Method and apparatus for distributing and updating private keys of multicast group managers using directory replication
First Claim
1. A method for managing session keys for a secure multicast group that includes a plurality of multicast proxy service nodes in a communication network, the method comprising the steps of:
creating and storing an original session key associated with the secure multicast group in a first directory;
receiving through periodic replication of the first directory a new session key for the secure multicast group, for use after addition of a first multicast proxy service node to the secure multicast group, from a second multicast proxy service node of the plurality of multicast proxy service nodes; and
receiving the new session key comprises receiving the new session key from a replication service agent (RSA) that is operable to replicate key information from a local copy of the first directory that is associated with the second multicast proxy service node;
wherein the local copy of the first directory is associated with a directory system agent (DSA) for communicating with one or more of the multicast proxy service nodes that include the second multicast proxy service node.
Abstract
An approach for establishing secure multicast communication among multiple multicast proxy service nodes is disclosed. The multicast proxy service nodes, which can be distributed throughout an enterprise domain, are organized in a logical tree that mimics the logical tree arrangement of domains in a directory server system. The attributes of the multicast proxy service nodes include the group session keys that are members of the secure multicast or broadcast groups. Because keys as well as key version information are housed in the directory, multicast security can be achieved over any number of network domains across the entire enterprise. Key information is stored in, and the logical tree is supported by, a directory service. Replication of the directory accomplishes distribution of keys. Multicast proxy service nodes may obtain current key information from a local copy of the replicated directory.
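The distribution flow the abstract describes (group session keys and their version attribute kept in the directory, the replication service agent copying them to each local directory, proxy nodes reading the current key from the local copy, and a fresh key issued when a node is added), as an added example that is not code from the patent or from any product: a small Python simulation. Everything in it is an assumption, including the class and function names, the record layout, replication triggered by a direct call rather than on the periodic schedule the claims describe, and an HMAC-SHA256 counter-mode cipher standing in for a real AEAD such as AES-GCM. It adds the checks a practitioner would want around this design: each message carries its key version so a receiver can pick the right directory key; a replica refuses a replicated record whose version does not move forward; a node keeps the previous key for one replication interval so in-flight traffic is not lost; and a node added after a rekey never obtains the earlier key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupKeyRecord:
    """One directory entry: a group's session key plus its key_version attribute."""
    group_id: str
    key_version: int
    session_key: bytes

class Directory:
    """A directory copy. The master calls issue_key(); replicas receive records via apply()."""
    def __init__(self):
        self.records = {}

    def issue_key(self, group_id):
        """Version 1 for a new group, or the next version after a membership change."""
        prev = self.records.get(group_id)
        ver = 1 if prev is None else prev.key_version + 1
        self.records[group_id] = GroupKeyRecord(group_id, ver, secrets.token_bytes(32))
        return self.records[group_id]

    def apply(self, rec):
        """Accept a replicated record only if its version moves forward, so a replayed
        or stale replication cannot roll the group back to an old key."""
        cur = self.records.get(rec.group_id)
        if cur is not None and rec.key_version <= cur.key_version:
            return False
        self.records[rec.group_id] = rec
        return True

def replicate(master, replicas):
    """One replication round by the RSA: push every master record to every local replica."""
    return sum(rep.apply(rec) for rec in master.records.values() for rep in replicas)

def _subkeys(session_key):  # separate encryption and MAC keys derived from the group key
    return tuple(hmac.new(session_key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, an illustrative stand-in for a real AEAD such as AES-GCM."""
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]

class ProxyNode:
    KEEP_VERSIONS = 2  # keep the previous key for one replication interval of skew

    def __init__(self, name, replica):
        self.name, self.replica = name, replica
        self.keyring = {}  # (group_id, key_version) -> session_key

    def refresh(self, group_id):  # pull the group's current key from the local replica
        rec = self.replica.records.get(group_id)
        if rec is None:
            raise KeyError(f"{self.name}: {group_id} not yet replicated to this site")
        self.keyring[(group_id, rec.key_version)] = rec.session_key
        self.keyring = {k: v for k, v in self.keyring.items()
                        if k[0] != group_id or k[1] > rec.key_version - self.KEEP_VERSIONS}
        return rec.key_version

    def seal(self, group_id, plaintext):
        # Message = (group_id, key_version, nonce, ciphertext, tag); the version is in the
        # clear but covered by the tag, so the receiver knows which directory key to use.
        ver = self.refresh(group_id)
        enc, mac = _subkeys(self.keyring[(group_id, ver)])
        nonce = secrets.token_bytes(12)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
        aad = group_id.encode() + ver.to_bytes(4, "big") + nonce
        return group_id, ver, nonce, ct, hmac.new(mac, aad + ct, hashlib.sha256).digest()

    def open(self, msg):
        group_id, ver, nonce, ct, tag = msg
        self.refresh(group_id)
        key = self.keyring.get((group_id, ver))
        if key is None:  # a version this node never received through replication
            raise PermissionError(f"{self.name}: no key for {group_id} v{ver}")
        enc, mac = _subkeys(key)
        aad = group_id.encode() + ver.to_bytes(4, "big") + nonce
        if not hmac.compare_digest(hmac.new(mac, aad + ct, hashlib.sha256).digest(), tag):
            raise ValueError(f"{self.name}: message authentication failed")
        return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))

def run_scenario():
    """Two nodes share a group; a third joins, the controller rekeys, the RSA replicates."""
    master, site_a, site_b = Directory(), Directory(), Directory()
    replicas = [site_a, site_b]
    master.issue_key("mcast-feed")
    replicate(master, replicas)
    a, b = ProxyNode("A", site_a), ProxyNode("B", site_b)
    old_msg = a.seal("mcast-feed", b"tick 1")  # constructed sample traffic under v1
    out = {"b_reads_v1": b.open(old_msg) == b"tick 1"}
    site_c = Directory()  # node C is added at a third site
    replicas.append(site_c)
    master.issue_key("mcast-feed")  # the post-join session key, v2
    replicate(master, replicas)
    c = ProxyNode("C", site_c)
    new_msg = a.seal("mcast-feed", b"tick 2")
    out["new_version"] = new_msg[1]
    out["c_reads_v2"] = c.open(new_msg) == b"tick 2"
    try:  # C only ever replicated v2, so traffic from before it joined stays closed to it
        out["c_reads_v1"] = c.open(old_msg) == b"tick 1"
    except PermissionError:
        out["c_reads_v1"] = False
    out["a_reads_v1"] = a.open(old_msg) == b"tick 1"  # A kept v1 for in-flight traffic
    out["rollback_rejected"] = not site_a.apply(GroupKeyRecord("mcast-feed", 1, b"\x00" * 32))
    return out
```

`run_scenario()` returns a dict recording each outcome. The simulation leaves out the two parts the claims assign to the DSA, and they matter most in practice: authenticating each proxy node before it may read the local copy, and protecting the key attribute itself. Replicating a plaintext key attribute to every directory copy widens the set of hosts that hold the group key, so in a real deployment the attribute needs an ACL limiting it to the group's proxy nodes and the replication channel needs to be encrypted and mutually authenticated.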
89 Citations
40 Claims
1. A method for managing session keys for a secure multicast group that includes a plurality of multicast proxy service nodes in a communication network, the method comprising the steps of:
creating and storing an original session key associated with the secure multicast group in a first directory;
receiving through periodic replication of the first directory a new session key for the secure multicast group, for use after addition of a first multicast proxy service node to the secure multicast group, from a second multicast proxy service node of the plurality of multicast proxy service nodes; and
receiving the new session key comprises receiving the new session key from a replication service agent (RSA) that is operable to replicate key information from a local copy of the first directory that is associated with the second multicast proxy service node;
wherein the local copy of the first directory is associated with a directory system agent (DSA) for communicating with one or more of the multicast proxy service nodes that include the second multicast proxy service node.
Dependent claims: 2 to 9.

10. A communication system for managing session keys for a secure multicast group that includes a plurality of multicast proxy service nodes in a communication network, the communication system comprising:
a group controller that creates and manages secure multicast communication among the plurality of multicast proxy service nodes in the secure multicast group;
a computer-readable storage medium comprising one or more instructions which, when executed by one or more processors, cause the one or more processors to carry out the steps of:
creating and storing an original session key associated with the secure multicast group in a first directory;
receiving through periodic replication of the first directory a new session key for the secure multicast group, for use after addition of a first multicast proxy service node to the secure multicast group, from a second multicast proxy service node of the plurality of multicast proxy service nodes; and
the step of receiving the new session key comprises receiving the new session key from a replication service agent (RSA) that is operable to replicate key information from a local copy of the first directory that is associated with the second multicast proxy service node;
wherein the local copy of the first directory is associated with a directory system agent (DSA) for communicating with one or more of the multicast proxy service nodes that include the second multicast proxy service node.
Dependent claims: 11 to 18.

19. A computer-readable storage medium carrying one or more sequences of instructions for managing session keys for a secure multicast group that includes a plurality of multicast proxy service nodes in a communication network, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
creating and storing an original session key associated with the secure multicast group in a first directory;
receiving through periodic replication of the first directory a new session key for the secure multicast group, for use after addition of a first multicast proxy service node to the secure multicast group, from a second multicast proxy service node of the plurality of multicast proxy service nodes; and
the step of receiving the new session key comprises receiving the new session key from a replication service agent (RSA) that is operable to replicate key information from a local copy of the first directory that is associated with the second multicast proxy service node;
wherein the local copy of the first directory is associated with a directory system agent (DSA) for communicating with one or more of the multicast proxy service nodes that include the second multicast proxy service node.
Dependent claims: 20 to 27.

28. An apparatus for managing session keys for a secure multicast group that includes a plurality of multicast proxy service nodes in a communication network, the apparatus comprising:
means for creating and storing an original session key associated with the secure multicast group in a first directory;
means for receiving through periodic replication of the first directory a new session key for the secure multicast group, for use after addition of a first multicast proxy service node to the secure multicast group, from a second multicast proxy service node of the plurality of multicast proxy service nodes; and
the means for receiving the new session key comprise means for receiving the new session key from a replication service agent (RSA) that is operable to replicate key information from a local copy of the first directory that is associated with the second multicast proxy service node;
wherein the local copy of the first directory is associated with a directory system agent (DSA) for communicating with one or more of the multicast proxy service nodes that include the second multicast proxy service node.
Dependent claims: 29 to 36.

37. A communication system for creating a secure multicast or broadcast group, comprising:
a plurality of multicast proxy service nodes;
a directory;
wherein one of the multicast proxy service nodes of the plurality of multicast proxy service nodes is operable to generate and store in the directory a first session key for establishing the secure multicast or broadcast group among the plurality of multicast proxy service nodes;
wherein each multicast proxy service node of the plurality of multicast proxy service nodes has attribute information comprising a group identification value for uniquely identifying a particular multicast proxy service node of the plurality of multicast proxy service nodes; and
the directory further comprises:
a replication service agent (RSA) associated with the directory that is operable to distribute the first session key to other multicast proxy service nodes in the secure multicast or broadcast group by causing the directory to be replicated; and
a directory system agent (DSA) that is operable to communicate with one or more of the multicast proxy service nodes to authenticate each of the multicast proxy service nodes;
wherein the replication service agent (RSA) is operable to replicate the attribute information of the one or more multicast proxy service nodes.
Dependent claims: 38 to 40.
Specification