Systems and methods for allocating SPI values

US11075949B2 · US · B2

Patent metadata

Publication number: US-11075949-B2
Application number: US-201715423063-A
Country: US
Kind code: B2
Filing date: Feb 2, 2017
Priority date: Feb 2, 2017
Publication date: Jul 27, 2021
Grant date: Jul 27, 2021

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Certain embodiments described herein are generally directed to allocating security parameter index (“SPI”) values to a plurality of endpoints in a network. The SPI values may be derived using an SPI derivation formula and a plurality of parameters. In some embodiments, the SPI values may be derived by an endpoint and in other embodiments by a server. Using the SPI derivation formula and the plurality of parameters enables endpoints and servers to instantaneously derive SPI values without the need for servers to store them.

First claim

Opening claim text (preview).

We claim:

1. A method for allocating security parameter index (“SPI”) values to a plurality of endpoints comprising computing devices in a computer network including a first endpoint and a second endpoint, the method comprising: deriving, independently at the first endpoint, an SPI value using a global SPI derivation formula, “GSDF,” that takes as input parameters including: (1) a source endpoint ID number corresponding to the first endpoint, (2) a key policy number corresponding to a key policy assigned to the first endpoint for generating an encryption key for establishing a secured communication channel, (3) a shift factor that changes in response to each restart of the first endpoint, (4) a maximum endpoint ID number corresponding to a maximum number of endpoints that the computer network supports, and (5) a maximum key policy number corresponding to a maximum number of key policies that the computer network supports, wherein the deriving is performed independently such that SPI values allocated to the plurality of endpoints do not have to be calculated and distributed to the plurality of endpoints by a central unit; establishing the secured communication channel between the first endpoint and the second endpoint using the SPI value; and communicating, by the first endpoint, with the second endpoint over the secured communication channel.

2. The method of claim 1, wherein the SPI derivation formula is: SPI(K_i, EP, S_j) = EP_max * [(K_i − S_j + K_max) % K_max] + EP_j + 1; and wherein SPI represents a binary value corresponding to the SPI value, K_i corresponds to the key policy number, EP_max corresponds to the maximum endpoint ID number, EP_max is a constant, K_max corresponds to the maximum key policy number, EP_j corresponds to the source endpoint ID number, and S_j corresponds to the shift factor.

3. The method of claim 1, wherein establishing the secured communication channel comprises establishing an outbound security association using the SPI value for securing outgoing traffic at the first endpoint, and wherein the SPI value is different from any of the SPI values used for any other outbound security association established for securing outgoing traffic at any other one of the plurality of endpoints in the computer network.

4. The method of claim 1, wherein the second endpoint is configured to independently derive a second SPI value using the SPI derivation formula and a second set of one or more parameters, and wherein the establishing the secured communication channel between the first endpoint and the second endpoint comprises establishing a first security association for communication from the first endpoint to the second endpoint using the SPI value and establishing a second security association for communication from the second endpoint to the first endpoint using the second SPI value.

5. The method of claim 1, wherein the communicating, by the first endpoint, comprises encrypting data using the SPI value and transmitting the encrypted data to the second endpoint over the secured communication channel, wherein the second endpoint is configured to independently derive the SPI value using the SPI derivation formula and the one or more parameters, and wherein the second endpoint is configured to receive and decrypt the encrypted data based on the SPI value.

6. A computer system comprising one or more processors configured to execute a method for allocating security parameter index (“SPI”) values to a plurality of endpoints comprising computing devices in a computer network including a first endpoint and a second endpoint, the method comprising: deriving, independently at the first endpoint, an SPI value using a global SPI derivation formula, “GSDF,” that takes as input parameters including: (1) a source endpoint ID number corresponding to the first endpoint, (2) a key policy number corresponding to a key policy assigned to the first endpoint for generating an encryption key for establishing a secured communication channel, (3) a shift factor that changes in response to each restart of the first endpoint, (4) a maximum endpoint ID number corresponding to a maximum number of endpoints that the computer network supports, and (5) a maximum key policy number corresponding to a maximum number of key policies that the computer network supports, wherein the deriving is performed independently such that SPI values allocated to the plurality of endpoints do not have to be calculated and distributed to the plurality of endpoints by a central unit; establishing the secured communication channel between the first endpoint and the second endpoint using the SPI value; and communicating, by the first endpoint, with the second endpoint over the secured communication channel.

7. The computer system of claim 6, wherein the SPI derivation formula is: SPI(K_i, EP, S_j) = EP_max * [(K_i − S_j + K_max) % K_max] + EP_j + 1; and wherein SPI represents a binary value corresponding to the SPI value, K_i corresponds to the key policy number, EP_max corresponds to the maximum endpoint ID number, K_max corresponds to the maximum key policy number, EP_max is a constant, EP_j corresponds to the source endpoint ID number, and S_j corresponds to the shift factor.

8. The computer system of claim 6, wherein establishing the secured communication channel comprises establishing an outbound security association using the SPI value for securing outgoing traffic at the first endpoint, and wherein the SPI value is different from any of the SPI values used for any other outbound security association established for securing outgoing traffic at any other one of the plurality of endpoints in the computer network.

9. The computer system of claim 6, wherein the second endpoint is configured to independently derive a second SPI value using the SPI derivation formula and a second set of one or more parameters, and wherein the establishing the secured communication channel between the first endpoint and the second endpoint comprises establishing a first security association for communication from the first endpoint to the second endpoint using the SPI value and establishing a second security association for communication from the second endpoint to the first endpoint using the second SPI value.

10. The computer system of claim 6, wherein the communicating, by the first endpoint, comprises encrypting data using the SPI value and transmitting the encrypted data to the second endpoint over the secured communication channel, wherein the second endpoint is configured to independently derive the SPI value using the SPI derivation formula and the one or more parameters, and wherein the second endpoint is configured to receive and decrypt the encrypted data based on the SPI value.

11. A non-transitory computer readable medium comprising instructions to be executed in a computer system, wherein the instructions when executed in the computer system cause the computer system to perform a method for allocating security parameter index (“SPI”) values to a plurality of endpoints comprising computing devices in a computer network including a first endpoint and a second endpoint, the method comprising: deriving, independently at the first endpoint, an SPI value using a global SPI derivation formula, “GSDF,” that takes as input parameters including: (1) a source endpoint ID number corresponding to the first endpoint, (2) a key policy number corresponding to a key policy assigned to the first endpoint for generating an encryption key for establishing a secured communication channel, (3) a shift factor that changes in response to each restart of the first endpoint, (4) a maximu
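The following is an added worked example of the GSDF recited in claim 2 (SPI = EP_max * [(K_i − S_j + K_max) % K_max] + EP_j + 1); it is not code from the patent or from the assignee. It assumes 0-based ranges for the endpoint ID, key policy number and shift factor (the claims do not fix them), wraps EP_max and K_max in a small container, and adds a decode_spi() inverse and two property checks (uniqueness across the network per claim 3, and the effect of a restart on an endpoint's per-policy SPIs) that are this example's own additions.

```python
# Added illustrative implementation of the global SPI derivation formula (GSDF)
# recited in claim 2 of US11075949B2. Not code from the patent or the assignee;
# the 0-based parameter ranges, NetworkLimits and decode_spi() are assumptions.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkLimits:
    ep_max: int  # EP_max: maximum endpoint ID number the network supports (a constant)
    k_max: int   # K_max: maximum key policy number the network supports


def derive_spi(limits: NetworkLimits, ep_j: int, k_i: int, s_j: int) -> int:
    """SPI(K_i, EP, S_j) = EP_max * [(K_i - S_j + K_max) % K_max] + EP_j + 1

    ep_j: source endpoint ID number of the deriving endpoint, assumed 0 <= ep_j < EP_max
    k_i:  key policy number assigned to that endpoint,        assumed 0 <= k_i  < K_max
    s_j:  the endpoint's shift factor, changed on each restart, assumed 0 <= s_j < K_max
    """
    if not 0 <= ep_j < limits.ep_max:
        raise ValueError(f"endpoint ID {ep_j} outside [0, {limits.ep_max})")
    if not 0 <= k_i < limits.k_max:
        raise ValueError(f"key policy {k_i} outside [0, {limits.k_max})")
    if not 0 <= s_j < limits.k_max:
        raise ValueError(f"shift factor {s_j} outside [0, {limits.k_max})")
    shifted_policy = (k_i - s_j + limits.k_max) % limits.k_max
    return limits.ep_max * shifted_policy + ep_j + 1


def decode_spi(limits: NetworkLimits, spi: int) -> tuple[int, int]:
    """Inverse of derive_spi (an addition for this example, not part of the claims):
    recovers (EP_j, shifted key-policy index) from an SPI, or raises if the SPI lies
    outside the range 1 .. EP_max * K_max that the formula can produce. A receiver
    can use this to sanity-check that an inbound SPI fits the allocation scheme."""
    top = limits.ep_max * limits.k_max
    if not 1 <= spi <= top:
        raise ValueError(f"SPI {spi} outside GSDF range 1..{top}")
    return (spi - 1) % limits.ep_max, (spi - 1) // limits.ep_max


def endpoint_spis(limits: NetworkLimits, ep_j: int, s_j: int) -> dict[int, int]:
    """All outbound SPIs of one endpoint: one per key policy, for its current shift."""
    return {k: derive_spi(limits, ep_j, k, s_j) for k in range(limits.k_max)}


def network_spis_unique(limits: NetworkLimits, shifts: dict[int, int]) -> bool:
    """Claim-3 property: no two outbound SAs anywhere in the network share an SPI.
    shifts maps every endpoint ID 0..EP_max-1 to its current shift factor."""
    spis = [
        spi
        for ep in range(limits.ep_max)
        for spi in endpoint_spis(limits, ep, shifts[ep]).values()
    ]
    return len(spis) == len(set(spis))


def restart_changes_policy_spis(limits: NetworkLimits, ep_j: int,
                                s_before: int, s_after: int) -> bool:
    """True if at least one key policy of endpoint ep_j maps to a different SPI after
    a restart moved the shift factor from s_before to s_after."""
    before = endpoint_spis(limits, ep_j, s_before)
    after = endpoint_spis(limits, ep_j, s_after)
    return any(before[k] != after[k] for k in before)


if __name__ == "__main__":
    # Constructed toy network: 4 endpoints, 3 key policies, so SPIs occupy 1..12.
    limits = NetworkLimits(ep_max=4, k_max=3)
    shifts = {0: 0, 1: 1, 2: 2, 3: 0}  # constructed per-endpoint shift factors
    for ep in range(limits.ep_max):
        print(f"endpoint {ep} (shift {shifts[ep]}): {endpoint_spis(limits, ep, shifts[ep])}")
    print("all outbound SPIs unique:", network_spis_unique(limits, shifts))
    print("endpoint 2 per-policy SPIs change after restart:",
          restart_changes_policy_spis(limits, 2, s_before=0, s_after=1))
    print("decode SPI 7 ->", decode_spi(limits, 7))
```

Two things the run makes visible that the claim text alone does not. First, uniqueness across endpoints comes entirely from the "+ EP_j + 1" term: every SPI of endpoint j is congruent to EP_j + 1 modulo EP_max, so no shift value can make two endpoints collide. Second, the shift factor only rotates which key policy gets which value inside that endpoint's fixed slice {EP_j + 1, EP_j + 1 + EP_max, ...}; after a restart the same SPI values reappear bound to different key policies, which is why a peer holding an SA from before the restart has to re-derive. Separately, the formula's output starts at 1, while RFC 4303 reserves SPI values 1 through 255 for IANA and 0 for local use, a mapping the claim text on this page does not address.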

Assignees

Inventors

Classifications

  • H04L9/0838 (Primary)

    Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (network architectures or network communication protocols for key exchange in a packet data network H04L63/061) · CPC title

  • involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics · CPC title

  • Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up · CPC title

  • Transmitting and receiving encryption devices synchronised or initially set up in a particular manner · CPC title

  • wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for symmetric key encryption H04L9/06) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11075949B2 cover?
Certain embodiments described herein are generally directed to allocating security parameter index (“SPI”) values to a plurality of endpoints in a network. The SPI values may be derived using an SPI derivation formula and a plurality of parameters. In some embodiments, the SPI values may be derived by an endpoint and in other embodiments by a server. Using the SPI derivation formula and the plu…
Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/0838. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 27, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).