Method and apparatus for creating a secure communication channel among multiple event service nodes
First Claim
1. A method for managing addition of a first event service node to a secure multicast group that includes a plurality of other event service nodes in a communication network, wherein each of the event service nodes is capable of establishing multicast communication and serving as a key distribution center, wherein each event service node is created and stored within a domain of a directory server system, wherein each event service node is logically organized in a binary tree having a root node, intermediate nodes, and leaf nodes, wherein one of the event service nodes is a group controller and is represented by the root node, and wherein the other event service nodes are represented by the leaf nodes, the method comprising the steps of:
authenticating the first event service node with a subset of the event service nodes that are affected by an addition of the first event service node to the multicast group, based on key information stored in a directory;
receiving a plurality of private keys from the subset of nodes;
generating a new private key for the first event service node;
communicating the plurality of private keys and the new private key to the first event service node;
communicating a message to the subset of nodes that causes the subset of nodes to update their private keys.
Abstract
An approach for establishing secure multicast communication among multiple event service nodes is disclosed. The event service nodes, which can be distributed throughout an enterprise domain, are organized in a logical tree that mimics the logical tree arrangement of domains in a directory server system. The attributes of the event service nodes include the group session key and the private keys of the event service nodes that are members of the multicast or broadcast groups. The private keys provide unique identification values for the event service nodes, thereby facilitating distribution of such keys. Because keys as well as key version information are housed in the directory, multicast security can readily be achieved over any number of network domains across the entire enterprise. Key information is stored in, and the logical tree is supported by, a directory service. Replication of the directory accomplishes distribution of keys. Event service nodes may obtain current key information from a local copy of the replicated directory.
390 Citations
26 Claims
1. A method for managing addition of a first event service node to a secure multicast group that includes a plurality of other event service nodes in a communication network, wherein each of the event service nodes is capable of establishing multicast communication and serving as a key distribution center, wherein each event service node is created and stored within a domain of a directory server system, wherein each event service node is logically organized in a binary tree having a root node, intermediate nodes, and leaf nodes, wherein one of the event service nodes is a group controller and is represented by the root node, and wherein the other event service nodes are represented by the leaf nodes, the method comprising the steps of:
authenticating the first event service node with a subset of the event service nodes that are affected by an addition of the first event service node to the multicast group, based on key information stored in a directory;
receiving a plurality of private keys from the subset of nodes;
generating a new private key for the first event service node;
communicating the plurality of private keys and the new private key to the first event service node;
communicating a message to the subset of nodes that causes the subset of nodes to update their private keys.
(Dependent claims 2 to 19 not shown.)
20. A method for managing removal of a first event service node from a secure multicast group that comprises the first event service node and a plurality of event service nodes in a communication network, wherein each of the event service nodes is capable of secure multicast communication and capable of serving as a key distribution center, wherein each event service node is created and stored within a domain of a directory server system, wherein each event service node and the secure multicast group are logically represented by a binary tree having a root node, intermediate nodes, and leaf nodes, wherein one of the event service nodes is a group controller and is represented by the root node, and wherein the other event service nodes are represented by the leaf nodes, the method comprising the steps of:
(a) creating and storing a new authentication key for an event service node that is a logical parent node of the first event service node, and for each successive ancestral node up to the root node;
(b) encrypting the new authentication key for the logical parent node, using a private key of an adjacent node;
(c) encrypting an authentication key of an immediate ancestral node using the private keys of all nodes that are logically below the first event service node;
(d) iteratively repeating step (c) until an authentication key of the root node has been encrypted; and
(e) communicating the authentication keys to each node in a branch of the tree that contains the first event service node.
(Dependent claims 21 to 23 not shown.)
24. A communication system for managing addition of a first event service node to a secure multicast group that includes a plurality of other event service nodes in a communication network, wherein each of the event service nodes is capable of establishing multicast communication and serving as a key distribution center, wherein each event service node is created and stored within a domain of a directory server system, wherein each event service node is logically represented by a binary tree having a root node, intermediate nodes, and leaf nodes, wherein the event service nodes are represented by the leaf nodes, the communication system comprising:
a group controller that is represented by the root node and that creates and manages secure multicast communication among a plurality of event service nodes, in which the event service nodes each have a private key;
a computer-readable medium comprising one or more instructions which, when executed by one or more processors, cause the one or more processors to carry out the steps of:
authenticating the first event service node with a subset of the event service nodes that are affected by an addition of the first event service node to the multicast group, based on key information stored in a directory;
receiving a plurality of private keys from the subset of nodes;
generating a new private key for the first event service node;
communicating the plurality of private keys and the new private key to the first event service node;
communicating a message to the subset of nodes that causes the subset of nodes to update their private keys.
25. A computer-readable medium carrying one or more sequences of instructions for managing addition of a first event service node to a secure multicast group that includes a plurality of other event service nodes in a communication network, wherein each of the event service nodes is capable of establishing multicast communication and serving as a key distribution center, wherein each event service node is created and stored within a domain of a directory server system, wherein each event service node is logically represented by a binary tree having a root node, intermediate nodes, and leaf nodes, wherein one of the event service nodes is a group controller and is represented by the root node, and wherein the other event service nodes are represented by the leaf nodes, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
authenticating the first event service node with a subset of the event service nodes that are affected by an addition of the first event service node to the multicast group, based on key information stored in a directory;
receiving a plurality of private keys from the subset of nodes;
generating a new private key for the first event service node;
communicating the plurality of private keys and the new private key to the first event service node;
communicating a message to the subset of nodes that causes the subset of nodes to update their private keys.
26. A secure network communication system, comprising a plurality of group controllers coupled to a communication network, each group controller comprising:
a processor;
a memory coupled to the processor using a bus;
one or more sequences of instructions stored in the memory for managing addition of a first event service node to a secure multicast group that includes a plurality of other event service nodes in a communication network, wherein each of the event service nodes is capable of establishing multicast communication and serving as a key distribution center, wherein each event service node is created and stored within a domain of a directory server system, wherein each event service node is logically represented by a binary tree having a root node, intermediate nodes, and leaf nodes, wherein one of the event service nodes is a group controller and is represented by the root node, and wherein the other event service nodes are represented by the leaf nodes, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
authenticating the first event service node with a subset of the event service nodes that are affected by an addition of the first event service node to the multicast group, based on key information stored in a directory;
receiving a plurality of private keys from the subset of nodes;
generating a new private key for the first event service node;
communicating the plurality of private keys and the new private key to the first event service node;
communicating a message to the subset of nodes that causes the subset of nodes to update their private keys.
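The join of claim 1 (restated as a system in claims 24 to 26) and the leave of claim 20 together describe a logical key hierarchy: each member holds the private key of its own leaf plus the authentication keys of every ancestor up to the root, the root key is the group session key, and a membership change replaces only the keys on the affected branch, each new key being encrypted under the keys of the children that still hold members. The following Python sketch is an added illustration of that rekeying, not code from the patent or from any product of its assignee. It assumes an array-backed complete binary tree with a power-of-two number of leaf slots, a toy encrypt-then-MAC key wrap (a deployment would use an AEAD such as AES-GCM), and it leaves the directory replication and the authentication step out of scope by handing the joiner its keyring in-process. It goes a little beyond the claims by also showing the member-side processing of the rekey messages and checking that a removed node can no longer recover the new group key.

```python
import hashlib
import hmac
import os

# Toy primitives for illustration only (assumption: a real system uses an AEAD).
def kdf(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(key + label).digest()

def wrap(kek: bytes, k: bytes) -> bytes:
    """Encrypt-then-MAC key wrap: XOR with a hash-derived pad, then a 16-byte HMAC tag."""
    body = bytes(a ^ b for a, b in zip(k, kdf(kek, b"pad")))
    return body + hmac.new(kek, body, "sha256").digest()[:16]

def unwrap(kek: bytes, blob: bytes):
    """Return the wrapped key, or None when the tag does not verify under this kek."""
    body, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, "sha256").digest()[:16]):
        return None
    return bytes(a ^ b for a, b in zip(body, kdf(kek, b"pad")))

class LKHTree:
    """Complete binary key tree in array form: node i has children 2i+1 and 2i+2,
    leaves are member slots, and node 0 (the group controller) holds the session key."""

    def __init__(self, n_leaves: int):
        assert n_leaves >= 2 and (n_leaves & (n_leaves - 1)) == 0, "power-of-two leaf count"
        self.n = n_leaves
        # Interior nodes start with keys; leaf slots are empty (None) until a member joins.
        self.keys = [os.urandom(32) for _ in range(n_leaves - 1)] + [None] * n_leaves

    def leaf(self, member): return self.n - 1 + member
    def parent(self, i): return (i - 1) // 2
    def children(self, i): return (2 * i + 1, 2 * i + 2)

    def path(self, member):
        """Node indices from the member's leaf up to the root."""
        i, out = self.leaf(member), [self.leaf(member)]
        while i:
            i = self.parent(i)
            out.append(i)
        return out

    def keyring(self, member):
        return {i: self.keys[i] for i in self.path(member)}

    def _rekey_branch(self, node, rekey):
        """Claim 20 steps (a)-(e): a fresh key for each ancestor, wrapped under every child
        key that is still held by someone, emitted bottom-up so receivers can chain unwraps."""
        while True:
            new = os.urandom(32)
            for c in self.children(node):
                if self.keys[c] is not None:
                    rekey.append((node, c, wrap(self.keys[c], new)))
            self.keys[node] = new
            if node == 0:
                return rekey
            node = self.parent(node)

    def add(self, member):
        """Claim 1 join: new leaf key, then refresh the affected ancestors so the joiner
        cannot read earlier traffic. Returns (joiner's keyring, messages for existing members)."""
        i = self.leaf(member)
        self.keys[i] = os.urandom(32)
        rekey = self._rekey_branch(self.parent(i), [])
        return self.keyring(member), rekey

    def remove(self, member):
        """Claim 20 leave: discard the leaf key first so no new key is ever wrapped under it."""
        i = self.leaf(member)
        self.keys[i] = None
        return self._rekey_branch(self.parent(i), [])

def apply_rekey(keyring, rekey):
    """Member side: unwrap each new key with a key already held; messages under keys the
    member does not hold (or holds a stale copy of) fail the tag check and are ignored."""
    ring = dict(keyring)
    for node, under, blob in rekey:
        if under in ring:
            k = unwrap(ring[under], blob)
            if k is not None:
                ring[node] = k
    return ring

def demo():
    """Four members join a 4-leaf tree, member 1 leaves. Returns (others in sync,
    leaver locked out, number of rekey messages for the leave)."""
    tree, rings = LKHTree(4), {}
    for m in range(4):
        ring, rekey = tree.add(m)
        for other in rings:
            rings[other] = apply_rekey(rings[other], rekey)
        rings[m] = ring
    assert all(r[0] == tree.keys[0] for r in rings.values())
    stale = rings.pop(1)
    rekey = tree.remove(1)
    for m in rings:
        rings[m] = apply_rekey(rings[m], rekey)
    leaver = apply_rekey(stale, rekey)
    return (all(r[0] == tree.keys[0] for r in rings.values()),
            leaver[0] != tree.keys[0], len(rekey))

if __name__ == "__main__":
    print(demo())
```

Two details carry the security argument. The leaf key of the departing node is set to None before the branch is rekeyed, so the controller never wraps a new key under it, and a member's stale copy of an ancestor key fails the tag check rather than yielding a wrong key silently; with a toy XOR pad and no tag, the leaver would appear to "decrypt" garbage. The message count is two per tree level at most, which is the O(log n) cost that motivates the tree over pairwise delivery, and the key version information the abstract keeps in the directory is what lets a node that missed a rekey round recognise that its keyring is stale.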
Specification