Method and apparatus for sending secure datagram multicasts
Abstract
A method and apparatus for generating additional implicit keys from a key [Kij]N without the necessity of generating a new Diffie-Hellman (DH) certificate or requiring communication between nodes to change implicit master keys is disclosed. A first data processing device (node I) is coupled to a private network which is in turn coupled to the Internet. A second data processing device (node J) is coupled to the same, or to a different, network which is also coupled to the Internet, such that node I communicates with node J using the Internet protocol. Node I is provided with a secret value i and a public value. Data packets (referred to as "datagrams") are encrypted to enhance network security. Each node maintains an internal value of N which is incremented based on time and upon the receipt of a data packet from another node. The key [Kij]Ni is derived from the appropriate quantity ∝Nij by using the high-order key-sized bits of that quantity. The present invention then utilizes the key [Kij]Ni to encrypt a transient key, referred to as Kp. Node I encrypts the IP data in Kp and encrypts Kp in [Kij]Ni. Node I transmits the encrypted IP datagram packet together with the encrypted key Kp to the receiving node J, and further includes its current internal value Ni in the outgoing packet. The present invention also provides for the application of one-way functions to the shared secret to enhance security: either node I or node J may change the context so that, if [Kij]Ni is compromised in the future, it is not usable by a cracker to decrypt previously encrypted packets. The present invention discloses methods and apparatus for achieving perfect forward secrecy for closed user groups, and for the application of the SKIP methodology to datagram multicast protocols.
10 Claims
1. An improved method for a first data processing device (node I) to send data to a second data processing device (node J) in a multicast user group having an address M, comprising:
- obtaining a group interchange key for node I from a group owner;
- independently of node J, randomly generating a transient key;
- utilizing said group interchange key to encrypt the randomly generated transient key;
- encrypting a data packet to be transmitted to said multicast address using said transient key; and
- sending said data packet encrypted using said transient key to said multicast address.
Dependent claims: 3, 4, 5.

2. A method for a first data processing device (node J) to receive data from a second data processing device (node I) in a multicast user group having an address M, wherein a data packet is sent by node I to node J, the data packet being encrypted with a transient key and the transient key being encrypted utilizing a group interchange key obtained from a group owner, comprising:
- receiving said data packet from node I; and
- obtaining said group interchange key from said group owner;
- independently of node I, utilizing said group interchange key to decrypt the transient key, and decrypting said received data packet using said transient key, whereby node J decrypts data received and previously encrypted by node I.

6. An apparatus for encrypting data for transmission from a first data processing device (node I) to at least one second data processing device (node J) in a multicast group having an address M, comprising:
- a storage device for storing a group interchange key obtained from a group owner;
- an encrypting device arranged to encrypt a data packet to be transmitted to node J, said encrypting device randomly and independently of node J generating a transient key and encrypting the randomly generated transient key using the group interchange key, and encrypting said data packet using said transient key; and
- an interface circuit arranged to transmit said encrypted data packet to said node J at said multicast address.
Dependent claims: 8, 9, 10.

7. An apparatus for decrypting data transmitted from a first data processing device (node I) to at least a second data processing device (node J) in a multicast group having an address M, wherein a data packet is sent by node I to node J, the data packet being encrypted with a transient key and the transient key being encrypted utilizing a group interchange key obtained from a group owner, comprising:
- a receiver for receiving said encrypted data packet from node I; and
- a decrypting device coupled to said receiver for decrypting said data packet from node I, wherein the decrypting device utilizes the group interchange key to decrypt the transient key independently of node I and decrypts the received data packet using the transient key.
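The following Python sketch is an added worked example of the sending and receiving steps in claims 1 and 2, not code from the patent. The patent names no cipher, so the authenticated cipher (an HMAC-SHA256 keystream with an HMAC tag), the packet layout and the GroupOwner, send_multicast and receive_multicast names are all assumptions made here for illustration.

```python
import hashlib
import hmac
import os
import struct

# Stand-in authenticated cipher (assumption: the patent specifies no cipher).
# keystream = HMAC-SHA256(key, nonce || counter); tag = HMAC-SHA256(key, nonce || ct)
def _keystream(key, nonce, length):
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return bytes(out[:length])

def _seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered packet")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class GroupOwner:
    """Holds the group interchange key for multicast address M and hands it to members only."""
    def __init__(self, multicast_addr, members):
        self.addr = multicast_addr
        self.members = set(members)
        self._gik = os.urandom(32)

    def interchange_key_for(self, node):
        if node not in self.members:
            raise PermissionError(f"{node} is not a member of group {self.addr}")
        return self._gik

def send_multicast(gik, multicast_addr, payload):
    """Node I: pick transient key Kp independently of any receiver, wrap Kp under the
    group interchange key, encrypt the datagram under Kp, and address it to M."""
    kp = os.urandom(32)
    return {"dst": multicast_addr, "ekp": _seal(gik, kp), "body": _seal(kp, payload)}

def receive_multicast(gik, packet):
    """Node J: unwrap Kp with the group interchange key, then decrypt the datagram."""
    kp = _open(gik, packet["ekp"])
    return _open(kp, packet["body"])

if __name__ == "__main__":
    owner = GroupOwner("239.1.2.3", {"I", "J"})  # constructed sample group
    pkt = send_multicast(owner.interchange_key_for("I"), owner.addr, b"datagram to group M")
    print(receive_multicast(owner.interchange_key_for("J"), pkt))
```

Because every datagram carries its own freshly wrapped Kp, a receiver needs only the group interchange key and no per-sender state, which is what lets the sender choose Kp without coordinating with node J.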
Specification