Method and apparatus for generating pairwise cryptographic transforms based on group keys
First Claim
1. A method of generating a cryptographic transform for use in a point-to-point secure communication session among a first node and a second node that are enrolled in a secure communication group, the method comprising the computer-implemented steps of:
- receiving a group key for use in secure communication among members of the secure communications group that includes the first node and the second node, wherein the first node is seeking to initiate the secure point-to-point communication session within the secure communications group with the second node wherein the secure point-to-point communication session allows the first and the second node to communicate with each other privately with respect to other members of the secure communications group;
- receiving one or more descriptor values that are associated with the group key;
- deriving, based on the group key and the one or more descriptor values, a data-security session key for use in the secure point-to-point communication session by only the first node and the second node privately with respect to the other secure communications group members;
- wherein the secure communications group comprises at least one node besides the first and second node, wherein the group key comprises a single group key that is common to all nodes of the secure communications group and wherein the deriving step is performed within the secure communications group, independently, by only each of the first and second nodes;
- encrypting one or more data packets using the data-security session key; and
- communicating the one or more data packets privately with respect to the other secure communications group members, to the second node as part of the secure communication session.
Abstract
Group key management techniques are applied to generating pairwise keys for point-to-point secure communication applications. Nodes participating in a secure communication group each receive a group key and associated policy information. When a first node wishes to establish a secure point-to-point connection to a second node, the first node derives a pairwise key from the group key and the policy information, for example by hashing the group key together with information identifying the two nodes. As a result, a pairwise key is generated without exchanging negotiation messages between the two nodes and without expensive asymmetric cryptographic computation.
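The derivation the abstract describes, as an added example that is not the patent's own code: two nodes that hold the same group key and policy descriptors each compute the pairwise key locally, with no negotiation messages, and then use it to protect a packet. The names GroupPolicy, derive_pairwise_key, seal_packet and open_packet, and the contents of the policy descriptor, are assumptions. The "hashing" in the abstract is realised here as HKDF-style HMAC-SHA256 with the node identifiers sorted so both ends feed the KDF identical input; the packet cipher is an HMAC-keystream encrypt-then-MAC stand-in for a real AEAD such as AES-GCM, chosen only so the block runs with the standard library.

```python
"""Pairwise session keys derived from a shared group key.

Added illustration of the scheme the abstract describes; not the patent's own
code. GroupPolicy, derive_pairwise_key, seal_packet and open_packet are
hypothetical names. Only the standard library is used: the KDF is HKDF-style
HMAC-SHA256, and the packet cipher is an HMAC-keystream encrypt-then-MAC
stand-in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class GroupPolicy:
    """Descriptor values distributed with the group key (assumed contents)."""
    group_id: str
    key_epoch: int          # increments on every group rekey
    kdf_label: str = "pairwise-session-key"

    def encode(self) -> bytes:
        return f"{self.group_id}|{self.key_epoch}|{self.kdf_label}".encode()


def _hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(n) = HMAC(PRK, T(n-1) | info | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_pairwise_key(group_key: bytes, policy: GroupPolicy,
                        node_a: str, node_b: str) -> bytes:
    """Run locally by each endpoint; no negotiation messages are exchanged.
    Identifiers are sorted so both sides feed the KDF identical input."""
    if node_a == node_b:
        raise ValueError("a pairwise key needs two distinct nodes")
    first, second = sorted((node_a, node_b))
    # HKDF-Extract with the policy bytes as salt binds the key to group and epoch.
    prk = hmac.new(policy.encode(), group_key, hashlib.sha256).digest()
    info = b"pair:" + first.encode() + b"|" + second.encode()
    return _hkdf_expand(prk, info, 32)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(session_key: bytes) -> Tuple[bytes, bytes]:
    return _hkdf_expand(session_key, b"enc", 32), _hkdf_expand(session_key, b"mac", 32)


def seal_packet(session_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Returns nonce(12) | ciphertext | tag(16). Encrypt-then-MAC; a nonce must
    never repeat under one session key."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = os.urandom(12) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def open_packet(session_key: bytes, packet: bytes) -> bytes:
    enc_key, mac_key = _subkeys(session_key)
    nonce, ct, tag = packet[:12], packet[12:-16], packet[-16:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("packet authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> Dict[str, bool]:
    # Constructed sample: the key server has handed nodes A, B and C the same
    # group key and policy. Nothing below sends a negotiation message.
    group_key = hashlib.sha256(b"constructed demo group key").digest()
    policy = GroupPolicy(group_id="branch-vpn", key_epoch=7)
    k_ab_at_a = derive_pairwise_key(group_key, policy, "node-A", "node-B")
    k_ab_at_b = derive_pairwise_key(group_key, policy, "node-B", "node-A")
    k_ac = derive_pairwise_key(group_key, policy, "node-A", "node-C")
    k_ab_next = derive_pairwise_key(group_key, GroupPolicy("branch-vpn", 8), "node-A", "node-B")
    packet = seal_packet(k_ab_at_a, b"hello B, private from C")
    try:
        open_packet(k_ac, packet)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    # With only the inputs modelled here, C holds the group key and knows the
    # identifiers, so C can compute k_ab too; privacy against C would need an
    # input that C does not hold.
    k_ab_at_c = derive_pairwise_key(group_key, policy, "node-A", "node-B")
    return {
        "same_key_both_ends": k_ab_at_a == k_ab_at_b,
        "pair_specific": k_ab_at_a != k_ac,
        "epoch_rekeys": k_ab_at_a != k_ab_next,
        "b_reads_packet": open_packet(k_ab_at_b, packet) == b"hello B, private from C",
        "wrong_key_rejected": wrong_key_rejected,
        "third_member_can_derive": k_ab_at_c == k_ab_at_a,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two points a practitioner would check before adopting this pattern. First, the key is a deterministic function of the group key, the descriptors and the two identifiers, so every holder of the group key can recompute it; confidentiality against other group members depends entirely on the descriptor inputs containing something those members lack, which the abstract does not spell out and this example does not model. Second, bumping key_epoch in the policy is what retires old pairwise keys after a group rekey; without such a field in the descriptors, a compromised old group key would keep yielding valid pairwise keys.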
44 Claims
1. Independent method claim; its full text is given above under First Claim. Dependent claims: 2–12.
13. In a network comprising a key server and first and second nodes that are communicatively coupled to the key server, wherein the first and second nodes each have received a group key for use in a secure communication group that comprises a first node and the second node and have received one or more descriptor values that are associated with the group key, and wherein the first node is seeking to initiate a secure point-to-point communication session with the second node, a method of generating a cryptographic transform for use to secure the communication session among the first node and the second node, the method comprising the computer-implemented steps of:
- deriving, based on the group key and the one or more descriptor values, a data-security session key for use in the secure point-to-point communication session between only the first node and the second node wherein the secure communications session allows the first and second node to communicate with each other within the secure communications group privately with respect to other members of the secure communications group;
- wherein the secure communications group comprises at least one node besides the first and second node, wherein the group key comprises a single group key that is common to all nodes of the secure communications group and wherein the deriving step is performed within the secure communications group, independently, by only each of the first and second nodes;
- encrypting one or more data packets using the data-security session key; and
- communicating the one or more data packets to the second node privately with respect to other members of the secure communications group as part of the secure point-to-point communication session.
Dependent claims: 14–17.
18. A computer-readable medium carrying one or more sequences of instructions for generating a cryptographic transform for use in a point-to-point secure communication session among a first node and a second node that are enrolled in a secure communication group, which instructions, when executed by one or more processors, cause the one or more processors to carry out a process that comprises the steps of:
- receiving a group key for use in secure communication among members of the secure communications group that includes a first node and a second node, wherein the first node is seeking to initiate a secure point-to-point communication session within the secure communications group with the second node wherein the secure point-to-point communication session allows the first and the second node to communicate with each other privately with respect to other members of the secure communications group;
- receiving one or more descriptor values that are associated with the group key;
- deriving, based on the group key and the one or more descriptor values, a data-security session key for use in the secure point-to-point communication session by only the first node and the second node privately with respect to the other secure communications group members;
- wherein the secure communications group comprises at least one node besides the first and second node, wherein the group key comprises a single group key that is common to all nodes of the secure communications group and wherein the deriving step is performed within the secure communications group, independently, by only each of the first and second nodes;
- encrypting one or more data packets using the data-security session key; and
- communicating the one or more data packets privately with respect to the other secure communications group members, to the second node as part of the secure communication session.
Dependent claims: 19–22.
23. An apparatus for generating a cryptographic transform for use in a point-to-point secure communication session among a first node and a second node that are enrolled in a secure communication group, comprising:
- means for receiving a group key for use in secure communication among members of the secure communications group that includes a first node and a second node, wherein the first node is seeking to initiate a secure point-to-point communication session within the secure communications group with the second node wherein the secure point-to-point communication session allows the first and the second node to communicate with each other privately with respect to other members of the secure communications group;
- means for receiving one or more descriptor values that are associated with the group key;
- means for deriving, based on the group key and the one or more descriptor values, a data-security session key for use in the secure point-to-point communication session by only the first node and the second node privately with respect to the other secure communications group members;
- wherein the secure communications group comprises at least one node besides the first and second node, wherein the group key comprises a single group key that is common to all nodes of the secure communications group and wherein the deriving means function within the secure communications group, independently, in only each of the first and second nodes;
- means for encrypting one or more data packets using the data-security session key; and
- means for communicating the one or more data packets privately with respect to the other secure communications group members, to the second node as part of the secure communication session.
Dependent claims: 24–33.
34. An apparatus for generating a cryptographic transform for use in a point-to-point secure communication session among a first node and a second node that are enrolled in a secure communication group, comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
- a processor coupled to the network interface; and
- a storage coupled to the processor for supplying thereto one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out a process that comprises the steps of:
  - receiving a group key for use in secure communication among members of the secure communications group that includes a first node and a second node, wherein the first node is seeking to initiate a secure point-to-point communication session within the secure communications group with the second node wherein the secure point-to-point communication session allows the first and the second node to communicate with each other privately with respect to other members of the secure communications group;
  - receiving one or more descriptor values that are associated with the group key;
  - deriving, based on the group key and the one or more descriptor values, a data-security session key for use in the secure point-to-point communication session by only the first node and the second node privately with respect to the other secure communications group members;
  - wherein the secure communications group comprises at least one node besides the first and second node, wherein the group key comprises a single group key that is common to all nodes of the secure communications group and wherein the deriving step is performed within the secure communications group, independently, by only each of the first and second nodes;
  - encrypting one or more data packets using the data-security session key; and
  - communicating the one or more data packets privately with respect to the other secure communications group members, to the second node as part of the secure communication session.
Dependent claims: 35–44.
Specification