Method and apparatus for distributing and updating private keys of multicast group managers using directory replication
Abstract
An approach for establishing secure multicast communication among multiple multicast proxy service nodes is disclosed. The multicast proxy service nodes, which can be distributed throughout an enterprise domain, are organized in a logical tree that mimics the logical tree arrangement of domains in a directory server system. The attributes of the multicast proxy service nodes include the group session key and the private keys of the multicast proxy service nodes that are members of the multicast or broadcast groups. The private keys provide unique identification values for the multicast proxy service nodes, thereby facilitating distribution of such keys. Because keys as well as key version information are housed in the directory, multicast security can be achieved over any number of network domains across the entire enterprise. Key information is stored in, and the logical tree is supported by, a directory service. Replication of the directory accomplishes distribution of keys. Multicast proxy service nodes may obtain current key information from a local copy of the replicated directory.
27 Claims
1. A method for communicating a session key from a first multicast proxy service node of a secure multicast group to a plurality of other multicast proxy service nodes of the secure multicast group in a communication network, wherein each of the multicast proxy service nodes is capable of establishing multicast communication and serving as a key distribution center, the method comprising the steps of:
creating and storing an original group session key associated with the secure multicast group in a first directory that is based on the Lightweight Directory Access Protocol (LDAP) directory standard;
authenticating the first multicast proxy service node with a subset of the multicast proxy service nodes that are affected by an addition of the first multicast proxy service node to the secure multicast group, based on the original group session key stored in the first directory that is based on the LDAP directory standard;
receiving a plurality of private keys from the subset of the multicast proxy service nodes;
receiving a new group session key for the secure multicast group, for use after addition of the first multicast proxy service node, from a local multicast proxy service node that has received the original group session key through periodic replication of the first directory that is based on the LDAP directory standard;
communicating the new group session key to the first multicast proxy service node; and
communicating a message to the subset of the multicast proxy service nodes that causes the subset of the multicast proxy service nodes to update their private keys.
Dependent claims: 2, 3, 4, 5, 6.
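The join and rekey procedure recited in claim 1 (and repeated in claims 7, 16 and 22), together with the abstract's point that the directory carries key version information alongside the keys, modelled as an added example in Python. This is not code from the patent or from any product implementing it. The class and function names (MasterDirectory, ReplicaDirectory, ProxyNode, join_group, demo), the HMAC challenge-response used for the authentication step, the hash-based derivation of a node's updated private key, and the LDAP-style group name are all assumptions of this example; the patent specifies none of them. The example goes one step beyond the claim text by showing what happens when a node's local replica has not yet received the current key version.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class GroupEntry:
    """Directory attributes of a secure multicast group: session key plus key version."""
    session_key: bytes
    version: int

class ReplicaDirectory:
    """Local replica a proxy node reads; it lags the master until replicate() runs."""
    def __init__(self):
        self.groups = {}

class MasterDirectory:
    """Master LDAP-style directory holding the group entries that get pushed to replicas."""
    def __init__(self):
        self.groups, self.replicas = {}, []

    def store_session_key(self, group):
        """Create (version 1) or rotate (version + 1) the group session key."""
        old = self.groups.get(group)
        self.groups[group] = GroupEntry(secrets.token_bytes(32), 1 if old is None else old.version + 1)
        return self.groups[group]

    def replicate(self):
        """Periodic replication: every replica receives a snapshot of the master entries."""
        for replica in self.replicas:
            replica.groups = {g: GroupEntry(e.session_key, e.version) for g, e in self.groups.items()}

class ProxyNode:
    """A multicast proxy service node: its private key and the group keys it has installed."""
    def __init__(self, node_id, replica):
        self.node_id, self.replica = node_id, replica
        self.private_key = secrets.token_bytes(32)
        self.installed = {}

    def install_group_key(self, group, entry):
        """Refuse a key whose version is not newer than the one held (no rollback via stale data)."""
        current = self.installed.get(group)
        if current is not None and entry.version <= current.version:
            raise ValueError(f"{self.node_id}: refusing rollback to key version {entry.version}")
        self.installed[group] = entry

    def prove_membership(self, group, nonce):
        """Answer a challenge with an HMAC keyed by the group session key in the local replica."""
        entry = self.replica.groups.get(group)
        if entry is None:
            raise LookupError(f"{self.node_id}: group not yet replicated locally")
        return hmac.new(entry.session_key, nonce + self.node_id.encode(), hashlib.sha256).digest()

    def verify_peer(self, group, peer_id, nonce, proof):
        """Check a peer's proof against the key version this node currently has installed."""
        key = self.installed[group].session_key
        expected = hmac.new(key, nonce + peer_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    def update_private_key(self, new_version):
        """Rekey message handler: derive a fresh private key bound to the new key version."""
        self.private_key = hashlib.sha256(b"rekey|" + self.private_key + new_version.to_bytes(4, "big")).digest()
        return self.private_key

def join_group(master, joiner, local_kdc, affected, group):
    """Steps of claim 1 for one joining node; `affected` is the subset that must rekey."""
    for peer in affected:                                   # authenticate with each affected node
        nonce = secrets.token_bytes(16)
        if not peer.verify_peer(group, joiner.node_id, nonce, joiner.prove_membership(group, nonce)):
            raise PermissionError(f"{joiner.node_id} failed authentication with {peer.node_id}")
    collected = {p.node_id: p.private_key for p in affected}   # receive their private keys
    if local_kdc.replica.groups.get(group) is None:             # KDC must hold the replicated original key
        raise LookupError(f"{local_kdc.node_id}: cannot act as KDC before replication")
    new_entry = master.store_session_key(group)                 # KDC writes the new key to the directory
    joiner.install_group_key(group, new_entry)                  # communicate it to the joiner
    for peer in affected:                                       # message that makes the subset rekey
        peer.install_group_key(group, new_entry)
        peer.update_private_key(new_entry.version)
    return {"version": new_entry.version, "collected": collected}

def demo():
    """Constructed scenario: two members, one newcomer, and a late joiner on a stale replica."""
    group = "cn=mcast-group-1,dc=example,dc=com"        # constructed LDAP-style name
    master, shared, lagging = MasterDirectory(), ReplicaDirectory(), ReplicaDirectory()
    master.replicas.extend([shared, lagging])
    a, b = ProxyNode("node-a", shared), ProxyNode("node-b", shared)
    newcomer, late = ProxyNode("node-c", shared), ProxyNode("node-d", lagging)
    master.store_session_key(group)                      # original group session key, version 1
    master.replicate()                                   # it reaches both replicas
    for n in (a, b):
        n.install_group_key(group, shared.groups[group])
    key_b_before = b.private_key
    first = join_group(master, newcomer, a, [a, b], group)   # master moves to version 2
    try:                                                 # node-d's replica still holds version 1
        join_group(master, late, a, [a, b], group)
        stale_rejected = False
    except PermissionError:
        stale_rejected = True
    master.replicate()                                   # next cycle: node-d catches up, join succeeds
    second = join_group(master, late, a, [a, b], group)
    return {"first_version": first["version"], "second_version": second["version"],
            "b_rekeyed": key_b_before != b.private_key, "stale_rejected": stale_rejected}
```

Two behaviours matter for anyone operating such a scheme. A node whose local replica still holds the previous key version fails the authentication step outright rather than being admitted under an old key, so replication lag surfaces as a visible join failure that clears on the next replication cycle. And because each node keeps the version number beside the key, a stale or replayed directory entry with a lower version is rejected by install_group_key instead of silently rolling the node back.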
7. A communication system for communicating a session key from a first multicast proxy service node of a secure multicast group to a plurality of other multicast proxy service nodes of the secure multicast group in a communication network, wherein each of the multicast proxy service nodes is capable of establishing multicast communication and serving as a key distribution center, the communication system comprising:
a group controller that creates and manages secure multicast communication among the other multicast proxy service nodes, having a private key;
a computer-readable medium comprising one or more instructions which, when executed by one or more processors, cause the one or more processors to carry out the steps of:
creating and storing an original group session key associated with the secure multicast group in a first directory that is based on the Lightweight Directory Access Protocol (LDAP) directory standard;
authenticating the first multicast proxy service node with a subset of the multicast proxy service nodes that are affected by an addition of the multicast proxy service node to the secure multicast group, based on the original group session key stored in the first directory that is based on the LDAP directory standard;
receiving a plurality of private keys from the subset of the multicast proxy service nodes;
receiving a new group session key for the secure multicast group, for use after addition of the first multicast proxy service node, from a local multicast proxy service node that has received the original group session key through periodic replication of the first directory that is based on the LDAP directory standard;
communicating the new group session key to the first multicast proxy service node; and
communicating a message to the subset of the multicast proxy service nodes that causes the subset of the multicast proxy service nodes to update their private keys.
Dependent claims: 8, 9, 10, 11, 12.
13. A communication system for creating a secure multicast or broadcast group, the communication system comprising:
a plurality of multicast proxy service nodes, each node of the plurality of multicast proxy service nodes having attribute information comprising a group identification value for uniquely identifying a particular node of the multicast proxy service nodes, and a directory that is based on the LDAP directory standard and that comprises a directory system agent (DSA) for communicating with one or more of the multicast proxy service nodes to authenticate each of the multicast proxy service nodes and a replication service agent (RSA) for replicating the attribute information of the one or more multicast proxy service nodes;
wherein one of the multicast proxy service nodes generates a first group session key for establishing the secure multicast or broadcast group among the plurality of multicast proxy service nodes and distributes the first group session key to other multicast proxy service nodes in the secure multicast or broadcast group using directory replication of the directory that is based on the Lightweight Directory Access Protocol (LDAP) directory standard.
Dependent claims: 14, 15.
16. A computer-readable medium carrying one or more sequences of instructions for communicating a session key from a first multicast proxy service node of a secure multicast group to a plurality of other multicast proxy service nodes of the secure multicast group in a communication network, wherein each of the multicast proxy service nodes is capable of establishing multicast communication and serving as a key distribution center, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
creating and storing an original group session key associated with the secure multicast group in a first directory that is based on the Lightweight Directory Access Protocol (LDAP) directory standard;
authenticating the first multicast proxy service node with a subset of the multicast proxy service nodes that are affected by an addition of the first multicast proxy service node to the secure multicast group, based on the original group session key stored in the first directory that is based on the LDAP directory standard;
receiving a plurality of private keys from the subset of the multicast proxy service nodes;
receiving a new group session key for the secure multicast group for use after addition of the first multicast proxy service node from a local multicast proxy service node that has received the original group session key through periodic replication of the first directory that is based on the LDAP directory standard;
communicating the new group session key to the first multicast proxy service node; and
communicating a message to the subset of the multicast proxy service nodes that causes the subset of the multicast proxy service nodes to update their private keys.
Dependent claims: 17, 18, 19, 20, 21.
22. An apparatus for communicating a session key from a first multicast proxy service node of a secure multicast group to a plurality of other multicast proxy service nodes of the secure multicast group in a communication network, wherein each of the multicast proxy service nodes is capable of establishing multicast communication and serving as a key distribution center, the apparatus comprising:
means for creating and storing an original group session key associated with the secure multicast group in a first directory that is based on the Lightweight Directory Access Protocol (LDAP) directory standard;
means for authenticating the first multicast proxy service node with a subset of the multicast proxy service nodes that are affected by an addition of the first multicast proxy service node to the secure multicast group, based on the original group session key stored in the first directory that is based on the LDAP directory standard;
means for receiving a plurality of private keys from the subset of the multicast proxy service nodes;
means for receiving a new group session key for the secure multicast group, for use after addition of the first multicast proxy service node, from a local multicast proxy service node that has received the original group session key through periodic replication of the first directory that is based on the LDAP directory standard;
means for communicating the new group session key to the first multicast proxy service node; and
means for communicating a message to the subset of the multicast proxy service nodes that causes the subset of the multicast proxy service nodes to update their private keys.
Dependent claims: 23, 24, 25, 26, 27.
Specification