Group Member Recovery Techniques
US-2015295899-A1 · Oct 15, 2015 · US
US12166874B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12166874-B2 |
| Application number | US-202318358345-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 25, 2023 |
| Priority date | Apr 28, 2017 |
| Publication date | Dec 10, 2024 |
| Grant date | Dec 10, 2024 |
Official abstract text for this publication.
Exemplary methods, apparatuses, and systems include a central controller receiving a request to generate a new encryption key for a security group to replace a current encryption key for the security group. The security group includes a plurality of hosts that each encrypt and decrypt communications using the current encryption key. In response to receiving the request, the central controller determines that a threshold period following generation of the current encryption key has not expired. In response to determining that the threshold period has not expired, the central controller delays execution of the request until the expiration of the threshold period. In response to the expiration of the threshold period, the central controller executes the request by generating the new encryption key, storing a time of creation of the new encryption key, and transmitting the new encryption key to the plurality of hosts.
Opening claim text (preview).
We claim:

1. A computer-implemented method, comprising: generating a new encryption key for a security group to replace a previous encryption key for the security group, the security group including a plurality of hosts that have each encrypted and decrypted communications using the previous encryption key; storing a time of creation of the new encryption key; transmitting the new encryption key to the plurality of hosts; during a threshold period following the time of creation of the new encryption key: receiving encrypted traffic associated with security group; and determining whether to decrypt the encrypted traffic with the new encryption key or the previous encryption key based on an identifier associated with the encrypted traffic; after an expiration of the threshold period following the time of creation of the previous encryption key, using the new encryption key to decrypt all received encrypted traffic associated with the security group.
2. The computer-implemented method of claim 1, wherein the identifier associated with the encrypted traffic comprises a security parameter index (SPI) value.
3. The computer-implemented method of claim 1, further comprising, in response to the expiration of the threshold period following the time of creation of the previous encryption key, deleting the previous encryption key.
4. The computer-implemented method of claim 1, wherein the previous encryption key was configured with a lifetime, and wherein an expiration of the lifetime triggered an automatic generation of the new encryption key.
5. The computer-implemented method of claim 1, further comprising: determining, for each host of the plurality of hosts, an amount of time needed to transmit data to the host; determining a difference between a longest amount of time needed to transmit data to a given host of the plurality of hosts and a shortest amount of time needed to transmit data to a different given host of the plurality of hosts; and setting the threshold period to the determined difference.
6. The computer-implemented method of claim 1, wherein storing the time of creation of the new encryption key includes storing the time of creation of the new encryption key to distributed consistent storage accessible to each host of the plurality of hosts.
7. The computer-implemented method of claim 1, wherein storing the time of creation of the new encryption key is accompanied by deleting a respective time of creation of the previous encryption key.
8. A system, comprising: at least one memory; and at least one processor coupled to the at least one memory, the at least one processor and the at least one memory configured to: generate a new encryption key for a security group to replace a previous encryption key for the security group, the security group including a plurality of hosts that have each encrypted and decrypted communications using the previous encryption key; store a time of creation of the new encryption key; transmit the new encryption key to the plurality of hosts; during a threshold period following the time of creation of the new encryption key: receive encrypted traffic associated with security group; and determine whether to decrypt the encrypted traffic with the new encryption key or the previous encryption key based on an identifier associated with the encrypted traffic; after an expiration of the threshold period following the time of creation of the previous encryption key, use the new encryption key to decrypt all received encrypted traffic associated with the security group.
9. The system of claim 8, wherein the identifier associated with the encrypted traffic comprises a security parameter index (SPI) value.
10. The system of claim 8, wherein the at least one processor and the at least one memory are further configured to, in response to the expiration of the threshold period following the time of creation of the previous encryption key, delete the previous encryption key.
11. The system of claim 8, wherein the previous encryption key was configured with a lifetime, and wherein an expiration of the lifetime triggered an automatic generation of the new encryption key.
12. The system of claim 8, wherein the at least one processor and the at least one memory are further configured to: determine, for each host of the plurality of hosts, an amount of time needed to transmit data to the host; determine a difference between a longest amount of time needed to transmit data to a given host of the plurality of hosts and a shortest amount of time needed to transmit data to a different given host of the plurality of hosts; and set the threshold period to the determined difference.
13. The system of claim 8, wherein storing the time of creation of the new encryption key includes storing the time of creation of the new encryption key to distributed consistent storage accessible to each host of the plurality of hosts.
14. The system of claim 8, wherein storing the time of creation of the new encryption key is accompanied by deleting a respective time of creation of the previous encryption key.
15. A non-transitory computer-readable medium storing instructions that, when executed by one or more processors, cause the one or more processors to: generate a new encryption key for a security group to replace a previous encryption key for the security group, the security group including a plurality of hosts that have each encrypted and decrypted communications using the previous encryption key; store a time of creation of the new encryption key; transmit the new encryption key to the plurality of hosts; during a threshold period following the time of creation of the new encryption key: receive encrypted traffic associated with security group; and determine whether to decrypt the encrypted traffic with the new encryption key or the previous encryption key based on an identifier associated with the encrypted traffic; after an expiration of the threshold period following the time of creation of the previous encryption key, use the new encryption key to decrypt all received encrypted traffic associated with the security group.
16. The non-transitory computer-readable medium of claim 15, wherein the identifier associated with the encrypted traffic comprises a security parameter index (SPI) value.
17. The non-transitory computer-readable medium of claim 15, wherein the instructions, when executed by the one or more processors, further cause the one or more processors to, in response to the expiration of the threshold period following the time of creation of the previous encryption key, delete the previous encryption key.
18. The non-transitory computer-readable medium of claim 15, wherein the previous encryption key was configured with a lifetime, and wherein an expiration of the lifetime triggered an automatic generation of the new encryption key.
19. The non-transitory computer-readable medium of claim 15, wherein the instructions, when executed by the one or more processors, further cause the one or more processors to: determine, for each host of the plurality of hosts, an amount of time needed to transmit data to the host; determine a difference between a longest amount of time needed to transmit data to a given host of the plurality of hosts and a shortest amount of time needed to transmit data to a different given host of the plurality of hosts; and set the threshold period to the determined difference.
20. The non-transitory computer-readable medium of claim
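To make the rotation protocol in the abstract and claims concrete, here is an added Python model of the central controller (illustration written for this page, not code from the patent or any product): the threshold is the spread of host delivery times (claim 5), a rotation request arriving inside the threshold is deferred until it expires (abstract), and during the window the decryption key is chosen by SPI while afterwards only the new key is accepted and the previous one is deleted (claims 1 to 3). The class and method names, integer millisecond timestamps, random 32-bit SPIs and measuring the window from the new key's creation time are all assumptions.

```python
import os
import secrets
from dataclasses import dataclass

@dataclass
class GroupKey:
    spi: int            # security parameter index carried by the traffic (claim 2)
    key: bytes
    created_at: int     # time of creation, stored with the key (claim 1); ms here

class GroupKeyController:
    def __init__(self, host_delays, now):
        # Claim 5: threshold = longest host delivery time minus the shortest one.
        self.threshold = max(host_delays.values()) - min(host_delays.values())
        self.current = self._new_key(now)
        self.previous = None        # retained only during the threshold window
        self.pending_at = None      # time at which a deferred request executes

    @staticmethod
    def _new_key(now):
        return GroupKey(spi=secrets.randbits(32), key=os.urandom(32), created_at=now)

    def window_open(self, now):
        # True while traffic encrypted under the previous key may still arrive.
        return self.previous is not None and now < self.current.created_at + self.threshold

    def request_rotation(self, now):
        """Abstract: execute now, or defer until the threshold since the current key expires."""
        earliest = self.current.created_at + self.threshold
        if now < earliest:
            self.pending_at = earliest
            return False            # queued, not executed
        self._rotate(now)
        return True

    def tick(self, now):
        """Housekeeping: run a deferred rotation, delete an expired previous key (claim 3)."""
        if self.pending_at is not None and now >= self.pending_at:
            self._rotate(now)
        if self.previous is not None and not self.window_open(now):
            self.previous = None

    def _rotate(self, now):
        self.previous, self.current = self.current, self._new_key(now)
        self.pending_at = None      # transmitting self.current to each host happens here

    def key_for_traffic(self, spi, now):
        """Claim 1: choose by SPI inside the window; only the new key afterwards."""
        candidates = (self.current, self.previous) if self.window_open(now) else (self.current,)
        return next((k for k in candidates if k.spi == spi), None)
```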
CPC classifications:

- H04L9/088: using time-dependent keys, e.g. periodically changing keys (cryptographic mechanisms or cryptographic arrangements for controlling usage of secret information)
- H04L63/068: Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network)
- H04L9/0833: for group communications (cryptographic mechanisms or cryptographic arrangements for key management involving conference or group key)
- Virtual private networks
- H04L63/065: involving conference or group key (network architectures or network communication protocols for key management in group communication in a packet data network)