SYSTEMS AND METHODS FOR PROVIDING SECURE MULTICAST INTRA-CLUSTER COMMUNICATION

US 20130054966A1
Filed: 08/25/2011
Published: 02/28/2013
Est. Priority Date: 08/25/2011
Status: Active Grant

First Claim

Patent Images

1. A method for providing secure multicast communication capabilities to a plurality of nodes of a cluster, the method comprising:

performing a mutual authentication session between a node joining the cluster and any single node validly part of the cluster; and

if the mutual authentication is successful, communicating a cluster secret to the node joining the cluster using a secure communication channel unique to the mutual authentication session, wherein the cluster secret renders the node joining the cluster a cluster node and enables the cluster node to securely communicate with every other node which is validly part of the cluster.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods which facilitate secure multicast communications between any valid node of a cluster using authentication between a node joining the cluster and any single node which is validly part of the cluster are disclosed. In accordance with embodiments, a cluster key is utilized to provide security with respect to intra-cluster communications. The cluster key of embodiments is shared by a node which is already part of the cluster with a node joining the cluster only after these two nodes mutually authenticate one another. The mutual authentication handshake of embodiments implements a protocol in which a session key is calculated by both nodes, thereby providing a secure means by which a cluster key may be shared. Having the cluster key, each node of the cluster is enabled to securely communicate with any other node of the cluster, whether individually (e.g., unicast) or collectively (e.g., multicast), according to embodiments.

Citations

23 Claims

1. A method for providing secure multicast communication capabilities to a plurality of nodes of a cluster, the method comprising:
- performing a mutual authentication session between a node joining the cluster and any single node validly part of the cluster; and
  
  if the mutual authentication is successful, communicating a cluster secret to the node joining the cluster using a secure communication channel unique to the mutual authentication session, wherein the cluster secret renders the node joining the cluster a cluster node and enables the cluster node to securely communicate with every other node which is validly part of the cluster.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the node joining the cluster is rendered a cluster node after performing the mutual authentication session only with the single node validly part of the cluster.
  - 3. The method of claim 1, wherein the single node validly part of the cluster is a peer node of the node joining the cluster.
  - 4. The method of claim 1, wherein the performing a mutual authentication session comprises:
    - calculating a session key separately by the node joining the cluster and the single node, wherein the session key is unique to the mutual authentication session.
  - 5. The method of claim 4, wherein the communicating a cluster secret comprises:
    - communicating a cluster key between the node joining the cluster and the single node using the session key.
  - 6. The method of claim 1, wherein the performing a mutual authentication session comprises:
    - calculating, separately for the mutual authentication session, a verifier using cluster credentials possessed by the node joining the cluster and all nodes validly part of the cluster including the node of the cluster performing the mutual authentication session.
  - 7. The method of claim 6, wherein the calculating a verifier using cluster credentials further uses information uniquely identifying the node joining the cluster.
  - 8. The method of claim 6, wherein the cluster credentials comprise a cluster password injected separately into each of the node joining the cluster and the node of the cluster performing the mutual authentication session.
  - 9. The method of claim 1, wherein the performing a mutual authentication session comprises:
    - determining that the node joining the cluster is included in a roster of nodes allowed in the cluster.
  - 10. The method of claim 1, wherein the cluster secret comprises a symmetrical cryptographic key.
  - 11. The method of claim 1, further comprising:
    - regenerating the cluster secret; and
      
      requiring all the nodes validly part of the cluster to again perform a mutual authentication session between each such node and another node of the cluster to obtain the regenerated cluster secret.
  - 12. The method of claim 11, wherein the regenerating the cluster secret is performed periodically.
  - 13. The method of claim 11, wherein the regenerating the cluster secret is performed upon a node resigning from the cluster.

14. A method comprising:
- performing a mutual authentication handshake between a first node of a cluster and a second node of the cluster;
  
  communicating a cluster key between the first node and the second node using a secure communication channel established by the mutual authentication handshake between the first node and the second node;
  
  performing a mutual authentication handshake between a third node of the cluster and one of the first node and second node;
  
  communicating the cluster key between the third node and the one of the first node and second node using a secure communication channel established by the mutual authentication handshake between the third node and the one of the first node and the second node; and
  
  performing secure cluster communications between the first node, the second node, and the third node using the cluster key.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, wherein performing the mutual authentication handshake between the first node and the second node comprises calculating a first session key separately by the first node and the second node, wherein the secure communication channel established by the mutual authentication handshake between the first node and the second node is secured using the first session key, and wherein performing the mutual authentication handshake between the third node and the one of the first node and the second node comprises calculating a second session key separately by the third node and the one of the first node and the second node, wherein the secure communication channel established by the mutual authentication handshake between the third node and the one of the first node and the second node is secured using the second session key.
  - 16. The method of claim 14, wherein the secure cluster communications comprise unicast communications and multicast communications.
  - 17. The method of claim 14, wherein the performing a mutual authentication session between the first node and the second node comprises:
    - calculating a first verifier using a cluster password possessed by the first node and the second node, wherein the cluster password is injected separately into each of the first node and the second node; and
      
      wherein the performing a mutual authentication session between the third node and one of the first node and second node comprises;
      
      calculating a second verifier using the cluster password possessed by the third node and the one of the first node and second node, wherein the cluster password is injected separately into each of the third node and the one of the first node and second node.

18. A system comprising:
- a first processor-based network-connected device adapted to operate as a node of a cluster of nodes in accordance with code controlling the operation of the first processor-based network-connected device, wherein the code of the first processor-based network-connected device provides for operation of the first processor-based network-connected device as both a secure source of a secret of the cluster and a secure recipient of the secret of the cluster with respect to one or more other processor-based network-connected devices operating as nodes of the cluster, and wherein the secret of the cluster is adapted to allow secure communication between all nodes of the cluster.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The system of claim 18, wherein the secret of the cluster comprises a cryptographic cluster key.
  - 20. The system of claim 18, wherein the operation of the first processor-based network-connected device as a source of the secret of the cluster facilitates one or more other processor-based network-connected devices to join the cluster as a node through authenticating only with the first processor-based network-connected device, and wherein the operation of the first processor-based network-connected device as recipient of the secret of the cluster facilitates the first processor-based network-connected device joining the cluster through authenticating only with one other processor-based network-connected device of the one or more other processor-based network-connected devices.
  - 21. The system of claim 18, wherein the code of the first processor-based network-connected device is adapted to perform a mutual authentication session with a processor-based network-connected device of one of the other processor-based network-connected devices, wherein mutual authentication session provides a secure communication channel unique to the mutual authentication session adapted for secure communication of the cluster secret.
  - 22. The system of claim 21, wherein if the first processor-based network-connected device is joining the cluster the mutual authentication session is operable to authenticate the first processor-based network-connected device as a node validly part of the cluster and to receive the cluster secret communicated by the secure communication channel, and wherein if the first processor-based network-connected device is negotiating joining of the cluster by the processor-based network-connected device of the one or more other processor-based network-connected devices the mutual authentication session is operable to authenticate the processor-based network-connected device of the one or more other processor-based network-connected devices and to communicate the cluster secret by the secure communication channel if the processor-based network-connected device of the one or more other nodes is successfully authenticated.
  - 23. The system of claim 18, wherein the first process-based network-connected device is one of a plurality of processor-based network-connected devices adapted to operate as part of the cluster of nodes in accordance with code controlling the operations thereof, wherein the code of each processor-based network-connected device of the plurality provides for operation of the respective processor-based network-connected device as both a secure source of a secret of the cluster and a secure recipient of the secret of the cluster, and wherein each processor-based network-connected device of the plurality is adapted to join the cluster by operation of its code authenticating with a single other processor-based network-connected device of the plurality and to securely communicate with every other processor-based network-connected device of the plurality.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Clay, Philip B.

Granted Patent

US 8,719,571 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/065   for group communications cr...

H04L 63/0869   for achieving mutual authen...

H04L 63/104   Grouping of entities

H04L 9/3273   for mutual authentication n...

SYSTEMS AND METHODS FOR PROVIDING SECURE MULTICAST INTRA-CLUSTER COMMUNICATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR PROVIDING SECURE MULTICAST INTRA-CLUSTER COMMUNICATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links