EP3732820A1 - Managed securitized containers and container communications - Google Patents
Managed securitized containers and container communicationsInfo
- Publication number
- EP3732820A1 EP3732820A1 EP18896070.2A EP18896070A EP3732820A1 EP 3732820 A1 EP3732820 A1 EP 3732820A1 EP 18896070 A EP18896070 A EP 18896070A EP 3732820 A1 EP3732820 A1 EP 3732820A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- container
- signals
- devices
- containers
- trust
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000004891 communication Methods 0.000 title claims abstract description 80
- 238000012544 monitoring process Methods 0.000 claims abstract description 4
- 238000000034 method Methods 0.000 claims description 50
- 230000005540 biological transmission Effects 0.000 claims description 28
- 230000007246 mechanism Effects 0.000 claims description 14
- 230000015654 memory Effects 0.000 claims description 13
- 230000003287 optical effect Effects 0.000 claims description 9
- 230000006870 function Effects 0.000 claims description 7
- 238000010200 validation analysis Methods 0.000 claims description 7
- 238000012545 processing Methods 0.000 claims description 4
- 238000012546 transfer Methods 0.000 claims description 3
- 238000004364 calculation method Methods 0.000 claims 1
- 238000003860 storage Methods 0.000 description 19
- 238000005516 engineering process Methods 0.000 description 18
- 238000004519 manufacturing process Methods 0.000 description 7
- 230000008901 benefit Effects 0.000 description 6
- 230000008569 process Effects 0.000 description 6
- 239000003999 initiator Substances 0.000 description 5
- 238000012360 testing method Methods 0.000 description 5
- 238000006243 chemical reaction Methods 0.000 description 4
- 239000004744 fabric Substances 0.000 description 4
- 238000007726 management method Methods 0.000 description 4
- 238000013459 approach Methods 0.000 description 3
- 230000006399 behavior Effects 0.000 description 3
- 238000011161 development Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 238000009792 diffusion process Methods 0.000 description 3
- 230000002123 temporal effect Effects 0.000 description 3
- 241000282414 Homo sapiens Species 0.000 description 2
- 230000001010 compromised effect Effects 0.000 description 2
- 238000013478 data encryption standard Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000006855 networking Effects 0.000 description 2
- 230000037361 pathway Effects 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 241000282326 Felis catus Species 0.000 description 1
- 241000772415 Neovison vison Species 0.000 description 1
- 241000700605 Viruses Species 0.000 description 1
- 230000001133 acceleration Effects 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000002354 daily effect Effects 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 230000007613 environmental effect Effects 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 239000012634 fragment Substances 0.000 description 1
- 230000004927 fusion Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 230000014759 maintenance of location Effects 0.000 description 1
- 230000007257 malfunction Effects 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 239000002184 metal Substances 0.000 description 1
- 230000008450 motivation Effects 0.000 description 1
- 238000011017 operating method Methods 0.000 description 1
- 238000005192 partition Methods 0.000 description 1
- 229920001690 polydopamine Polymers 0.000 description 1
- 238000004886 process control Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 230000035755 proliferation Effects 0.000 description 1
- 238000010926 purge Methods 0.000 description 1
- 230000001105 regulatory effect Effects 0.000 description 1
- 230000003362 replicative effect Effects 0.000 description 1
- 238000007789 sealing Methods 0.000 description 1
- 230000019491 signal transduction Effects 0.000 description 1
- 230000008054 signal transmission Effects 0.000 description 1
- 238000013522 software testing Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000005728 strengthening Methods 0.000 description 1
- 230000005641 tunneling Effects 0.000 description 1
- 230000003442 weekly effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
Definitions
- application number 16/006,011, filed June 12, 2018, granted as US Patent Number 10,158,613 on December 18, 2018, is a continuation-in-part of US Nonprovisional Application number 16/005,040 filed June 11, 2018 entitled“Securitization of Temporal Digital Communications with Authentication and Validation of User and Access Devices”, granted as US Patent Number 10,154,021 on December 11, 2018.
- the present disclosure relates to randomized encryption of communications, and more particularly to a system mat encrypts and decrypts signals between devices to ensure mat the communications with and from software containers are discoverable by only designated third parties.
- Methods and devices for encryption of these (primarily digital and normally two- way) communications to, from, and within software containers using applications mat may be combined with authorization and validation for receiving, storing, and retrieval of electronic, optical, and/or electro-optical communications in the form of voice, data, or optical transmissions, are also included.
- communications require special encryption techniques essential to denying fraudulent or otherwise unauthorized third parties with the ability to access sealed encrypted transmissions used with data at rest as well as for data on the move and specific to data to, from and within software containers.
- the present disclosure includes devices and a system that is specifically suited for data transmission applications that require a need for discrete communications, preserving privacy of information, electronic commerce transactions, electronic mail communications all required for solving security issues associated with software containers.
- Agile teams can "fail fast” and fix their mistakes as they go.
- Agile teams also benefit from a constant customer feedback loop which allows them to manage their time and budgets more effectively.
- Another characteristic of Agile teams is that they're cross-functional. Rather man doing their specific jobs and not really communicating with other functions (which is typical of Waterfall practices), they're working together to set priorities and remove inefficiencies from their processes.
- DevOps combines software development and operations. The trend started to gain momentum in the early 2000's because there were often disconnects between how a developer thinks the software he's building will operate in the real world and how that software actually works in the real-world.
- Cloud computing helps to resolve the differences because actual and test systems can be configured more identically.
- a "cloud” is a massive compute and storage environment that businesses can rent on a usage basis. Slowly, but surely, businesses across industries are moving to the cloud because they're finding it very difficult if not impossible to continue building and maintaining meir own information technology (IT) infrastructures in today's fast-changing business world).
- IT information technology
- Continuous delivery is a software development method that builds upon the concepts associated with both Agile and DevOps. Continuous delivery works faster than either Agile or DevOps can on their own. Ifs necessary, because software delivery cycles are continuing to shrink. There are several reasons why the cycles are shrinking including the two biggest factors; customer expectations and disruptive companies that have always operated online or in the cloud ("digital natives").
- the present disclosure was developed so that software developers can secure the products they're building without spending any extra time, which makes it ideal for Agile and DevOps teams whether they're performing Continuous Delivery or not If they want their software or device to communicate with any other piece of software or device securely, the present disclosure addresses this need.
- Software containers are a solution to the problem of how to get software to run reliably when moved from one computing environment to another. These containers can be utilized for example for anything including a software developer's laptop to a test environment, from a staging environment into production, as well as from a physical machine in a data center to a virtual machine in a private or public cloud.
- Debian is a Unix-like computer operating system that is composed entirely of free software, most of which is under the GNU General Public License and packaged by a group of individuals participating in the Debian Project). and production is performed using a Red Hat operating system. Again, the results could be and often lead to unexpected/unintended consequences. These issues are not confined to software malfunctions but network topology might not match and/or the security policies and storage might be different. In all cases, however the software still has to perform properly and as initially intended.
- a container consists of an entire runtime environment: an application, plus all its dependencies, libraries and other binaries, and configuration files needed to run (execute) it, bundled into one package.
- OS operating system
- a server running three containerized applications using software containers runs a single operating system, and each container shares the operating system kernel with the other software containers. Shared parts of the (OS) operating system are read only, while each software container has its own mount (i.e., a way to access the container) for writing. That means the software containers are much more lightweight and use far fewer resources than virtual machines.
- OS operating system
- mount i.e., a way to access the container
- a container may be only tens of megabytes in size, whereas a virtual machine with its own entire operating system may be several gigabytes in size. In this instance, a single server can host far more containers than virtual machines.
- a third benefit is that containerization allows for greater modularity. Rather than run an entire complex application inside a single software container, the application can be split into processor s (such as the database, the application front end, etc.). This is the so-called “microservices approach”. Applications built and provided in this manner are easier to manage because each processor is relatively simple, and changes can be made to processor s without having to rebuild the entire application. Because software containers are so lightweight, individual processors (or microservices) can be instantiated only when they are needed and are available almost immediately.
- a company known as“Docker” has become synonymous with software container technology because it has been the most successful at popularizing it.
- software container technology is not new; it has been built into Linux operating systems in the form of LX € for over 10 years, and similar operating system level virtualization has also been offered by FreeBSD jails, AIX Workload Partitions and Solaris Containers.
- OCI Open Container Initiative
- the idea of the OCI is to ensure that the fundamental building blocks of software container technology (such as the container format) are standardized so that all software developers and architects can take advantage of them. This initiative would then provide the ability to reduce spending resources developing competing software container technologies so that organizations can focus on developing the additional software needed to support the use of standardized software containers in an enterprise or cloud environment.
- the type of software needed includes A major concern and major objective of the present disclosure involves the fact that many people believe that software containers are less secure than virtual machines. This is due, in part, to the possibility that if there is a vulnerability in the container host kernel, this vulnerability can provide a way into the software containers that share the host kernel. This issue is also true for a hypervisor.
- a hypervisor is a virtual machine monitor (VMM) that is computer software, firmware or hardware that creates and runs virtual machines.
- VMM virtual machine monitor
- a computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.
- a hypervisor provides far less functionality than a Linux kernel (which typically implements file systems, networking, application process controls and so on) it presents a much smaller attack“surface” for a virus to be implanted or to access sensitive data.
- a great deal of effort has been devoted to developing software to enhance the security of containers. For example, Docker (and other container systems) now include a signing infrastructure allowing administrators to sign container images to prevent untrusted containers from being deployed.
- Twistlock offers software that profiles a container's expected behavior
- Another specialist container security company known as Polyverse takes a different approach. It takes advantage of the fact that containers can be started in a fraction of a second to relaunch containerized applications in a known“good” state every few seconds to minimize the time that a hacker has to exploit an application running in a software container.
- developers can start seeming their applications within a relatively short period of time. They won't have to configure an thing or know anything about security' for the system to properly operate. Developers can simply wrap their application up in a software container which is like placing personal items in a portable storage container that's under lock and key.
- the software containers of the present disclosure are able to communicate with each oilier securely via an encrypted link.
- the present disclosure provides software developers with a new and better way to secure whatever software they're building so when that software communicates with either a copy of itself or other types of software, including the software resident in various types of devices, the data is kept safe. More specifically, the present disclosure describes the use of the first known context-free and natively-secure software containers that enable software developers the ability to take ownership of application data security. Context free means that developers do not have to rely on a particular vendor/platform (i.e. Amazon, IBM, Cisco, etc.) and is independent of the type of container used. These devices and system are“natively secure” in that they are built into the actual structure of the container itself.
- Securitization and encryption occurs at the transport layer such that the application developers are writing applications that create connections to the rest of the communications world at the transport layer. In this manner, the application developers/writers who create the applications can take ownership of the security themselves instead of handing it off to someone else in the operation or to some external router. Developers using the system disclosed are now in full control of security in that the developer is specifying the data security and the data security is being supplied to their application as they determine and as they complete their task(s).
- Technologent (Irvine, California) are anxious to deploy this new development. They see the system as the ability to offer a ubiquitous capability to provide security for specific platforms. Utilizing the devices and system of the present disclosure, any developer can secure communication between software containers across disparate scheduling and orchestration platforms, IaaS (internet as a service) services, transport-layer security protocols, and onpremises or hybrid environments using Docker-compatible hypervisors. Such hybrid IT environments include colocation (hypervisor) and AWS ECS.
- This system provides DevOps teams with a method to build, deploy and run secure container applications without the costs associated with legacy security strategies.
- legacy security strategies will either use an appliance (routers, servers, etc.) which will contain the presently disclosed security system or because legacy security can be improved by running a small program (software routine) that can be included with (added to running on) the actual legacy equipment.
- This small program is a symmetric TLS library (currently written in Python) that encrypts and decrypts egress and ingress layer 4 traffic (respectfully) using configurable symmetric encryption TLS cipher suites.
- This program is often embedded (the code) into the container.
- the library is 2.5 times faster than the most used open source python crypto wrapper, meaning that cross-platform networks can now be effectively secured without suffering unacceptable latencies.
- This software routine can be installed on another piece of computer equipment and is both the library and the intercept of the present disclosure added in the form of a software router.
- IP security is a layer 3 protocol that supplies secure channels/tunnels between IP addresses.
- tunnels themselves may carry signals that may include channels and tunnels may carry channels or tunnels may carry signals through other tunnels.
- a data channel is an information route with associated circuitry that passes data between systems or parts of systems.
- Tunnels in this case also refers to tunneling and is a mechanism used to ship a foreign protocol across a network that normally would not support that protocol. In either case, a tunnel can be used to penetrate through obstructions (such as firewalls that would be otherwise impenetrable) where channels may not provide this feature.
- IP SEC is a difficult to configure and a difficult to keep operating software that is normally inserted into an appliance. There is also difficulty with operating IP SEC as there is a limited amount of encryption security using the standards available. The cost of IP SEC is also relatively high and normally provided by very few vendors including CISCO. IP SEC normally involves scheduling and orchestration platforms - this is for network servers and is a form of load balancing that requires computer resource scheduling. Orchestration involves the location where the code (in this case the security code) is being executed. To date, inter-container communications have not been addressed adequately by existing container orchestration frameworks and protocols. ICEMicro changes that by providing developers with a natively secure container image to package application code.
- any two ICEMicro containers can communicate securely "out of the box.”
- Another significant issue is the disparity caused when different network resources operate on different companies’ clouds, often causing extreme communication mishaps.
- the solution has been that disparate regions also function on different clouds (e.g. Amazon UK vs Amazon, USA) and a current method to get these two disparate entities to communicate with each other is to get another resource from Amazon for both ends and pay for a bridge between one application on Amazon US to one or more applications with Amazon UK. This requires adding another virtual device that has to run on the Amazon platform. Either Amazon provides this service or you pay Cisco for their Virtual Router. Another possibility is that the developers must write the code themselves which becomes embedded on both ends.
- Level 4 refers to layers that are in a communications stack which from bottom to top is as follows:
- Communication Layer (2) Software running over Layer 1 - such as token ring or ethemet
- Communication Layer (3) Wireless area networks - if wireless connecting from one computer or other hardware device to another IP address - such as the internet - IP address to IP address communications.
- Communication Layer (4) As communications go through the stack from top to bottom, where the manner of transport is irrelevant this last layer becomes the security layer, which presently is where IP SEC resides and is executed.
- This“Layer 4” is known as the transport layer security level or TLS - where security is occurring at the transport layer.
- TLS transport layer security level
- the communications“traffic” is routing from or to communications ports.
- layer 4 is attached to the application itself and provides logical connections between applications. This, understandably is why TLS security is critical.
- the present disclosure describes devices and systems that places the TLS security into the structure of the container itself. In this manner, a developer can provide any application immediate security within the container using the“ICEMicro security devices and systems”. The system allows the developer to inform the container(s) what connections are allowed between transport layer(s) and where the“ICEMicro” securitization and/or encryption should be placed.
- This technique creates and provides a“tunnel” that now exists from one container to a different container and utilizes its own dynamic key and with its own tunnel.
- the ICE system may provide multiple tunnels as there are 16bits of tunnels which equates to 65,535 ports, all of which can possess their own keys.
- the keys are dynamically changed by the“ICE” Library.
- each tunnel can go to any other location
- ICEMicro (including other containers), all capable of running individual independent sets of security on their data transmissions. Developers will gain significant speed and efficiency using the “ICE” system, as securing communications between two containers is accomplished as quickly as applications can be created. ICEMicro does not require additional development overhead or network security expertise.
- ICEMicro does not depend on the transport layer for data security. However, it is compatible with any transport layer security protocol. Transport layer security protocol vulnerabilities are well known. As quickly as protocol upgrades are deployed, hackers exploit new vulnerabilities. Networks deploying legacy TLS pose even higher risks. ICEMicro is agnostic to the TLS protocol and natively secures the communications between containers within legacy or greenfield environments, limiting successful TLS hacks access to encrypted data only. Essentially, ICEMicro renders TLS unnecessary.
- the devices and system of the present disclosure utilize running dynamic ephemeral (temporary) keys as another layer of protection provided by the encryption tools (also described herewithin).
- the present disclosure describes an“ICEMicro” version of a TLS protocol, which can be run on/or embedded in containers (or hybrid systems).
- the present disclosure supports container compatible Hypervisors. Hypervisors are layers of software located between the actual computer systems and the operating systems - which enables virtual operating systems and controls instruction sets to operate on the same computing platforms developers utilize during software development.
- the Hypervisor translates the capabilities of some hardware into a portion of a standardized virtual hardware and controls the access to that virtual hardware.
- the ICEMicro devices and system of the present disclosure provides security bridges to containers directly with built-in security DASA encryption. These are security bridges for communications between containers.
- the system also provides for communications from one container to a legacy network/device or from a legacy network/device to another legacy or any other network or communicating device, whether networked or not.
- Dynamic Encryption Technology eliminates vulnerabilities caused by exposure of any single encryption key by continuously changing encryption keys and keeping the keys synchronized in a fault-tolerant manner.
- Perpetual Authentication Technology uses multiple virtual channels or tunnels for encryption so that in the event one channel or tunnel is compromised, the other tunnels maintain encryption integrity. Together, these technologies not only eliminate the single point of failure problem created by having keys exposed through brute force, side channel, or other types of attack, but do so with very low latency and performance overhead. Whether at rest or in-motion, the encryption processes described ensures communications data (and all associated signals) remains safe, secure and uncompromised.
- the present disclosure and associated invention provides technology that abstracts container services into a Trustplane.
- the Trustplane secures data in transit simply and reliably, allowing developers to ensure data integrity without concern for Data Plane and Control Plane configurations or security vulnerabilities.
- applications running in natively-secured ICEMicro containers VPNs are no longer the vulnerable and expensive chokepoint that limits multi-environment deployments.
- plaintext refers to a text which has not been coded or encrypted. In most cases the plaintext is usually directly readable, and the terms‘cipher- text’ or‘encrypted text’ are used to refer to text that has been coded or“encrypted”.
- Encryption experts also assert that, despite the name,“plaintext”, the word is also synonymous with textual data and binary data, both in data file and computer file form.
- the term“plaintext” also refers to serial data transferred, for example, from a communication system such as a satellite, telephone or electronic mail system.
- Terms such as‘encryption’ and‘enciphering’,‘encrypted’ and‘ciphered’,‘encrypting device’ and‘ciphering device’, ‘decrypting device’ and‘decipher device’ have an equivalent meaning within cryptology and are herein used to describe devices and methods that include encryption and decryption techniques.
- Network security is a burgeoning field.
- encryption algorithms for example, public key encryption techniques using RSA and Diffie-Hellman are widely used.
- Well known public key encryption techniques generally described in the following U.S. Pat. Nos: 4,200,770 entitled, Cryptographic Apparatus and Method, invented by Hellman, Diffie and Merkle; 4,218,582 entitled, Public Key Cryptographic Apparatus and Method, invented by Hellman and Merkle; 4,405,829 entitled Cryptographic Communications System and Method, invented by Rivest, Shamir and Adleman; and 4,424,414 entitled, Exponentiation Cryptographic Apparatus and Method, invented by Hellman and Pohlig.
- network security refer to Network and Internetwork Security, by William Stallings, Prentice Hall, Inc., 1995.
- Another trend in data mobility is to upload and download data on demand over a network, so that the most recent version of the data is always accessible and can be shared only with authorized users.
- This facilitates the use of“thin client” software and minimizes the cost of storing replicated versions of the data, facilitates the implementation of a common backup and long-term storage retention and/or purging plan, and may provide enhanced visibility and auditing as to who accessed the data and the time of access, as may be required for regulatory compliance.
- thin client software greatly increases the vulnerability of such data to hackers who are able to penetrate the firewalls and other mechanisms, unless the data is encrypted on the storage medium in such a way that only authorized users could make sense of it, even if an unauthorized user were able to access the encrypted files.
- DES Data Encryption Standard
- NBS National Institute of Standards and Technology
- FEAL Fast data encipherment algorithm
- Asymmetric file encryption systems use a different key to encrypt a file from the key used to decrypt the encrypted file.
- Many current file encryption systems rely on asymmetric encryption, such as those that rely on public key/private key pairs.
- An example of an encryption algorithm that utilizes public key/private key pairs is the RSA (Rivest, Shamir, and Adleman) algorithm.
- Symmetric file systems use an identical key to encrypt a file as the key used to decrypt the encrypted file.
- Certain file encryption systems utilize a cryptographic process or random number generator to derive a random symmetric key known as the file encryption key (FEK). The FEK is used to encrypt the file.
- Symmetric cryptography functions up to five orders of magnitude faster than asymmetric cryptography on files.
- any such file encryption system still has to overcome the fact that asymmetric keys generally operate at orders of magnitude slower than symmetric keys.
- the file encryption key each time a file is being authenticated, the file encryption key has to be decrypted by the asymmetric key which is time consuming, but becoming less so as computer speeds and operations are constantly improving.
- the present disclosure relates generally to a cryptographic management scheme that provides for network security, mobile security, and specifically and more particularly relates to devices (such as containers) and a system for creating and manipulating encryption keys without risking the security of the key.
- the present disclosure addresses all of the needs described directly herein, as well as described earlier above.
- the present disclosure describes one or more securitized container management devices, comprising at least one control plane, at least one trust plane, and at least one container, wherein at least a single path transfers signals controlled by a controller that exists within a control plane to the trust plane and/or the container, wherein the signals further travel through said control plane to the trust plane and/or the containers and wherein the signals are securitized and/or encrypted either before, or as the signals enter the at least one container.
- At least one container is connected to the control plane such that the signals enter the container subsequent to an entrance to the control plane, wherein the control plane accesses one or more containers and wherein a set of instructions is added to the containers via one or more application logic repositories and from one or more container prototype repositories, and; wherein the at least one container is connected to the trust plane such that the signals enter the container subsequent to entering said trust plane.
- the signals are sent directly from the control plane to at least one container and wherein signals from the control plane are control plane signals.
- the signals can also be sent directly from the trust plane to at least one container and wherein signals from the trust plane are trust plane signals.
- the container devices have control plane signals that flow through the trust plane or other mechanism that provides trust prior to entrance into the containers.
- the signals are communications signals.
- the communications signals either contain or themselves are data transmissions.
- the signals can be securitized while the containers are created, and wherein securitized signals are a mechanism of trust.
- the signals can be securitized for containers that already exist.
- the signals can be encrypted for containers that either are created or already exist and wherein encrypted signals are a mechanism of trust.
- the signals are securitized and encrypted for containers that either are created or already exist and wherein securitized and encrypted signals are a mechanism of trust.
- the signals travel through one or more tunnels from said control plane to said trust plane and wherein said signals travel through one or more tunnels from said either said control plane or said trust plane or both planes into and out of said containers.
- the tunnels themselves may be securitized and carry securitized transmissions.
- the tunnels themselves may be encrypted and carry encrypted transmissions.
- the tunnels can be both securitized and encrypted and carry both securitized and encrypted transmissions.
- the transmissions can be data, voice, and/or optical transmissions and wherein the signals are comprised of electrical, optical, mechanical, electromagnetic, and/or radiative energy from an energy source capable of providing such signals.
- the tunnels are channels through which signals travel.
- the devices include a statistics processor wherein statistics exist for setup and operational parameters, system resource use, communications connections, volume of data, run time and external communications monitoring.
- the devices also include statistics also provide for statistical correlation and autocorrelation to create warnings and alarms for containers that do not maintain statistical norms in comparison with containers that are within statistical norms.
- the trust plane provides both inter-container and external container connections for signals traveling into and out of the trust plane.
- the control plane provides both inter-container and external container connections for signals traveling into and out of the control plane.
- the signals into, out of, or within the control plane provides an ability to create, initiate, modify, destroy and remove the containers, such that the containers are temporary and obsolete subsequent to deployment.
- Signals from the control plane are authenticated, verified and/or encrypted by the controller wherein the controller exists either within or external to the control plane.
- signals from the trust plane are authenticated, verified and/or encrypted by a controller that exists either within or external to the trust plane.
- the containers can all be embedded with secure communications.
- the container devices operate in a frictionless manner in that scripted control and operation occurs without interruption and wherein originated signals remain intact during operation.
- the signals can carry preprogrammed source code that enables and manages operation of the containers.
- the container devices are virtual devices.
- a method for using one or more securitized container management devices wherein the devices are comprising at least one control plane, at least one trust plane, and at least one container, wherein at least a single path is transferring signals controlled by a controller that is existing within a control plane to the trust plane and/or the container, and wherein the signals continue traveling through the control plane to the trust plane and/or the containers and wherein the signals are securitized and/or encrypted either before, or as the signals are entering at least one container.
- This disclosure also provides for a method which serves to manage one or more securitized container devices and systems comprising; initializing a container image that is validated and downloaded onto or into at least once container, wherein a validated program is loaded onto the container that requires reserve computer resources including one or more input/output interface(s), a memory, and network capabilities such that encryption of container-related data at rest or data in transit is implemented by utilizing dynamically changing keys created for each input/output tunnel and/or for each container utilizing the tunnel that are providing transmissions path(s) for loading containers with software applications protected by said encryption.
- the keys are loaded into or onto container security portions of the container thereby leading to establishment of initial communications tunnels and allowing for validation that security has been implemented.
- Figure 1 is a three-dimensional schematic diagram illustrating and representing an exemplary device and associated system that provides the“ICEMicro” securitization and encryption device and associated system for software containers.
- Figure 2 is a schematic diagram illustrating and representing securitization and encryption of communications using“ICEMicro” between two software containers.
- Figure 3 is a two dimensional detailed schematic overview and flow path associated with the exemplary device and associated“ICEMicro” system shown in Figure 1.
- Figure 4 is a flowchart that indicates the methodology for implementing the“ICEMicro” system for securitizing software containers. Detailed Description
- container software developers are utilizing hybrids that may or may not provide the security they think they are applying to newly developed software using software containers.
- Level 4 refers to layers that are in a communications stack which from bottom to top is as follows:
- Communication Layer (2) Software running over Layer 1 - such as token ring or ethemet
- Communication Layer (3) Wireless area networks - if wireless connecting from one computer or other hardware device to another IP address - such as the internet - IP address to IP address communications.
- Communication Layer (4) As communications go through the stack from top to bottom, where the manner of transport is irrelevant this last layer becomes the security layer, which presently is where IP SEC resides and is executed.
- This“Layer 4” is known as the transport layer security level or TLS - where security is occurring at the transport layer.
- TLS transport layer security level
- the communications“traffic” is routing from or to communications ports.
- layer 4 is attached to the application itself and provides logical connections between applications. This, understandably is why TLS security is critical.
- the present disclosure describes devices and systems that places the TLS security into the structure of the container itself. In this manner, a developer can provide any application immediate security within the container using the“ICEMicro security devices and systems”. The system allows the developer to inform the container(s) what connections are allowed between transport layer(s) and where the“ICEMicro” securitization and/or encryption should be placed.
- This technique creates and provides a“tunnel” that now exists from one container to a different container and utilizes its own dynamic key and with its own tunnel.
- the ICE system may provide multiple tunnels as there are 16bits of tunnels which equates to 65,535 ports, all of which can possess their own keys.
- the keys are dynamically changed by the“ICE” Library.
- each tunnel can go to any other location
- ICEMicro (including other containers), all capable of running individual independent sets of security on their data transmissions. Developers will gain significant speed and efficiency using the “ICE” system, as securing communications between two containers is accomplished as quickly as applications can be created. ICEMicro does not require additional development overhead or network security expertise.
- the devices and system of the present disclosure utilize running dynamic ephemeral (temporary) keys as another layer of protection provided by the encryption tools (also described herewithin).
- the present disclosure describes an“ICEMicro” version of a TLS protocol, which can be run on/or embedded in containers (or hybrid systems).
- the present disclosure supports container compatible Hypervisors. Hypervisors are layers of software located between the actual computer systems and the operating systems - which enables virtual operating systems to operate on the same computing platforms developers utilize during software development.
- ICEMicro devices and system of the present disclosure provides security bridges so containers directly with built-in security DASA encryption. These are security bridges for communications between containers.
- the system also provides for
- Dynamic Encryption Technology eliminates vulnerabilities caused by exposure of any single encryption key by continuously changing encryption keys and keeping the keys synchronized in a fault-tolerant manner.
- Perpetual Authentication Technology uses multiple virtual channels or tunnels for encryption so that in the event one channel or tunnel is compromised, the other tunnels maintain encryption
- the managed securitized container device and system (100) is a shown as a three-dimensional schematic which initially includes a control plane (110), a container repository (120) and an application repository (130) with two (normally software) container prototypes (122,124) within the repository (120), and with two different types of applications logic (132,134), and a connector (125) which connects the containers (122, 124) to the control plane (110) as well as a connector which connects the application repository (130) to the control plane (110).
- a control plane logic canister initiator and monitor 140
- the control plane logic remover and destroyer canister 150
- signals travel (142) from the control plane logic canister initiator and monitor toward the trust plane (160) via a connector path (175) from the control plane (110) to a shorter container (170) with application logic (132) which is either embedded in or sits atop the trust plane (160).
- the trust plane (160) provides both securitization and encryption as required by the system (100).
- signals travel (144) from the control plane logic canister initiator and monitor (140) via a connector (185) which also provides a signal path (or tunnel) toward the trust plane (160) via a connector (185) from the control plane (110) to a longer (higher) container with application logic (180) which is either embedded in or sits atop the trust plane (160).
- the signals may travel from connector (146) connecting the application repository (130) directly to the control plane (110) bypassing the canisters (140,150) and eventually via a pathway (142) toward the connector path (175) which enters the either the container (170) or a portion of the trust plane (160).
- the trust plane (160) provides both securitization and encryption as required by the system (100).
- a signal path (146) that connects the control plane logic canister initiator and monitor (140) via pathway (135) and an application repository (130) with two (normally software) container prototypes (122,124) to ensure securitized communication(s) along this and all signal paths.
- a signal path (148) connects control plane logic canister initiator and monitor (140) to a connector (125) which connects the containers (122, 124) to the control plane (110) as well as a connector which connects the container repository (120) to the control plane (110) for complete logic control that includes creating canisters and containers or bypassing canisters and directly creating containers.
- a shorter container (170) with application logic (132) is created and exists on or is embedded in the trust plane (160).
- the signal path (172) provides for flow and connection between the shorter container (170) and the longer (higher) container (180) which contains application logic (134).
- a connector path (185) also exists and allows for signals to pass from the control plane (110) and longer canister (140) via an initial signal pathway (144).
- the signal path (182) either leads signals toward or receives signals from an unsecured environment via a connection (162) and/or connection path that connects the trust plane (160) and/or containers (170,180,190) with either a cloud environment (164), where unsecured data may reside and eventually via a connector path (166) to a computer (167).
- control plane (110) Also existing on or in the control plane (110) is a control plane logic canister remover and destroyer (150).
- a signal path (152) is used to connect the canister remover and destroyer (150) to a virtual container (190) via a signal path (195) that is also located at (in or on) the trust plane (160).
- This entire portion of the schematic representation (150,152, 190, and 195) will disappear at the end of life once the container has been utilized.
- FIG 2 is a schematic representation of the physical implementation regarding how two (or more) containers can communicate in a secure and optionally encrypted manner (200) residing on a trust plane (160).
- the first container which was represented as the shorter of the two containers (170) in Figure 1, resides on a trust plane (160- shown in Figure 1 only) as also shown in Figure 1 that both sends and receives signals through a transceiver (220).
- the second container represented as the taller of the two containers (180) both sends and receives signals through another transceiver (240). Both transceivers are either actually or virtually connected to each of the containers.
- a cloud computing environment (230) may exists between the two containers (170,180) which will be able to access the cloud (230) as needed via signal transmission (data transmission) via the two transceivers
- Figure 3 is a more detailed two-dimensional version of the managed securitized container device and system (100) schematic shown in Figure 1 representing most possible signal flow paths for the system.
- an applications repository (130) and a container repository (120).
- the full container (170) is shown with a dashed line representing the fabric that comprises the container with the application logic (132) as described above.
- dashed lines exist to indicate the entire“fabric” of the
- ICEMicro securitization employment as shown with (310,312,314) for the control plane (110) and the two containers (170, 180).
- an operating system (352) and an I/O interface (362) to ensure communications with a second container (180) having its own application logic (134), operating system (354), I/O interface (364) so that they can communicate with each other and the cloud (164) and computer (167).
- a virtual hardware interface (330) sitting on the actual hardware (bare metal), 340.
- the system is controlled by a controller residing in or on the control plane (110).
- a statistics communication processor that allows a software developer the ability to monitor and analyze the system continuously through both the control plane fabric (310) and the statistics communication processor plane (316) and fabric, which collectively is the statistics communications processor (320).
- the statistics communication processor (320) is connected to the statistics plane (316) via (322) which is the connector from the communications processor (320) to the trust plane (160), which is shown in Figure 1. All connector lines for Figure 3 are the same as those described in Figure 1. Here, however, in Figure 3, it is necessary to employ the virtual hardware interface (330) and accompanying hardware (340) using a virtual hardware interface that is the hardware visor, and could exist as a virtual hypervisor (shown as 120,130 in Figure 3 - which corresponds with but may not be identical to that shown in Figure 1). In the case of Figure 3, the operation of the managed securitized container device and system (100) is now enhanced by the utilization of both the statistics communication processor and either a hyper or real visor device that exists between the repositories (120, 130).
- FIG 4 is a flow diagram that provides one actual methodology associated with using the managed securitized container device and system.
- the container image is validated and downloaded (410).
- a validated program is loaded (420) which often requires reserve computer resources including I/O - input output - interface(s), a memory, and network capabilities (430).
- keys are created for each I/O channel (or tunnel), (440). This provides a transmissions path for loading containers with software applications that are protected by encryption described herewithin (450). Once the keys exist, they can be loaded to the container security portions (known herein as ICEMicro), (460). This leads to establishment of initial communications channels (tunnels) and allows for validation that security has been implemented (470).
- the use of the container is possible and it can be“run” so that its function in developing the software application can be completed (480).
- the methodology and system (400) is proceeding, statistics involving all aspects of the system including all securitization and encryption can be monitored (490). This leads to understanding and being notified when the using the managed securitized container device and system has been completed (495).
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Medical Informatics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
Description
Claims
Applications Claiming Priority (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201762610827P | 2017-12-27 | 2017-12-27 | |
US16/005,040 US10154021B1 (en) | 2017-06-12 | 2018-06-11 | Securitization of temporal digital communications with authentication and validation of user and access devices |
US16/006,011 US10158613B1 (en) | 2017-06-12 | 2018-06-12 | Combined hidden dynamic random-access devices utilizing selectable keys and key locators for communicating randomized data together with sub-channels and coded encryption keys |
US16/173,091 US10601805B2 (en) | 2017-06-12 | 2018-10-29 | Securitization of temporal digital communications with authentication and validation of user and access devices |
US16/173,384 US10623384B2 (en) | 2017-06-12 | 2018-10-29 | Combined hidden dynamic random-access devices utilizing selectable keys and key locators for communicating randomized data together with sub-channels and coded encryption keys |
PCT/US2018/065752 WO2019133298A1 (en) | 2017-12-27 | 2018-12-14 | Managed securitized containers and container communications |
Publications (2)
Publication Number | Publication Date |
---|---|
EP3732820A1 true EP3732820A1 (en) | 2020-11-04 |
EP3732820A4 EP3732820A4 (en) | 2021-09-22 |
Family
ID=72643875
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP18896070.2A Pending EP3732820A4 (en) | 2017-12-27 | 2018-12-14 | Managed securitized containers and container communications |
Country Status (1)
Country | Link |
---|---|
EP (1) | EP3732820A4 (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050144401A1 (en) * | 2003-12-30 | 2005-06-30 | Pantalone Brett A. | Multiprocessor mobile terminal with shared memory arbitration |
WO2006034428A2 (en) * | 2004-09-20 | 2006-03-30 | Pgp Corporation | Apparatus and method for identity-based encryption within a conventional public-key infrastructure |
CN109416718B (en) * | 2015-12-24 | 2023-05-12 | 英特尔公司 | Trusted deployment of application containers in cloud data centers |
-
2018
- 2018-12-14 EP EP18896070.2A patent/EP3732820A4/en active Pending
Also Published As
Publication number | Publication date |
---|---|
EP3732820A4 (en) | 2021-09-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10579793B2 (en) | Managed securitized containers and container communications | |
US10650139B2 (en) | Securing temporal digital communications via authentication and validation for wireless user and access devices with securitized containers | |
EP3937424B1 (en) | Blockchain data processing methods and apparatuses based on cloud computing | |
CN111181720B (en) | Service processing method and device based on trusted execution environment | |
US10454916B2 (en) | Systems and methods for implementing security | |
AU2018299716B2 (en) | Key attestation statement generation providing device anonymity | |
EP3446435B1 (en) | Key-attestation-contingent certificate issuance | |
EP3574622B1 (en) | Addressing a trusted execution environment | |
CN110492990B (en) | Private key management method, device and system under block chain scene | |
CN110580412B (en) | Permission query configuration method and device based on chain codes | |
US11714895B2 (en) | Secure runtime systems and methods | |
CN102163266A (en) | Securely move virtual machines between host servers | |
US20040117318A1 (en) | Portable token controlling trusted environment launch | |
US20150026767A1 (en) | Systems and methods for implementing computer security | |
US10686764B2 (en) | Executable coded cipher keys | |
WO2019199813A2 (en) | Managed high integrity blockchain and blockchain communications that utilize containers | |
WO2024139273A1 (en) | Federated learning method and apparatus, readable storage medium, and electronic device | |
JP7256862B2 (en) | Secure communication method and system between protected containers | |
US20160140329A1 (en) | Enhanced security mechanism for authentication of users of a system | |
Desai et al. | SECAUCTEE: Securing auction smart contracts using trusted execution environments | |
Zhou et al. | vtpm-sm: An application scheme of SM2/SM3/SM4 algorithms based on trusted computing in cloud environment | |
WO2019133298A1 (en) | Managed securitized containers and container communications | |
Hao et al. | Trusted block as a service: Towards sensitive applications on the cloud | |
WO2019133326A1 (en) | Securing temporal digital communications | |
EP3732820A1 (en) | Managed securitized containers and container communications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20200124 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: IRONCLAD ENCRYPTION CORPORATION |
|
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: LERNER, DANIEL MAURICE |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R079 Free format text: PREVIOUS MAIN CLASS: H04L0009080000 Ipc: G06F0021530000 |
|
A4 | Supplementary search report drawn up and despatched |
Effective date: 20210825 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 9/14 20060101ALI20210819BHEP Ipc: H04L 9/08 20060101ALI20210819BHEP Ipc: H04L 29/06 20060101ALI20210819BHEP Ipc: G06F 21/62 20130101ALI20210819BHEP Ipc: G06F 21/60 20130101ALI20210819BHEP Ipc: G06F 21/53 20130101AFI20210819BHEP |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |