In recent years, information security has become increasingly important for businesses and individual consumers. It has long been recognized that data stored on computers, servers and other electronic devices must be protected (e.g., by passwords and other means of access control). However, there has been less interest in the development and adoption of security techniques to protect data in transit. Modern techniques for protecting data in transit between servers and other endpoints using encryption are available, but generally rely on third-party certificate centers (e.g., the HTTPS protocol) in order to validate endpoint certificates and to provide notice to other endpoints during the communication process. However, there are many disadvantages associated with these systems.
For example, in the case of HTTPS, a user must trust that the browser software correctly implements HTTPS with correctly pre-installed certificate authorities, that the certificate authority vouches only for legitimate websites, and that the website provides a valid certificate, meaning one signed by a trusted authority. Moreover, the user must trust that the protocol's encryption layer (SSL/TLS) is sufficiently secure against eavesdroppers. Each of these requirements is a potential point of failure which can result in a complete loss of data security.
Systems which follow this paradigm are relatively easy to implement and provide a reasonable degree of confidence for users. However, systems of this sort suffer from several disadvantages such as the need for additional overhead associated with maintaining a system of certificates for each node in a given network. In addition, there is always the concern that the certificate system will be compromised or that the certificate authority will willingly subvert the system. For example, the certificate authority may be compelled to allow a government agency to eavesdrop on communications due to a court order. Ultimately, systems built on this model can never be fully secured in the sense that there is always some degree of reliance on a third party.
Communication between servers and other devices can also be secured to some extent using encryption protocols that do not rely upon a third-party intermediary, such as methods based on symmetric-key algorithms or methods which implement authentication gateways. However, there are logistical issues associated with developing and implementing systems of this type, such as risks associated with shared keys and the interception of data that can be used to discern encryption keys or capture. Authentication gateways suffer from many of the defects associated with third-party certificate authorities in the sense that they may be compromised or disabled (e.g., by a DDoS attack).
The need for secure communication between servers is also particularly important in view of the increasing reliance on virtualized computer systems, especially at the enterprise level. The virtual machines (“VMs”) of numerous customers may be hosted in the same data center, sharing the same physical machine resources. One of the challenges in VM deployments is to establish customer trust that data stored on and transmitted to, from, or between multiple VMs that belong to the customer are protected from eavesdropping and that the VMs are not accidentally opened up to other users or other customers. Secure transmission of data between virtual machines is therefore a significant issue, which will likely become increasingly important going forward based on current trends that project increased adoption of virtualization by consumers and enterprise users alike.
In view of these shortcomings, there exists a need for additional means of establishing secure communication channels between computers and other electronic devices, regardless of whether such endpoints are physical or virtual in nature.