Distributed group key management for multicast security

US 6,584,566 B1
Filed: 06/11/1999
Issued: 06/24/2003
Est. Priority Date: 08/27/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method comprising:

an initiator key server distributing to a plurality of key servers a first key set including an initial common group key and a replacement common group key;

initially distributing the initial common group key, but not the replacement common group key, to clients of the plurality of key servers that are currently members of a multicast group as a current common group key for multicast messages;

responsive to a first need to re-key the current common group key of the multicast group, each of the key servers subsequently distributing to their clients that are currently members of the multicast group the previously distributed replacement common group key as the current common group key; and

wherein said subsequently distributing is performed at least in part in parallel with said initiator key server distributing to the plurality of key servers a second key set including a different initial common group key and replacement common group key.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for distributed group key management for multicast security. According to one aspect of the invention, an initiator key server distributes to a plurality of key servers a first key set including an initial common group key and a replacement common group key. The initial common group key, but not the replacement common group key, is initially distributed to clients of the plurality of key servers that are currently members of a multicast group as a current common group key for multicast messages. Responsive to a need to re-key the current common group key of the multicast group, each of the key servers subsequently distributes to their clients that are currently members of the multicast group the previously distributed replacement common group key as the current common group key.

Citations

24 Claims

1. A computer-implemented method comprising:
- an initiator key server distributing to a plurality of key servers a first key set including an initial common group key and a replacement common group key;
  
  initially distributing the initial common group key, but not the replacement common group key, to clients of the plurality of key servers that are currently members of a multicast group as a current common group key for multicast messages;
  
  responsive to a first need to re-key the current common group key of the multicast group, each of the key servers subsequently distributing to their clients that are currently members of the multicast group the previously distributed replacement common group key as the current common group key; and
  
  wherein said subsequently distributing is performed at least in part in parallel with said initiator key server distributing to the plurality of key servers a second key set including a different initial common group key and replacement common group key.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising:
3. The method of claim 1, wherein said initiator key server distributing further comprises:
- encrypting the first key set using a server group key shared by the plurality of key servers but not the clients of the key servers; and
  
  multicasting the encrypted first key set to the plurality of key servers.
4. The method of claim 1, wherein said first key set is distributed by said initiator key server encrypted and said initially distributing includes:
- a first of said plurality of key servers decrypting the encrypted first key set;
  
  said first key server encrypting the initial common group key, without the replacement common group key, using a domain key shared by the clients of said first key server that are currently members of said multicast group; and
  
  said first key server multicasting said encrypted initial common group key.
5. The method of claim 1, wherein said first key set is distributed by said initiator key server encrypted and said initially distributing includes:
- a first of said plurality of key servers decrypting the encrypted first key set;
  
  said first key server separately encrypting the initial common group key, without the replacement common group key, for each client of said first key server that is currently a member of said multicast group using a private key shared by that client and the first key server; and
  
  said first key server transmitting said separate encryptions of the initial common group key to its clients that are currently members of said multicast group.

6. A computer-implemented method comprising:
- selecting a first key set including an initial common group key and a replacement common group key;
  
  encrypting said first key set using a set of one or more keys;
  
  distributing said encrypted first key set to a set of one or more key servers;
  
  each of said set of one or more key servers performing the following, receiving said encrypted first key set, decrypting the encrypted first key set, and distributing to clients of that key server that are currently members of a multicast group the initial common group key as a current common group key for the multicast group, wherein the replacement common group key is not distributed to the members at this time; and
  
  responsive to a need to re-key the current common group key, performing the following at least partially in parallel, distributing to said set of one or more key servers an encrypted second key set including a different initial common group key and replacement common group key, and each of said set of one or more key servers distributing to their clients who are currently members of said multicast group the replacement common group key from the first key set as the current common group key.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein said set of one or more keys includes a single server group key, wherein said distributing said encrypted first key set is by a secure multicast established through said single server group key.
  - 8. The method of claim 6, wherein said selecting includes selecting a security association for said first key set, and wherein said encrypting includes encrypting said security association as part of said first key set.
  - 9. The method of claim 6 further comprising:
10. The method of claim 6 further comprising:
- selecting a second key set including a different initial common group key and replacement common group key;
  
  encrypting said second key set;
  
  distributing said encrypted second key set to said set of one or more key servers; and
  
  each of said set of one or more key servers performing the following, receiving said encrypted second key set, decrypting the encrypted second key set, and responsive to a second need to re-key the current common group key, distributing the initial common group key from the second key set to clients of that key server that are currently members of the multicast group.

11. One or more machine-readable media having stored thereon one or more sequences of instructions that when executed cause the following:
- an initiator key server distributing to a plurality of key servers a first key set including an initial common group key and a replacement common group key;
  
  initially distributing the initial common group key, but not the replacement common group key, to clients of the plurality of key servers that are currently members of a multicast group as a current common group key for multicast messages;
  
  responsive to a first need to re-key the current common group key of the multicast group, each of the key servers subsequently distributing to their clients that are currently members of the multicast group the previously distributed replacement common group key as the current common group key; and
  
  wherein said subsequently distributing is performed at least in part in parallel with said initiator key server distributing to the plurality of key servers a second key set including a different initial common group key and replacement common group key.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The one or more machine-readable media of claim 11 in which the one or more sequences of instructions when executed also cause the following:
13. The one or more machine-readable media of claim 11, wherein said initiator key server distributing further comprises:
- encrypting the first key set using a server group key shared by the plurality of key servers but not the clients of the key servers; and
  
  multicasting the encrypted first key set to the plurality of key servers.
14. The one or more machine-readable media of claim 11, wherein said first key set is distributed by said initiator key server encrypted and said initially distributing includes:
- a first of said plurality of key servers decrypting the encrypted first key set;
  
  said first key server encrypting the initial common group key, without the replacement common group key, using a domain key shared by the clients of said first key server that are currently members of said multicast group; and
  
  said first key server multicasting said encrypted initial common group key.
15. The one or more machine-readable media of claim 11, wherein said first key set is distributed by said initiator key server encrypted and said initially distributing includes:
- a first of said plurality of key servers decrypting the encrypted first key set;
  
  said first key server separately encrypting the initial common group key, without the replacement common group key, for each client of said first key server that is currently a member of said multicast group using a private key shared by that client and the first key server; and
  
  said first key server transmitting said separate encryptions of the initial common group key to its clients that are currently members of said multicast group.

16. One or more machine-readable media having stored thereon one or more sequences of instructions that when executed cause the following:
- said first key server decrypting an encrypted first key set including an initial common group key and a replacement common group key, said encrypted first key set having been received over a network;
  
  said first key server initially distributing to clients of said first key server that are currently members of a multicast group the initial common group key as a current common group key;
  
  responsive to a need to re-key the current common group key of the multicast group, said first key server subsequently distributing to clients of said first key server that are currently members of said multicast group the replacement common group key as the current common group key; and
  
  wherein said first key server receives from said second key server an encrypted second key set including a different initial common group key and replacement common group key.
- View Dependent Claims (17, 18, 19)
- - 17. The one or more machine-readable media of claim 16, wherein said encrypted first key set is encrypted with a single server group key shared by a plurality of key servers that includes said first key server.
  - 18. The one or more machine-readable media of claim 16, wherein said decrypting said encrypted first key set includes decrypting a security association for said initial and replacement common group keys.
  - 19. The one or more machine-readable media of claim 16 in which the one or more sequences of instructions when executed also cause the following:

20. One or more machine-readable media having stored thereon one or more sequences of instructions that when executed cause the following:
- selecting a first key set including an initial common group key and a replacement common group key;
  
  encrypting said first key set using a set of one or more keys;
  
  distributing said encrypted first key set to a set of one or more key servers;
  
  each of said set of one or more key servers performing the following, decrypting said encrypted first key set, and distributing to clients of that key server that are currently members of a multicast group the initial common group key as a current common group key for the multicast group, wherein the replacement common group key is not distributed to the members at this time;
  
  selecting a second key set including a different initial common group key and replacement common group key;
  
  encrypting said second key set;
  
  distributing said encrypted second key set to said set of one or more key servers; and
  
  each of said set of one or more key servers performing the following, receiving said encrypted second key set, decrypting the encrypted second key set, and responsive to a second need to re-key the current common group key, distributing the initial common group key from the second key set to clients of that key server that are currently members of the multicast group..
- View Dependent Claims (21, 22, 23, 24)
- - 21. The one or more machine-readable media of claim 20, wherein said set of one or more keys includes a single server group key, wherein said distributing said encrypted first key set is by a secure multicast established through said single server group key.
  - 22. The one or more machine-readable media of claim 20, wherein said selecting includes selecting a security association for said first key set, and wherein said encrypting includes encrypting said security association as part of said first key set.
  - 23. The one or more machine-readable media of claim 20 in which the one or more sequences of instructions when executed also cause the following:
24. The one or more machine-readable media of claim 20 in which the one or more sequences of instructions when executed also cause the following:
- responsive to a need to re-key the current common group key, performing the following at least partially in parallel, distributing to said set of one or more key servers an encrypted second key set including a different initial common group key and replacement common group key, and each of said set of one or more key servers distributing to their clients who are currently members of said multicast group the replacement common group key from the first key set as the current common group key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Hardjono, Thomas P.
Primary Examiner(s)
Barron, Gilberto
Assistant Examiner(s)
NOBAHAR, ABDULHAKIM

Application Number

US09/330,897
Time in Patent Office

1,474 Days
Field of Search

713/162, 713/163, 380/271, 380/273, 380/277, 380/279, 380/278, 380/280, 380/281, 380/282
US Class Current

713/163
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 9/0833   involving conference or gro...

H04L 9/0891   Revocation or update of sec...

Distributed group key management for multicast security

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed group key management for multicast security

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links