Method for overcoming the single point of failure of the central group controller in a binary tree group key exchange approach
Abstract
An approach for managing addition or deletion of nodes in a multicast or broadcast group, which avoids introducing a single point of failure at a group controller, certificate authority, or key distribution center, is disclosed. A central group controller utilizes a binary tree structure to generate and distribute session keys for the establishment of a secure multicast group among multiple user nodes. The central group controller is replicated in a plurality of other group controllers, interconnected in a network having a secure communication channel and connected to a load balancer. The secure communication channel is established using a public key exchange protocol. The load balancer distributes incoming join/leave requests to a master group controller. The master group controller processes the join or leave, generates a new group session key, and distributes the new group session key to all other group controller replicas. Each group controller is successively designated as master group controller in real time when a former master group controller crashes or relinquishes its master authority.
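The flow in the abstract can be sketched as follows. This is an added example, not code from the patent or from any product: it shows which keys are regenerated on a join or leave, how the master replicates them, and how another replica takes over. The heap-indexed tree layout, 128-bit random keys, in-memory copying in place of the secure channel, and all class and method names are assumptions.

```python
import secrets

def new_key():
    return secrets.token_bytes(16)  # assumption: 128-bit random keys

class KeyTree:
    """Complete binary key tree, heap-indexed (assumed layout): node 1 is the
    root and holds the group session key; leaves hold per-member keys."""

    def __init__(self, depth):
        self.first_leaf = 1 << depth
        self.keys = {n: new_key() for n in range(1, 2 * self.first_leaf)}
        self.members = {}  # member id -> leaf index

    def branch(self, leaf):
        """Nodes from the leaf's parent up to the root: the affected branch."""
        path, node = [], leaf >> 1
        while node >= 1:
            path.append(node)
            node >>= 1
        return path

    def _rekey(self, leaf):
        self.keys[leaf] = new_key()          # never reuse a leaf key
        affected = self.branch(leaf)
        for node in affected:                # nodes off the branch keep their keys
            self.keys[node] = new_key()
        return affected

    def join(self, member):
        used = set(self.members.values())
        leaf = next(n for n in range(self.first_leaf, 2 * self.first_leaf)
                    if n not in used)
        self.members[member] = leaf
        return self._rekey(leaf)

    def leave(self, member):
        return self._rekey(self.members.pop(member))

class ControllerCluster:
    """Replicated group controllers behind a load balancer (modeled in memory)."""

    def __init__(self, replicas, depth):
        self.trees = [KeyTree(depth) for _ in range(replicas)]
        for t in self.trees[1:]:             # every replica starts from the same keys
            t.keys = dict(self.trees[0].keys)
        self.alive = [True] * replicas
        self.master = 0

    def fail(self, idx):
        self.alive[idx] = False
        if idx == self.master:               # lowest-numbered live replica takes over
            self.master = next(i for i, up in enumerate(self.alive) if up)

    def handle(self, op, member):
        """Load balancer entry: the master processes the request, then replicates."""
        tree = self.trees[self.master]
        affected = tree.join(member) if op == "join" else tree.leave(member)
        for i, replica in enumerate(self.trees):
            if self.alive[i] and i != self.master:
                replica.keys = dict(tree.keys)
                replica.members = dict(tree.members)
        return affected

    def group_key(self, idx=None):
        return self.trees[self.master if idx is None else idx].keys[1]
```

Only the keys on the path from the changed leaf to the root are replaced, so a departed member's knowledge of the old group session key is useless afterward, and a crashed replica is left holding a stale key rather than blocking the group.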
80 Claims
1. A method for managing addition and deletion of network nodes from and to a secure multicast or broadcast group of network nodes in a communications network without a single point of failure, wherein each of the network nodes is associated with one of a plurality of group controllers, wherein each group controller of the plurality of group controllers is a replica of a particular group controller, and wherein the network nodes and the plurality of group controllers are logically organized in a binary tree that represents the network nodes and the plurality of group controllers, in which leaf nodes of the binary tree represent network nodes that are joining or leaving the secure multicast or broadcast group, intermediate nodes represent other network nodes, and root nodes represent the plurality of group controllers, the method comprising the steps of:
- joining a first group controller to the plurality of group controllers in a local network;
- establishing a secure communication channel between the first group controller and a second group controller of the plurality of group controllers using a key exchange protocol;
- receiving a request to add or delete a network node of the secure multicast or broadcast group from a load balancer that is coupled to the plurality of group controllers;
- creating and storing a new group session key for each network node represented in each branch of the binary tree that is affected by adding or deleting the network node from the secure multicast or broadcast group; and
- distributing a group session key from a third group controller of the plurality of group controllers to the network nodes.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 14
11. A computer-readable storage medium comprising one or more sequences of executable instructions for managing addition and deletion of network nodes from and to a secure multicast or broadcast group of network nodes in a communications network without a single point of failure, wherein each of the network nodes is associated with one of a plurality of group controllers, wherein each group controller of the plurality of group controllers is a replica of a particular group controller, and wherein the network nodes and the plurality of group controllers are logically organized in a binary tree that represents the network nodes and the plurality of group controllers, in which leaf nodes of the binary tree represent network nodes that are joining or leaving the secure multicast or broadcast group, intermediate nodes represent other network nodes, and root nodes represent the plurality of group controllers, and which instructions, when executed by one or more processors, cause the processors to carry out the steps of:
- joining a first group controller to the plurality of group controllers in a local network;
- establishing a secure communication channel between the first group controller and a second group controller of the plurality of group controllers using a public key exchange protocol;
- receiving a request to add or delete a network node of the secure multicast or broadcast group from a load balancer that is coupled to the plurality of group controllers;
- creating and storing a new group session key for each network node represented in each branch of the binary tree that is affected by adding or deleting the network node from the secure multicast or broadcast group; and
- distributing a group session key from a third group controller of the plurality of group controllers to the network nodes.
Dependent claims: 12, 13, 15, 16, 17, 18, 19, 20
21. A method of managing addition and deletion of network nodes from and to a secure multicast or broadcast group of network nodes in a communications network, wherein each of the network nodes is associated with a first group controller comprising information that is replicated in a plurality of group controllers, and wherein the network nodes and the plurality of group controllers are logically organized in a binary tree that represents the network nodes and the plurality of group controllers, in which leaf nodes of the binary tree represent network nodes that are joining or leaving the secure multicast or broadcast group, intermediate nodes represent other network nodes, and root nodes represent the plurality of group controllers, the method comprising the steps of:
- joining the first group controller in a local network in which the plurality of group controllers are coupled;
- establishing a secure channel between the first group controller and the plurality of group controllers through secure key exchange;
- receiving a request to add or delete a network node from a load balancer that controls distribution of requests to the plurality of group controllers;
- generating a new group session key for each network node represented in each branch of the binary tree that is affected by adding or deleting the network node from the secure multicast or broadcast group; and
- distributing the group session key from the first group controller to the other group controllers of the plurality of group controllers over the secure channel.
Dependent claims: 22, 23
24. A method for creating a secure multicast or broadcast group, the method comprising the steps of:
- establishing a secure communication channel among a plurality of group controllers via a public key exchange protocol;
- load balancing traffic emanating from a plurality of network nodes to the plurality of group controllers; and
- distributing a group session key by one of the group controllers based upon a logical arrangement of the network nodes in a binary tree structure, the binary tree structure having a root node, intermediate nodes, and leaf nodes, wherein the plurality of network nodes correspond to leaf nodes of the binary tree structure and the plurality of group controllers correspond to the root node.
Dependent claims: 25, 26, 27, 28, 29, 30
31. A computer system that can manage addition and deletion of network nodes from and to a secure multicast or broadcast group of network nodes in a communications network without a single point of failure, wherein each of the network nodes is associated with one of a plurality of group controllers, wherein each group controller of the plurality of group controllers is a replica of a particular group controller, and wherein the network nodes and the plurality of group controllers are logically organized in a binary tree that represents the network nodes and the plurality of group controllers, in which leaf nodes of the binary tree represent network nodes that are joining or leaving the secure multicast or broadcast group, intermediate nodes represent other network nodes, and root nodes represent the plurality of group controllers, the computer system comprising:
- a load balancer coupled to the plurality of group controllers for interfacing inbound service requests to a selected group controller of the plurality of group controllers;
- a bus coupled to the load balancer for transferring data;
- one or more processors coupled to the bus for selectively generating a group session key under control of program instructions;
- a memory coupled to the one or more processors via the bus;
- one or more sequences of program instructions stored in the memory which, when executed by the one or more processors cause the one or more processors to perform the steps of:
  - joining a first group controller to the plurality of group controllers in a local network;
  - establishing a secure communication channel between the first group controller and a second group controller of the plurality of group controllers using a key exchange protocol;
  - receiving a request to add or delete a network node of the secure multicast or broadcast group from the load balancer that is coupled to the plurality of group controllers;
  - creating and storing a new group session key for each network node represented in each branch of the binary tree that is affected by adding or deleting the network node from the secure multicast or broadcast group;
  - distributing the group session key from a third group controller of the plurality of group controllers to the network nodes.
Dependent claims: 32, 33, 34, 35, 36, 37, 38, 39, 40
41. An apparatus for managing addition and deletion of network nodes from and to a secure multicast or broadcast group of network nodes in a communications network without a single point of failure, wherein each of the network nodes is associated with one of a plurality of group controllers, wherein each group controller of the plurality of group controllers is a replica of a particular group controller, and wherein the network nodes and the plurality of group controllers are logically organized in a binary tree that represents the network nodes and the plurality of group controllers, in which leaf nodes of the binary tree represent network nodes that are joining or leaving the secure multicast or broadcast group, intermediate nodes represent other network nodes, and root nodes represent the plurality of group controllers, the apparatus comprising:
- means for joining a first group controller to the plurality of group controllers in a local network;
- means for establishing a secure communication channel between the first group controller and a second group controller of the plurality of group controllers using a key exchange protocol;
- means for receiving a request to add or delete a network node of the secure multicast or broadcast group from a load balancer that is coupled to the plurality of group controllers;
- means for creating and storing a new group session key for each network node represented in each branch of the binary tree that is affected by adding or deleting the network node from the secure multicast or broadcast group; and
- means for distributing a group session key from a third group controller of the plurality of group controllers to the network nodes.
Dependent claims: 42, 43, 44, 45, 46, 47, 48, 49, 50
51. A computer-readable storage medium comprising one or more sequences of executable instructions for managing addition and deletion of network nodes from and to a secure multicast or broadcast group of network nodes in a communications network, wherein each of the network nodes is associated with a first group controller comprising information that is replicated in a plurality of group controllers, and wherein the network nodes and the plurality of group controllers are logically organized in a binary tree that represents the network nodes and the plurality of group controllers, in which leaf nodes of the binary tree represent network nodes that are joining or leaving the secure multicast or broadcast group, intermediate nodes represent other network nodes, and root nodes represent the plurality of group controllers, and which instructions, when executed by one or more processors, cause the processors to carry out the steps of:
- joining the first group controller in a local network in which the plurality of group controllers are coupled;
- establishing a secure channel between the first group controller and the plurality of group controllers through secure key exchange;
- receiving a request to add or delete a network node from a load balancer that controls distribution of requests to the plurality of group controllers;
- generating a new group session key for each network node represented in each branch of the binary tree that is affected by adding or deleting the network node from the secure multicast or broadcast group; and
- distributing the group session key from the first group controller to the other group controllers of the plurality of group controllers over the secure channel.
Dependent claims: 52, 53
54. A computer-readable storage medium comprising one or more sequences of executable instructions for creating a secure multicast or broadcast group, and which instructions, when executed by one or more processors, cause the processors to carry out the steps of:
- establishing a secure communication channel among a plurality of group controllers via a public key exchange protocol;
- load balancing traffic emanating from a plurality of network nodes to the plurality of group controllers; and
- distributing a group session key by one of the group controllers based upon a logical arrangement of the network nodes in a binary tree structure, the binary tree structure having a root node, intermediate nodes, and leaf nodes, wherein the plurality of network nodes correspond to leaf nodes of the binary tree structure and the plurality of group controllers correspond to the root node.
Dependent claims: 55, 56, 57, 58, 59, 60
61. A computer system that can manage addition and deletion of network nodes from and to a secure multicast or broadcast group of network nodes in a communications network, wherein each of the network nodes is associated with a first group controller comprising information that is replicated in a plurality of group controllers, and wherein the network nodes and the plurality of group controllers are logically organized in a binary tree that represents the network nodes and the plurality of group controllers, in which leaf nodes of the binary tree represent network nodes that are joining or leaving the secure multicast or broadcast group, intermediate nodes represent other network nodes, and root nodes represent the plurality of group controllers, the computer system comprising:
- a load balancer coupled to the plurality of group controllers for interfacing inbound service requests to a selected group controller of the plurality of group controllers;
- a bus coupled to the load balancer for transferring data;
- one or more processors coupled to the bus for selectively generating a group session key under control of program instructions;
- a memory coupled to the one or more processors via the bus;
- one or more sequences of program instructions stored in the memory which, when executed by the one or more processors cause the one or more processors to perform the steps of:
  - joining the first group controller in a local network in which the plurality of group controllers are coupled;
  - establishing a secure channel between the first group controller and the plurality of group controllers through secure key exchange;
  - receiving a request to add or delete a network node from the load balancer that controls distribution of requests to the plurality of group controllers;
  - generating a new group session key for each network node represented in each branch of the binary tree that is affected by adding or deleting the network node from the secure multicast or broadcast group; and
  - distributing the group session key from the first group controller to the other group controllers of the plurality of group controllers over the secure channel.
Dependent claims: 62, 63
64. A computer system that can create a secure multicast or broadcast group, the computer system comprising:
- a load balancer coupled to the plurality of group controllers for interfacing inbound service requests to a selected group controller of the plurality of group controllers;
- a bus coupled to the load balancer for transferring data;
- one or more processors coupled to the bus for selectively generating a group session key under control of program instructions;
- a memory coupled to the one or more processors via the bus;
- one or more sequences of program instructions stored in the memory which, when executed by the one or more processors cause the one or more processors to perform the steps of:
  - establishing a secure communication channel among a plurality of group controllers via a public key exchange protocol;
  - load balancing traffic emanating from a plurality of network nodes to the plurality of group controllers; and
  - distributing a group session key by one of the group controllers based upon a logical arrangement of the network nodes in a binary tree structure, the binary tree structure having a root node, intermediate nodes, and leaf nodes, wherein the plurality of network nodes correspond to leaf nodes of the binary tree structure and the plurality of group controllers correspond to the root node.
Dependent claims: 65, 66, 67, 68, 69, 70
71. An apparatus for managing addition and deletion of network nodes from and to a secure multicast or broadcast group of network nodes in a communications network, wherein each of the network nodes is associated with a first group controller comprising information that is replicated in a plurality of group controllers, and wherein the network nodes and the plurality of group controllers are logically organized in a binary tree that represents the network nodes and the plurality of group controllers, in which leaf nodes of the binary tree represent network nodes that are joining or leaving the secure multicast or broadcast group, intermediate nodes represent other network nodes, and root nodes represent the plurality of group controllers, the apparatus comprising:
- means for joining the first group controller in a local network in which the plurality of group controllers are coupled;
- means for establishing a secure channel between the first group controller and the plurality of group controllers through secure key exchange;
- means for receiving a request to add or delete a network node from a load balancer that controls distribution of requests to the plurality of group controllers;
- means for generating a new group session key for each network node represented in each branch of the binary tree that is affected by adding or deleting the network node from the secure multicast or broadcast group; and
- means for distributing the group session key from the first group controller to the other group controllers of the plurality of group controllers over the secure channel.
Dependent claims: 72, 73
74. An apparatus for creating a secure multicast or broadcast group, the apparatus comprising:
- means for establishing a secure communication channel among a plurality of group controllers via a public key exchange protocol;
- means for load balancing traffic emanating from a plurality of network nodes to the plurality of group controllers; and
- means for distributing a group session key by one of the group controllers based upon a logical arrangement of the network nodes in a binary tree structure, the binary tree structure having a root node, intermediate nodes, and leaf nodes, wherein the plurality of network nodes correspond to leaf nodes of the binary tree structure and the plurality of group controllers correspond to the root node.
Dependent claims: 75, 76, 77, 78, 79, 80
Specification