographic mechanisms or cryptographic arrangements for controlling usage of secret information H04L9/088)
- for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819)
- at the network layer
- wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for public-key encryption H04L9/30)