System and method for secure group communications

US 20040044891A1
Filed: 09/04/2002
Published: 03/04/2004
Est. Priority Date: 09/04/2002
Status: Active Grant

First Claim

Patent Images

1. A system for secure group communications, the system comprising:

a communication network;

a policy server coupled to the communication network, the policy server having a secure interface, and a security policy; and

a plurality of group nodes operatively coupled to the secure interface of the policy server through the communication network, wherein the group nodes include a copy of the security policy, wherein the group nodes include a common set of encryption keys, and wherein one group node is configured to use the security policy and the encryption keys to securely communicate with another group node.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for secure group communications is provided. One embodiment provides a method for implementing a virtual private group network. The method includes creating a virtual private group definition on a policy server, establishing a plurality of secure connections between the policy server and a plurality of group nodes, sending a copy of the virtual private group definition from the policy server to the group nodes, sending a shared traffic encryption key from the policy server to each of the group nodes, and sharing secure communication information among the group nodes using the shared traffic encryption key, wherein each group node is included in the virtual private group definition.

194 Citations

40 Claims

1. A system for secure group communications, the system comprising:
- a communication network;
  
  a policy server coupled to the communication network, the policy server having a secure interface, and a security policy; and
  
  a plurality of group nodes operatively coupled to the secure interface of the policy server through the communication network, wherein the group nodes include a copy of the security policy, wherein the group nodes include a common set of encryption keys, and wherein one group node is configured to use the security policy and the encryption keys to securely communicate with another group node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein one group node includes a host computer, the host computer having a processor, a memory, and a computer-readable medium.
  - 3. The system of claim 2, wherein the one group node further includes a network interface device coupled to the host computer, the network interface device having a memory, a processor, and a computer-readable medium.
  - 4. The system of claim 3, wherein the memory of the network interface device includes both volatile and non-volatile memory.
  - 5. The system of claim 3, wherein the network interface device detects unauthorized packets sent to the group node using a packet filter.
  - 6. The system of claim 3, wherein the one group node further includes an additional host computer coupled to the network interface device, the additional host computer having a processor, a memory, and a computer-readable medium.
  - 7. The system of claim 1, wherein the common set of encryption keys includes public encryption keys that are used for asymmetric encryption.
  - 8. The system of claim 1, wherein one group node uses the security policy and the encryption keys to securely communicate with a plurality of other group nodes.

9. A virtual private group communication system, comprising:
- a communication network;
  
  a policy server coupled to the communication network, the policy server having a plurality of key distribution keys; and
  
  a virtual private group having a plurality of virtual private group nodes that are operatively coupled to the policy server through the communication network, wherein each virtual private group node has a key distribution key and a shared traffic encryption key, and wherein the virtual private group nodes are adapted to send secure data to the other virtual private group nodes by using the shared traffic encryption keys.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The virtual private group communication system of claim 9, wherein each virtual private group node receives its key distribution key and its shared traffic encryption key from the policy server.
  - 11. The virtual private group communication system of claim 9, wherein the policy server further includes a security policy having rules for group node membership, and wherein the policy server transmits a copy of the security policy to each of the virtual private group nodes.
  - 12. The virtual private group communication system of claim 9, wherein each virtual private group node further includes a shared group membership key that is transmitted from the policy server.
  - 13. The virtual private group communication system of claim 12, wherein one of the virtual private group nodes includes a host computer coupled to the communication network through a network interface device.
  - 14. The virtual private group communication system of claim 13, wherein the network interface device includes non-volatile memory, and wherein the key distribution key, the shared traffic encryption key, and the shared group membership key of the virtual private group node are stored in the non-volatile memory of the network interface device.
  - 15. The virtual private group communication system of claim 13, wherein the network interface device includes a cryptographic engine.
  - 16. The virtual private group communication system of claim 12, wherein one of the virtual private group nodes includes a host computer coupled to the communication network, and wherein the host computer includes a group management component, a key storage component, and an encryption/decryption component.

17. A system for secure communications, the system comprising:
- a network;
  
  a policy server system coupled to the network, the policy server system having a security policy database and a filter rule database; and
  
  a group of nodes each coupled to the network, wherein the policy server system is configured to use the security policy database and the filter rule database to create security policy rules, wherein the policy server system is configured to transmit the security policy rules to the nodes of the group, wherein the nodes of the group are configured to use a common set of encryption keys, and wherein the nodes of the group are configured to communicate securely with one another by using the security policy rules and the common set of encryption keys to encrypt or decrypt data that is transmitted across the network.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system of claim 17, wherein the nodes of the group each have a packet filter to detect unauthorized packets in the data as a function of the security policy rules.
  - 19. The system of claim 17, wherein the policy server system creates unique security policy rules for each node in the group, and wherein the unique security policy rules contain one or more entries for members of the group.
  - 20. The system of claim 17, wherein the system further includes a second group of nodes each coupled to the network, wherein the policy server system transmits the security policy rules to the nodes of the second group, wherein the nodes of the second group use a second common set of encryption keys, and wherein the nodes of the second group communicate securely with one another by using the security policy rules and the second common set of encryption keys to encrypt and decrypt data that is transmitted across the network.
  - 21. The system of claim 17, wherein the system further includes:
    - a second policy server system coupled to the network, the second policy server system having a security policy database and a filter rule database; and
      
      a third group of nodes each coupled to the network, wherein the second policy server system uses the security policy database and the filter rule database to create security policy rules, wherein the second policy server system transmits the security policy rules to the nodes of the third group, wherein the nodes of the third group use a common set of encryption keys, and wherein the nodes of the third group communicate securely with one another by using the security policy rules and the common set of encryption keys to encrypt and decrypt data that is transmitted across the network.

22. A system for secure communications between members of a virtual private group, the system comprising:
- a communications network;
  
  policy management means, coupled to the communications network, for managing the virtual private group and for managing a set of node security keys associated with the virtual private group; and
  
  group communication means, coupled to the communication network, for storing the set of node security keys and for encrypting data between members of the virtual private group by using the node security keys.

23. A method for implementing a virtual private group network, the method comprising:
- creating a virtual private group definition on a policy server;
  
  establishing a plurality of secure connections between the policy server and a plurality of group nodes;
  
  sending a copy of the virtual private group definition from the policy server to the group nodes;
  
  sending a shared traffic encryption key from the policy server to each of the group nodes; and
  
  sharing secure communication information among the group nodes using the shared traffic encryption key, wherein each group node is included in the virtual private group definition.
- View Dependent Claims (24, 25, 26)
- - 24. The method of claim 23, wherein the sending a copy of the virtual private group definition from the policy server to the group nodes includes:
    - creating a customized group definition for each group node, the customized group definitions having group member information; and
      
      sending the customized group definitions from the policy server to the respective group nodes.
  - 25. The method of claim 23, wherein the sharing of secure communication information includes detecting unauthorized communication information using a packet filter.
  - 26. The method of claim 23, wherein the sharing of secure communication information includes using a shared group membership key.

27. A method for centralized management of a virtual private group, the method comprising:
- creating a virtual private group membership list on a policy server;
  
  adding a plurality of group members to the membership list, including a first, a second, and a third group member;
  
  establishing a plurality of secure connections between the policy server and the group members;
  
  sending group member data from the policy server to each of the group members, including sending a traffic encryption key list from the policy server to each of the group members, the traffic encryption key list having a plurality of traffic encryption keys;
  
  sending secure communication information from one group member to another group member by using one of the traffic encryption keys from the traffic encryption key list; and
  
  updating the group member data.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34)
- - 28. The method of claim 27, wherein the sending of group member data includes sending a copy of the membership list from the policy server to each of the group members.
  - 29. The method of claim 27, wherein the sending of group member data includes sending a membership key from the policy server to each of the group members.
  - 30. The method of claim 27, wherein the updating of the group member data includes sending a secure message from the policy server to one group member to indicate that all group members must use a new traffic encryption key from the traffic encryption key list, and sending secure communication information from the one group member to another group member by using the new traffic encryption key.
  - 31. The method of claim 27, wherein the updating of the group member data includes changing the plurality of group members in the membership list on the policy server, sending an updated copy of the membership list from the policy server to each of the group members, sending a new membership key from the policy server to each of the group members, and sending a new traffic encryption key list from the policy server to each of the group members.
  - 32. The method of claim 31, wherein the changing of the plurality of group members in the membership list includes adding a new group member to the membership list.
  - 33. The method of claim 31, wherein the changing of the plurality of group members in the membership list includes removing one of the group members from the membership list.
  - 34. The method of claim 27, wherein the updating of the group member data includes sending a secure message from the policy server to all of the group members to indicate that they must use a new traffic encryption key from the traffic encryption key list, and sending secure communication information from one group member to another group member by using the new traffic encryption key.

35. A computer-readable medium having a group security policy data structure stored thereon, the group security policy data structure comprising:
- a plurality of node entries;
  
  a plurality of priority identifiers; and
  
  a plurality of virtual private group definitions, wherein each virtual private group definition includes a plurality of the node entries, and wherein each virtual private group definition includes one of the priority identifiers.
- View Dependent Claims (36, 37, 38, 39)
- - 36. The computer-readable medium of claim 35, wherein at least one of the node entries in the group security policy data structure includes a user identification.
  - 37. The computer-readable medium of claim 35, wherein at least one of the node entries in the group security policy data structure includes a machine identification.
  - 38. The computer-readable medium of claim 35, wherein at least one of the node entries in the group security policy data structure includes one or more Internet Protocol (IP) addresses.
  - 39. The computer-readable medium of claim 38, wherein the at least one of the node entries in the group security policy data structure that includes one or more IP addresses further includes an exclusion identifier.

40. A computer-readable medium having computer-executable instructions thereon for performing a method, the method comprising:
- managing a plurality of group definitions on a policy server, each group definition including a plurality of group member entries;
  
  establishing a plurality of secure connections between the policy server and a plurality of group members;
  
  creating a plurality of customized group member policies based on the group member entries in the group definitions;
  
  securely sending a group membership key from the policy server to each of the group members;
  
  securely sending one or more traffic encryption keys from the policy server to each of the group members; and
  
  securely sending the customized group member policies from the policy server to each of the corresponding group members.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
Markham, Thomas R., Meredith, Lynn Marquette, Lowe, Geoffrey A., Hanzlik, Robert Otto

Granted Patent

US 7,594,262 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/065   for group communications cr...

H04L 63/20   for managing network securi...

System and method for secure group communications

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

194 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure group communications

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

194 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links