Distributed group key management for multicast security
First Claim
1. A computer-implemented method comprising:
- an initiator key server distributing to a plurality of key servers a first key set including an initial common group key and a replacement common group key;
initially distributing the initial common group key, but not the replacement common group key, to clients of the plurality of key servers that are currently members of a multicast group as a current common group key for multicast messages;
responsive to a first need to re-key the current common group key of the multicast group, each of the key servers subsequently distributing to their clients that are currently members of the multicast group the previously distributed replacement common group key as the current common group key; and
wherein said subsequently distributing is performed at least in part in parallel with said initiator key server distributing to the plurality of key servers a second key set including a different initial common group key and replacement common group key.
11 Assignments
0 Petitions
Accused Products
Abstract
A method and apparatus for distributed group key management for multicast security. According to one aspect of the invention, an initiator key server distributes to a plurality of key servers a first key set including an initial common group key and a replacement common group key. The initial common group key, but not the replacement common group key, is initially distributed to clients of the plurality of key servers that are currently members of a multicast group as a current common group key for multicast messages. Responsive to a need to re-key the current common group key of the multicast group, each of the key servers subsequently distributes to their clients that are currently members of the multicast group the previously distributed replacement common group key as the current common group key.
-
Citations
24 Claims
-
1. A computer-implemented method comprising:
-
an initiator key server distributing to a plurality of key servers a first key set including an initial common group key and a replacement common group key;
initially distributing the initial common group key, but not the replacement common group key, to clients of the plurality of key servers that are currently members of a multicast group as a current common group key for multicast messages;
responsive to a first need to re-key the current common group key of the multicast group, each of the key servers subsequently distributing to their clients that are currently members of the multicast group the previously distributed replacement common group key as the current common group key; and
wherein said subsequently distributing is performed at least in part in parallel with said initiator key server distributing to the plurality of key servers a second key set including a different initial common group key and replacement common group key. - View Dependent Claims (2, 3, 4, 5)
said initiator key server distributing to the plurality of key servers a second key set including a different initial common group key and replacement common group key;
responsive to a second need to re-key the common group key of the multicast group, distributing the initial common group key from the second key set, but not the replacement common group key from the second key set, to clients of the plurality of key servers that are currently members of the multicast group as the current common group key; and
responsive to a third need to re-key the common group key of the multicast group, each of the key servers subsequently distributing to their clients that are currently members of the multicast group the previously distributed replacement common group key from the second key set as the current common group key.
-
-
3. The method of claim 1, wherein said initiator key server distributing further comprises:
-
encrypting the first key set using a server group key shared by the plurality of key servers but not the clients of the key servers; and
multicasting the encrypted first key set to the plurality of key servers.
-
-
4. The method of claim 1, wherein said first key set is distributed by said initiator key server encrypted and said initially distributing includes:
-
a first of said plurality of key servers decrypting the encrypted first key set;
said first key server encrypting the initial common group key, without the replacement common group key, using a domain key shared by the clients of said first key server that are currently members of said multicast group; and
said first key server multicasting said encrypted initial common group key.
-
-
5. The method of claim 1, wherein said first key set is distributed by said initiator key server encrypted and said initially distributing includes:
-
a first of said plurality of key servers decrypting the encrypted first key set;
said first key server separately encrypting the initial common group key, without the replacement common group key, for each client of said first key server that is currently a member of said multicast group using a private key shared by that client and the first key server; and
said first key server transmitting said separate encryptions of the initial common group key to its clients that are currently members of said multicast group.
-
-
6. A computer-implemented method comprising:
-
selecting a first key set including an initial common group key and a replacement common group key;
encrypting said first key set using a set of one or more keys;
distributing said encrypted first key set to a set of one or more key servers;
each of said set of one or more key servers performing the following, receiving said encrypted first key set, decrypting the encrypted first key set, and distributing to clients of that key server that are currently members of a multicast group the initial common group key as a current common group key for the multicast group, wherein the replacement common group key is not distributed to the members at this time; and
responsive to a need to re-key the current common group key, performing the following at least partially in parallel, distributing to said set of one or more key servers an encrypted second key set including a different initial common group key and replacement common group key, and each of said set of one or more key servers distributing to their clients who are currently members of said multicast group the replacement common group key from the first key set as the current common group key. - View Dependent Claims (7, 8, 9, 10)
responsive to a first need to re-key the current common group key, each of said set of one or more key servers performing the following, distributing to clients of that key server that are currently members of said multicast group the replacement common group key as the current common group key.
-
-
10. The method of claim 6 further comprising:
-
selecting a second key set including a different initial common group key and replacement common group key;
encrypting said second key set;
distributing said encrypted second key set to said set of one or more key servers; and
each of said set of one or more key servers performing the following, receiving said encrypted second key set, decrypting the encrypted second key set, and responsive to a second need to re-key the current common group key, distributing the initial common group key from the second key set to clients of that key server that are currently members of the multicast group.
-
-
11. One or more machine-readable media having stored thereon one or more sequences of instructions that when executed cause the following:
-
an initiator key server distributing to a plurality of key servers a first key set including an initial common group key and a replacement common group key;
initially distributing the initial common group key, but not the replacement common group key, to clients of the plurality of key servers that are currently members of a multicast group as a current common group key for multicast messages;
responsive to a first need to re-key the current common group key of the multicast group, each of the key servers subsequently distributing to their clients that are currently members of the multicast group the previously distributed replacement common group key as the current common group key; and
wherein said subsequently distributing is performed at least in part in parallel with said initiator key server distributing to the plurality of key servers a second key set including a different initial common group key and replacement common group key. - View Dependent Claims (12, 13, 14, 15)
said initiator key server distributing to the plurality of key servers a second key set including a different initial common group key and replacement common group key;
responsive to a second need to re-key the common group key of the multicast group, distributing the initial common group key from the second key set, but not the replacement common group key from the second key set, to clients of the plurality of key servers that are currently members of the multicast group as the current common group key; and
responsive to a third need to re-key the common group key of the multicast group, each of the key servers subsequently distributing to their clients that are currently members of the multicast group the previously distributed replacement common group key from the second key set as the current common group key.
-
-
13. The one or more machine-readable media of claim 11, wherein said initiator key server distributing further comprises:
-
encrypting the first key set using a server group key shared by the plurality of key servers but not the clients of the key servers; and
multicasting the encrypted first key set to the plurality of key servers.
-
-
14. The one or more machine-readable media of claim 11, wherein said first key set is distributed by said initiator key server encrypted and said initially distributing includes:
-
a first of said plurality of key servers decrypting the encrypted first key set;
said first key server encrypting the initial common group key, without the replacement common group key, using a domain key shared by the clients of said first key server that are currently members of said multicast group; and
said first key server multicasting said encrypted initial common group key.
-
-
15. The one or more machine-readable media of claim 11, wherein said first key set is distributed by said initiator key server encrypted and said initially distributing includes:
-
a first of said plurality of key servers decrypting the encrypted first key set;
said first key server separately encrypting the initial common group key, without the replacement common group key, for each client of said first key server that is currently a member of said multicast group using a private key shared by that client and the first key server; and
said first key server transmitting said separate encryptions of the initial common group key to its clients that are currently members of said multicast group.
-
-
16. One or more machine-readable media having stored thereon one or more sequences of instructions that when executed cause the following:
-
said first key server decrypting an encrypted first key set including an initial common group key and a replacement common group key, said encrypted first key set having been received over a network;
said first key server initially distributing to clients of said first key server that are currently members of a multicast group the initial common group key as a current common group key;
responsive to a need to re-key the current common group key of the multicast group, said first key server subsequently distributing to clients of said first key server that are currently members of said multicast group the replacement common group key as the current common group key; and
wherein said first key server receives from said second key server an encrypted second key set including a different initial common group key and replacement common group key. - View Dependent Claims (17, 18, 19)
a second key server selecting said first key set;
said second key server generating said encrypted first key set; and
said second key server transmitting said encrypted first key set to a set of one or more key servers that includes said first key server.
-
-
20. One or more machine-readable media having stored thereon one or more sequences of instructions that when executed cause the following:
-
selecting a first key set including an initial common group key and a replacement common group key;
encrypting said first key set using a set of one or more keys;
distributing said encrypted first key set to a set of one or more key servers;
each of said set of one or more key servers performing the following, decrypting said encrypted first key set, and distributing to clients of that key server that are currently members of a multicast group the initial common group key as a current common group key for the multicast group, wherein the replacement common group key is not distributed to the members at this time;
selecting a second key set including a different initial common group key and replacement common group key;
encrypting said second key set;
distributing said encrypted second key set to said set of one or more key servers; and
each of said set of one or more key servers performing the following, receiving said encrypted second key set, decrypting the encrypted second key set, and responsive to a second need to re-key the current common group key, distributing the initial common group key from the second key set to clients of that key server that are currently members of the multicast group.. - View Dependent Claims (21, 22, 23, 24)
responsive to a first need to re-key the current common group key, each of said set of one or more key servers performing the following, distributing to clients of that key server that are currently members of said multicast group the replacement common group key as the current common group key.
-
-
24. The one or more machine-readable media of claim 20 in which the one or more sequences of instructions when executed also cause the following:
-
responsive to a need to re-key the current common group key, performing the following at least partially in parallel, distributing to said set of one or more key servers an encrypted second key set including a different initial common group key and replacement common group key, and each of said set of one or more key servers distributing to their clients who are currently members of said multicast group the replacement common group key from the first key set as the current common group key.
-
Specification