Method and apparatus for multicast indication of group key change
Abstract
A method and apparatus to allow a key manager node in a network to initiate the process of changing a group key for all nodes in a multicasting group. In the described embodiment, the key manager node initiates changing the group key by setting an indicator in a multicast packet. The indicator indicates that each of the nodes in the multicast group should obtain a new group key from the key manager node. The key manager node sets the indicator whenever the key manager node determines that the nodes in the group need to change their key. The nodes in the multicast group then obtain a key from the key manager node. In one embodiment of the present invention, the key manager node sends the group key to the members of the group and, once all nodes in the group have received their key, sends an indicator that the group members should start using the new keys. In another embodiment, the key manager node sends the new key to the group, along with instructions specifying when the new key is to take effect. For example, the new key can take effect at a certain time or when a certain packet number is received. In another embodiment, each receiver in the group uses both the new key and the old key for a predetermined time period or until all group members have received the key.
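The member-side behaviour the abstract describes can be sketched as follows. This is an added example, not code from the patent: it combines the embodiment in which the new key arrives with the packet number at which it takes effect and the embodiment in which a receiver accepts both the old and the new key for a limited period. The class and function names, the HMAC-SHA256 tag standing in for the group cipher, and the overlap measured in packets are all assumptions of the sketch.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag length

def _tag(key, seq, payload):
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

def protect(key, seq, payload):
    """Sender side. HMAC stands in for the group cipher (assumption of this sketch)."""
    return _tag(key, seq, payload) + payload

class GroupMember:
    def __init__(self, key, overlap=3):
        self.key, self.previous = key, None   # key in force / key being phased out
        self.first_seq = 0                    # first packet number that uses self.key
        self.overlap = overlap                # packets for which both keys are accepted
        self.rekey_requested = False

    def on_indicator(self):
        """Multicast indicator seen: the member now owes the key manager a key request."""
        self.rekey_requested = True

    def on_new_key(self, new_key, first_seq):
        """Key manager's reply: the new key and the packet number at which it takes effect."""
        self.previous, self.key, self.first_seq = self.key, new_key, first_seq
        self.rekey_requested = False

    def receive(self, seq, packet):
        """Return (payload, key_label), or None if no key valid for seq verifies."""
        tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
        candidates = []
        if seq >= self.first_seq:
            candidates.append(("current", self.key))
        if self.previous is not None and seq < self.first_seq + self.overlap:
            candidates.append(("previous", self.previous))
        for label, key in candidates:
            if hmac.compare_digest(tag, _tag(key, seq, payload)):
                # Retire the old key only on an authenticated packet past the window,
                # so a forged packet number cannot force it out early.
                if label == "current" and seq >= self.first_seq + self.overlap:
                    self.previous = None
                return payload, label
        return None

def demo():
    k_old, k_new = b"\x01" * 32, b"\x02" * 32      # constructed sample keys
    m = GroupMember(k_old)
    m.on_indicator()
    m.on_new_key(k_new, first_seq=10)
    trace = [(9, k_old), (10, k_new), (11, k_old), (13, k_old), (13, k_new)]
    return [m.receive(s, protect(k, s, b"data")) for s, k in trace]
```

The old key is accepted only for packet numbers below `first_seq + overlap`, and the new key only from `first_seq` onward, so neither key is valid outside the interval the key manager announced.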
46 Claims
1. A method of changing a group key, comprising the steps performed by a node including a key manager function in a system for processing data, of:
sending an indicator to each member of a group that it is time to change the group key; and
distributing, after sending the indicator, a new group key to at least one member of the group.

receiving a request for a new group key, in response to the indicator, from at least one member of the group.

4. The method of claim 3, wherein the step of receiving a request includes the step of receiving a unicast request from the at least one member of the group.

5. The method of claim 3, wherein the distributing step includes the step of unicasting a new group key to the requesting at least one member of the group.

6. The method of claim 1, wherein the distributing step includes the steps of:
determining, after the step of sending the new group key, that all members of the group have received the new group key; and
sending a second indicator to the members of the group to start using the new group key.

7. The method of claim 1, wherein the distributing step includes the steps of:
determining, after the step of sending the new group key, that a timeout has occurred, even though not all members of the group have received the new group key; and
sending a second indicator to the members of the group to start using the new group key.

8. The method of claim 1, wherein the distributing step includes the step of:
sending the new group key to at least one member of the group, along with a time value.

9. The method of claim 8, further comprising the step of determining, by the at least one member of the group, in accordance with the time value, that it is time to start using the new group key.

10. The method of claim 1, wherein the distributing step includes the step of:
sending the new group key to at least one member of the group, along with a packet number indicating a first packet that is to use the new group key.

11. The method of claim 10, further comprising the step of determining, by the at least one member of the group, in accordance with the packet number, that it is time to start using the new group key.

12. The method of claim 1, further comprising the step, performed by the at least one group member, of decrypting information received from a sender node using both an old group key and the new group key for a predetermined time period.

13. The method of claim 1, further comprising the step, performed by the at least one group member, of encrypting information using the new group key and sending the encrypted information to another group member.

14. The method of claim 1, wherein the distribution step includes:
sending, by the key manager, a different group key of a plurality of group keys to respective ones of a plurality of senders in the group, and sending, by the key manager, the plurality of group keys to each of a plurality of receivers in the group.

15. The method of claim 1, further comprising the step, performed by the at least one group member, of decrypting information that is received from another group member, using the new group key.

16. The method of claim 1, wherein the distributing step includes the step of sending the group key to at least one group member without receiving a request from the at least one group member.

17. A method of changing a group key, comprising the steps performed by a node including a key manager function in a system for processing data, of:
distributing a set of group keys to each member of a group;
sending an indicator to each member of a group that it is time to change the group key; and
changing, by at least one member of the group, to a next group key in the set of group keys.

19. A method of changing a group key, comprising the steps performed by a system for processing data, of:
sending, by a key manager node, an indicator to each member of a group that it is time to change the group key; and
changing, by at least one group member, to a new group key responsive to the indicator.

receiving, by the key manager node, a request from the at least one group member for the new group key; and
distributing, by the key manager node, in response to the request, a new group key to the requesting members of the group.

21. The method of claim 19, further comprising the step of:
encrypting and sending, by a first member of the group to a second member of the group, information in accordance with the new group key.

22. The method of claim 19, further comprising the step of decrypting using the new group key, by a first member of the group, information sent by another member of the group.

23. The method of claim 19, further comprising the step of receiving, after the step of sending the indicator, a second indicator from the key manager node indicating that the group members should start using the new group key.

24. The method of claim 20, wherein the step of distributing the new group key includes the step of sending a time value to the at least one member of the group.

25. The method of claim 24, further comprising the step of determining, by the at least one member of the group, in accordance with the time value, that it is time to start using the new group key.

26. The method of claim 19, wherein the step of sending a new group key includes the step of sending a packet number to the at least one member of the group, the packet number indicating a first packet that is to use the new group key.

27. The method of claim 26, further comprising the step of determining, by the at least one member of the group, in accordance with the packet number, that it is time to start using the new group key.

28. The method of claim 19, further comprising the step, performed by the at least one group member, of decrypting information received from a sender node using both an old group key and the new group key for a predetermined time period.

29. A method of changing a group key, comprising the steps performed by a member of a group in a system for processing data, of:
receiving, by the member of the group, an indicator that it is time to change the group key; and
receiving, after the first receiving step, the new group key.

sending, by the member of the group, in response to the indicator, a request for a new group key.

31. The method of claim 29, wherein the step of receiving an indicator includes the step of receiving the indicator via multicast.

32. The method of claim 30, wherein the step of sending a request includes the step of sending a unicast request by the member of the group.

33. The method of claim 29, wherein the key receiving step includes the step of receiving a new group key by the member of the group, where the new group key is unicast to the member of the group.

34. The method of claim 29, further comprising the step of receiving a second indicator that indicates to start using the new group key.

35. The method of claim 29, wherein the step of receiving a new group key includes the step of receiving a time value at which time the new group key will take effect.

36. The method of claim 35, further comprising the step of determining, by the member of the group, in accordance with the time value, that it is time to start using the new group key.

37. The method of claim 29, wherein the step of receiving a new group key includes the step of receiving a packet number, the packet number indicating a first packet that will use the new group key.

38. The method of claim 37, further comprising the step of determining, by the at least one member of the group, in accordance with the packet number, that it is time to start using the new group key.

39. The method of claim 29, further comprising the step, performed by the member of the group, of decrypting information received from another group member using both an old group key and the new group key for a predetermined time period.

40. The method of claim 29, further comprising the step of:
encrypting and sending, by the member of the group to at least one receiver in the group, information in accordance with the new group key.

41. The method of claim 29, further comprising the step of decrypting using the new group key, by the member of the group, information sent by another member of the group.

42. The method of claim 29, wherein the step of receiving the new group key includes the step of receiving the new group key without having to make a request for the new group key.

43. An apparatus that changes a group key, comprising:
a portion configured to send an indicator to each member of a group that it is time to change the group key; and
a portion configured to send a new group key to at least one member of the group.

44. A computer program product comprising:
a computer usable medium having computer readable code embodied therein for changing a group key, the computer program product including;
computer readable program code devices configured to cause a computer to effect sending an indicator to each member of a group that it is time to change the group key; and
computer readable program code devices configured to cause a computer to effect distributing a new group key to at least one member of the group.

45. A computer data signal embodied in a carrier wave and representing sequences of instructions which, when executed by a processor, cause the processor to change a group key, by performing the steps of:
sending an indicator to each member of a group that it is time to change the group key; and
distributing a new group key to at least one member of the group.

46. An apparatus that changes a group key, comprising:
means for sending an indicator to each member of a group that it is time to change the group key; and
means for distributing a new group key to at least one member of the group.

Specification