Directory enabled secure multicast group communications

US 20050097317A1
Filed: 11/09/2004
Published: 05/05/2005
Est. Priority Date: 01/12/2000
Status: Active Grant

First Claim

Patent Images

1. A method for securely establishing communication in a multicast group of nodes of a network, in which the nodes of the network include publishers and subscribers, the method comprising the steps of:

registering a publisher and a subscriber with an event server; and

generating, within the event server, a group session key for establishing a multicast group, wherein the multicast group includes the publisher and the subscriber, and the group session key is encrypted in a first message that has a prescribed format.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach for establishing secure communication among multiple multicast groups using a multi-master directory is disclosed. The multi-master directory is on a per object and per attribute access controls basis. The event service nodes, which can implemented as event servers, are distributed throughout an enterprise domain. The attributes of the event service nodes include the group session key and the private keys of the event service nodes. A standardized authentication service is used to register publishers and subscribers. These publishers and subscribers can individually belong to multiple multicast groups under a readily scalable, secure network architecture.

Citations

23 Claims

1. A method for securely establishing communication in a multicast group of nodes of a network, in which the nodes of the network include publishers and subscribers, the method comprising the steps of:
- registering a publisher and a subscriber with an event server; and
  
  generating, within the event server, a group session key for establishing a multicast group, wherein the multicast group includes the publisher and the subscriber, and the group session key is encrypted in a first message that has a prescribed format.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as recited in claim 1, further comprising the step of representing a multicasted message from the publisher to the subscriber as an event managed by the event server.
  - 3. The method as recited in claim 1, wherein:
    - the group session key is encrypted in the first message by using public keys of the publisher and the subscriber; and
      
      the method further comprises the step of decrypting the first message at each of the publisher and the subscriber by using its unique private key.
  - 4. The method as recited in claim 1, further comprising the steps of:
    - receiving a second message from the subscriber in response to the subscriber determining whether the first message corresponds to a correct key version;
      
      updating the group session key at the event server; and
      
      selectively reregistering the subscriber at the event server.
  - 5. The method as recited in claim 4, wherein:
    - a multi-master directory co-located with the event server stores objects representing events, publishers, and subscribers; and
      
      the step of updating the group session key comprises;
      
      creating a new group session key;
      
      modifying an object in the multi-master directory based upon the new group session key by using a change password protocol;
      
      sending a new message that contains the new group session key to the subscriber; and
      
      notifying the subscriber to reregister.
  - 6. The method as recited in claim 1, wherein the prescribed format of the first message conforms to Lightweight Directory Access Protocol (LDAP).
  - 7. The method as recited in claim 1, wherein a directory service, co-located with the event server, manages a multi-master directory of objects representing events, publishers, and subscribers, wherein access controls are associated with each object and with each attribute of an object.
  - 8. The method as recited in claim 7, further comprising the step of authenticating events, publishers, and subscribers by the directory service based on the access controls associated with objects stored in the multi-master directory.
  - 9. The method as recited in claim 7, further comprising the step of authenticating events, publishers, and subscribers, by the directory service, based on the access controls and by controlling access in conjunction with utilizing an external authentication service.
  - 10. The method recited in claim 9, wherein the step of authenticating includes authenticating publishers and subscribers that have no corresponding objects in the multi-master directory.
  - 11. The method as recited in claim 7, further comprising:
    - determining, based on objects stored in the multi-master directory, whether the publisher is authorized to produce a particular event; and
      
      determining, based on objects stored in the multi-master directory, whether the subscriber is authorized the receive the particular event.
  - 12. The method as recited in claim 1, wherein the step of registering comprises performing an access control check of the subscriber by the event server.

13. A communication system for creating a plurality of secure multicast groups in a network that includes a plurality of principals configured for functioning as subscribers and publishers, the communication system comprising:
- an event server communicatively coupled to the plurality of principals for registering the plurality of principals;
  
  means in the event server for creating a group session key for establishing one of the multicast groups; and
  
  means in the event server for distributing the group session key to a set of publishers and subscribers of the plurality of principals in an encrypted message that has a prescribed format.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The communication system as recited in claim 13, further comprising a directory server that is co-located with the event server, wherein the directory server and the event server participate in a common one of the multicast groups.
  - 15. The communication system as recited in claim 14, further comprising:
    - a multi-master directory managed by the directory server, wherein the multi-master directory includes objects having attributes and representing a plurality of events and the plurality of principals; and
      
      means in the directory server for controlling access on a per object and per attribute basis.
  - 16. The communication system as recited in claim 15, wherein the directory server authenticates the plurality of principals by controlling access based on objects in the multi-master directory and, in conjunction, by utilizing an external authentication service that allows extending membership of the multicast groups to subscribers not represented by objects in the multi-master directory.
  - 17. The communication system as recited in claim 16, wherein the external authentication service is supplied by a Kerberos server.
  - 18. The communication system as recited in claim 13, wherein the event server performs access control check of the principals during registration of the plurality of principals.

19. A computer system functioning as an event server and for establishing multiple secure multicast groups, the computer system comprising:
- a communication interface for communicating with a plurality of nodes;
  
  a bus coupled to the communication interface for transferring data;
  
  one or more processors coupled to the bus for establishing a multicast group by selectively generating a group session key in an encrypted message that has a prescribed format; and
  
  a memory coupled to the one or more processors via the bus, the memory including one or more sequences of instructions which when executed by the one or more processors cause the one or more processors to perform the step of registering the plurality of nodes with the event server.
- View Dependent Claims (20, 21, 22)
- - 20. The computer system as recited in claim 19, further comprising a multi-master directory that includes objects representing the plurality of nodes, wherein the directory authenticates the plurality of nodes in conjunction with a Kerberos authentication service.
  - 21. The computer system as recited in claim 19, wherein the memory includes one or more instructions which when executed by the one or more processors cause the one or more processors to perform the step of generating private keys corresponding to the plurality of nodes.
  - 22. The computer system as recited in claim 19, wherein the computer system performs access control check of the nodes during the step of registering the plurality of nodes with the event server.

23. A computer-readable medium carrying one or more sequences of instructions for securely establishing communication in a multicast group of nodes of a network, in which the nodes of the network include publishers and subscribers, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- registering a publisher and a subscriber with an event server; and
  
  generating, within the event server, a group session key for establishing a multicast group, wherein the multicast group includes the publisher and the subscriber, and the group session key is encrypted in a first message that has a prescribed format.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Jonathan Trostle, Ramprasad Golla, Raymond Bell, Sunil Srivastava
Original Assignee
Jonathan Trostle, Ramprasad Golla, Raymond Bell, Sunil Srivastava
Inventors
Trostle, Jonathan, Bell, Raymond, Golla, Ramprasad, Srivastava, Sunil

Granted Patent

US 7,502,927 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/163
CPC Class Codes

H04L 63/065   for group communications cr...

H04L 63/068   using time-dependent keys, ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/0833   involving conference or gro...

H04L 9/0891   Revocation or update of sec...

Directory enabled secure multicast group communications

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Directory enabled secure multicast group communications

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links