Directory enabled secure multicast group communications
Abstract
An approach for establishing secure communication among multiple multicast groups using a multi-master directory is disclosed. The multi-master directory enforces access controls on a per-object and per-attribute basis. The event service nodes, which can be implemented as event servers, are distributed throughout an enterprise domain. The attributes of the event service nodes include the group session key and the private keys of the event service nodes. A standardized authentication service is used to register publishers and subscribers. These publishers and subscribers can individually belong to multiple multicast groups under a readily scalable, secure network architecture.
130 Citations
30 Claims

1. A method for securely establishing communication in a multicast group of nodes of a network, in which the network includes publisher nodes, subscriber nodes, a multi-master directory that stores information about events in the network and that can authenticate the subscriber nodes and the publisher nodes, wherein each of the subscriber nodes and the publisher nodes receives a unique private key and that can determine events that the subscribers and the publishers may process, the method comprising the steps of:
registering the subscribers and the publishers with an event server configured to determine whether the publishers are authorized to produce certain events corresponding to event types and whether the subscribers are authorized to receive the certain events in response to the step of registering; and
generating, with the event server, a group session key for establishing the multicast group, the group session key being encrypted in a first message that has a prescribed format.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A communication system for creating a plurality of secure multicast groups in a network that includes a plurality of principals configured for functioning as subscribers and publishers, each of the principals having a private key, a multi-master directory comprising a directory server for communicating with one or more of the principals to authenticate each of the principals and to provide access control, the multi-master directory controlling access on a per object and per attribute basis, the communication system comprising:
an event server coupled to the plurality of principals for registering the plurality of principals and for determining whether the principals are authorized to produce certain events when the principals are functioning as publishers and whether the principals are authorized to receive the certain events when the principals are functioning as subscribers; and
means in the event server for creating a group session key for establishing one of the multicast groups, by distributing the group session key in an encrypted message to the subscribers, the encrypted message encapsulating the group session key according to a prescribed format;
means in the event server for updating the group session key by utilizing a change password protocol to modify an object in the directory;
means in the event server for notifying the subscribers to reregister in response to the updating of the group session key.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.

19. A computer system functioning as an event server and for establishing multiple secure multicast groups, the computer system comprising:
a communication interface for communicating with a plurality of nodes and for interfacing a multi-master directory to authenticate the computer system and the plurality of nodes, the multi-master directory having access controls on a per object and per attribute basis, wherein the nodes access the directory to determine events that the nodes may process;
a bus coupled to the communication interface for transferring data;
one or more processors coupled to the bus for selectively generating a group session key and private keys corresponding to the plurality of nodes, the group session key being updated by utilizing a change password protocol to modify an object corresponding to the events in the directory;
an event server that is executed by the one or more processors; and
a memory coupled to the one or more processors via the bus, the memory including one or more sequences of instructions which when executed by the one or more processors cause the one or more processors to perform the steps of registering the plurality of nodes, determining whether the nodes are authorized to produce and authorized to receive certain events corresponding to objects of the directory, distributing the group session key to the nodes via a message, the message encapsulating the group session key according to a prescribed format, and selectively reregistering the nodes in response to updating the group session key.
Dependent claims: 20, 21, 22, 23, 24, 25.

26. A computer-readable medium carrying one or more sequences of instructions for securely establishing communication in a multicast group of nodes of a network, in which the network includes publisher nodes, subscriber nodes, a multi-master directory that stores information about events in the network and that can authenticate the subscriber nodes and the publisher nodes, whereby each of the subscriber nodes and the publisher nodes receives a unique private key and that can determine events that the subscribers and the publishers may process, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
registering the subscribers and the publishers with an event server, the event server determining whether the publishers are authorized to produce certain events corresponding to event types and whether the subscribers are authorized to receive the certain events in response to the step of registering; and
generating a group session key for establishing the multicast group, the group session key being encrypted in a first message that has a prescribed format.
Dependent claims: 27, 28, 29, 30.
Specification