Method and apparatus for distributing and updating group controllers over a wide area network using a tree structure
First Claim
1. An apparatus for communicating a session key from a first node of a secure multicast group to a plurality of other nodes of the multicast group, wherein each of the nodes is represented by a leaf node of a binary tree stored in a domain of a directory service that is distributed across a wide area network, wherein each of the nodes is capable of establishing multicast communication and serving as a key distribution center, the apparatus comprising:
- one or more processors;
- a network interface that communicatively couples the one or more processors to a network;
- a memory communicatively coupled to the one or more processors and comprising one or more sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
- creating and storing a group session key associated with the multicast group and a private key associated with each node in a directory;
- receiving information indicating that the first node is joining the multicast group;
- communicating first messages to a subset of nodes in a branch of the binary tree that contains the joining node, wherein the first messages cause the subset of nodes to update all affected keys thereof;
- receiving a new group session key for the multicast group, for use after addition of the first node, and a new private key for the first node, from a local group manager node;
- communicating a second message to the subset of nodes that causes the subset of nodes to update their private keys.
Abstract
Apparatus and computer-readable media are disclosed for establishing secure multicast communication among multiple multicast proxy service nodes of domains of a replicated directory service that spans a wide area network. Domains are organized in a logical tree. Each domain has a logical tree that organizes the multicast proxy service nodes, a group manager at the root node, a multicast key distribution center, a multicast service agent, a directory service agent and a key distribution center. Multicast proxy service nodes store a group session key and a private key. Replication of the directory performs key distribution. A multicast group member joins or leaves the group by publishing a message. The local key distribution center and multicast service agent obtain the publisher's identity from a local directory service agent. Based on the identity, a secure channel is established with the directory service agent in the group member's domain. Keys of the binary tree branch that contains the joining or leaving node are updated, and an updated group session key and a new private key are received.
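The join rekeying that the abstract and claim 1 describe (replace every key on the branch from the joining leaf to the root, and send each existing member only the replaced keys it already shares) can be modelled as follows. This is an added illustration, not code from the patent; it assumes a complete binary tree with integer node ids, fresh random keys drawn by the group manager, and plain dictionaries in place of any particular encrypted message format.

```python
import os


class KeyTree:
    """Assumed model of the claims' binary key tree (illustrative only).

    Node ids: root = 1, children of n are 2n and 2n+1, leaves are the ids
    in [2**depth, 2**(depth+1)).  The root key is the group session key and
    each occupied leaf's key is that member's private key.  A member holds
    every key on the path from its leaf to the root, so the key at an
    internal node is shared by exactly the members whose leaf lies under it.
    """

    def __init__(self, depth: int):
        self.depth = depth
        self.keys = {}        # node id -> key bytes (constructed, random)
        self.members = set()  # leaf ids currently occupied

    @staticmethod
    def path(leaf: int) -> list:
        """Ids on the branch from a leaf up to the root, leaf first."""
        ids = []
        while leaf >= 1:
            ids.append(leaf)
            leaf //= 2
        return ids

    def members_under(self, node: int) -> set:
        """Existing members whose branch passes through `node`."""
        return {m for m in self.members if node in self.path(m)}

    def group_session_key(self) -> bytes:
        return self.keys[1]

    def join(self, leaf: int) -> dict:
        """Add a member at `leaf`; return {recipient leaf: {node id: key}}.

        Every key on the joining branch is replaced so the newcomer cannot
        read earlier traffic (backward secrecy).  Each existing member is
        sent only the replaced keys it held, i.e. the subset of nodes in
        the affected branch; the joiner receives its private key and the
        full branch up to the new group session key.
        """
        assert leaf not in self.members and leaf >= 2 ** self.depth
        msgs = {}
        for node in self.path(leaf):
            self.keys[node] = os.urandom(16)  # assumption: fresh random key
            for m in self.members_under(node):
                msgs.setdefault(m, {})[node] = self.keys[node]
        self.members.add(leaf)
        msgs[leaf] = {n: self.keys[n] for n in self.path(leaf)}
        return msgs
```

Members outside the joining branch receive only the new root key, which is the minimum needed to keep the whole group on one session key.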
36 Claims
10. A computer-readable medium for communicating a session key from a first node of a secure multicast group to a plurality of other nodes of the multicast group, wherein each of the nodes is represented by a leaf node of a binary tree stored in a domain of a directory service that is distributed across a wide area network, wherein each of the nodes is capable of establishing multicast communication and serving as a key distribution center, the computer-readable medium comprising one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of:
- creating and storing a group session key associated with the multicast group and a private key associated with each node in a group;
- receiving information indicating that the first node is joining the multicast group;
- communicating first messages to a subset of nodes in a branch of the binary tree that contains the joining node, wherein the first messages cause the subset of nodes to update all affected keys thereof;
- receiving a new group session key for the multicast group, for use after addition of the first node, and a new private key for the first node, from a local group manager node;
- communicating a second message to the subset of nodes that causes the subset of nodes to update their private keys.
(Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18)
19. An apparatus for communicating a session key from a first node of a secure multicast group to a plurality of other nodes of the multicast group, wherein each of the nodes is represented by a leaf node of a binary tree stored in a domain of a directory service that is distributed across a wide area network, wherein each of the nodes is capable of establishing multicast communication and serving as a key distribution center, the apparatus comprising:
- means for creating and storing a group session key associated with the multicast group and a private key associated with each node in a group;
- means for receiving information indicating that the first node is joining the multicast group;
- means for communicating first messages to a subset of nodes in a branch of the binary tree that contains the joining node, wherein the first messages cause the subset of nodes to update all affected keys thereof;
- means for receiving a new group session key for the multicast group, for use after addition of the first node, and a new private key for the first node, from a local group manager node;
- means for communicating a second message to the subset of nodes that causes the subset of nodes to update their private keys.
(Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27)
28. An apparatus for creating a secure multicast or broadcast group, the apparatus comprising:
- a plurality of multicast proxy service nodes, each of the multicast proxy service nodes having attribute information comprising a group identification value for uniquely identifying a particular one of the multicast proxy service nodes, wherein the plurality of multicast proxy service nodes is located in one of a plurality of domains of a directory service that spans a wide area network and the domains form a logical arrangement of the multicast proxy service nodes according to a tree structure, the tree structure having a root node, intermediate nodes, and leaf nodes, one of the multicast proxy service nodes being designated as a primary multicast proxy service node, the primary multicast proxy service node being mapped to the root node, the other multicast proxy service nodes having private keys corresponding to the group identification values and being mapped to the intermediate nodes and the leaf nodes;
- a directory comprising a directory system agent (DSA) for communicating with one or more of the multicast proxy service nodes to authenticate each of the multicast proxy service nodes and for replicating the attribute information of the one or more multicast proxy service nodes; and
- a plurality of client nodes coupled to one of the multicast proxy service nodes, the one multicast proxy service node creating a secure multicast or broadcast client group that is separate from the secure multicast or broadcast group;
wherein one of the multicast proxy service nodes comprises:
- means for creating and storing a group session key associated with the multicast group and a private key associated with each node in a directory;
- means for receiving information indicating that the first node is joining the multicast group;
- means for updating all affected keys of a subset of nodes in a branch of the binary tree that contains the joining node;
- means for receiving a new group session key for the multicast group, for use after addition of the first node, and a new private key for the first node, from a local group manager node;
- means for communicating a message to the subset of nodes that causes the subset of nodes to update their private keys.
(Dependent claims: 29, 30, 31, 32, 33, 34, 35, 36)