Method and apparatus providing secure multicast group communication
Abstract
An approach for establishing secure multicast communication among multiple members that participate in a multicast group is disclosed. In one feature, multiple multicast proxy service nodes (MPSNs) are defined and control when members join or leave the multicast group. The MPSNs are logically represented by a first binary tree in which each node of the first binary tree is associated with a domain of a directory service and one or more of the MPSNs. A second binary tree is created that has leaf nodes representing each member. The second binary tree is stored in a domain of the directory service with a root node that represents one or more of the MPSNs. The members can each establish multicast communication and serve as a key distribution center. When a member joins the multicast group, a new group session key is determined by replicating a branch of the second binary tree.
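As an added illustration (not the patent's own code) of the claimed member tree and of branch replication on join: each member is a leaf, the root stands for the MPSN and holds the group session key, and admitting a member splits one existing leaf (here called the sponsor) into an internal node, so only the keys on that branch change. The HMAC-based key derivation and the sponsor choice are assumptions of this demo; the claims specify neither.

```python
import hashlib
import hmac

# Assumed for this demo (the claims fix no derivation): an internal node's key
# is HMAC-SHA256 over its two child keys; a leaf key is the member's private key.
def kdf(left: bytes, right: bytes) -> bytes:
    return hmac.new(left, right, hashlib.sha256).digest()

class Node:
    def __init__(self, key):
        self.key = key
        self.left = self.right = self.parent = None

class MemberKeyTree:
    """The claims' second binary tree: one leaf per member; the root stands for
    the multicast proxy service node and holds the group session key."""
    def __init__(self, member, private_key):
        self.root = Node(private_key)
        self.leaves = {member: self.root}

    def group_session_key(self):
        return self.root.key

    def join(self, sponsor, member, private_key):
        """Admit `member` by replicating the sponsor's branch: the sponsor leaf
        becomes an internal node with the old leaf and the new leaf as children,
        then only the path back to the root is rekeyed. Returns that path's length."""
        old = self.leaves[sponsor]
        split, leaf = Node(b""), Node(private_key)
        split.parent = old.parent
        if old.parent is None:            # sponsor was the whole tree
            self.root = split
        elif old.parent.left is old:
            old.parent.left = split
        else:
            old.parent.right = split
        split.left, split.right = old, leaf
        old.parent = leaf.parent = split
        self.leaves[member] = leaf
        changed, node = 0, split
        while node is not None:           # keys off this path are untouched
            node.key = kdf(node.left.key, node.right.key)
            changed, node = changed + 1, node.parent
        return changed

    def path_keys(self, member):  # keys a member holds: leaf up to session key
        keys, node = [], self.leaves[member]
        while node is not None:
            keys.append(node.key)
            node = node.parent
        return keys
```

The return value of `join` shows the rekeying cost growing with tree depth rather than with group size, which is the point of keeping members in a binary tree.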
64 Claims
1. A method of establishing a secure communication session among a plurality of member nodes that participate in a multicast group across a wide area network, comprising the steps of:
- receiving information defining a plurality of multicast proxy service nodes, wherein:
  - the plurality of multicast service nodes are distributed across the wide area network;
  - the plurality of multicast service nodes control when any of the plurality of member nodes join or leave the multicast group; and
  - the plurality of multicast proxy service nodes are logically represented by a first binary tree, wherein:
    - each node of the first binary tree is associated with a domain of a plurality of domains of a directory service that is distributed across the wide area network; and
    - each node of the first binary tree is associated with one or more multicast proxy service nodes of the plurality of multicast proxy service nodes;
- creating and storing a second binary tree that represents the plurality of member nodes, wherein:
  - each of the member nodes of the plurality of member nodes is represented by a leaf node of the second binary tree;
  - the second binary tree is stored in a particular domain of the plurality of domains of the directory service that is distributed across the wide area network;
  - a root node of the second binary tree represents one or more of the multicast proxy service nodes of the plurality of multicast proxy service nodes; and
  - each of the member nodes of the plurality of member nodes is capable of establishing multicast communication and serving as a key distribution center;
- creating and storing a group session key associated with the multicast group and a private key associated with each member node of the multicast group using secure key exchange;
- when an additional member node joins the multicast group, determining a new group session key by replicating a branch of the second binary tree.

Dependent claims 2 to 21 depend from claim 1.
22. A computer-readable medium carrying one or more sequences of instructions for establishing a secure communication session among a plurality of member nodes that participate in a multicast group across a wide area network, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving information defining a plurality of multicast proxy service nodes, wherein:
  - the plurality of multicast service nodes are distributed across the wide area network;
  - the plurality of multicast service nodes control when any of the plurality of member nodes join or leave the multicast group; and
  - the plurality of multicast proxy service nodes are logically represented by a first binary tree, wherein:
    - each node of the first binary tree is associated with a domain of a plurality of domains of a directory service that is distributed across the wide area network; and
    - each node of the first binary tree is associated with one or more multicast proxy service nodes of the plurality of multicast proxy service nodes;
- creating and storing a second binary tree that represents the plurality of member nodes, wherein:
  - each of the member nodes of the plurality of member nodes is represented by a leaf node of the second binary tree;
  - the second binary tree is stored in a particular domain of the plurality of domains of the directory service that is distributed across the wide area network;
  - a root node of the second binary tree represents one or more of the multicast proxy service nodes of the plurality of multicast proxy service nodes; and
  - each of the member nodes of the plurality of member nodes is capable of establishing multicast communication and serving as a key distribution center;
- creating and storing a group session key associated with the multicast group and a private key associated with each member node of the multicast group using secure key exchange;
- when an additional member node joins the multicast group, determining a new group session key by replicating a branch of the second binary tree.
23. An apparatus for establishing a secure communication session among a plurality of member nodes that participate in a multicast group across a wide area network, the apparatus comprising:
- means for receiving information defining a plurality of multicast proxy service nodes that are distributed across the wide area network and that are operable to control when any of the plurality of member nodes join or leave the multicast group;
- means for creating and storing a first binary tree that represents the plurality of multicast proxy service nodes, wherein:
  - each node of the first binary tree is associated with a domain of a plurality of domains of a directory service that is distributed across the wide area network; and
  - each node of the first binary tree is associated with one or more multicast proxy service nodes of the plurality of multicast proxy service nodes;
- means for creating and storing, in a particular domain of the plurality of domains of the directory service that is distributed across the wide area network, a second binary tree that represents the plurality of member nodes, wherein:
  - each of the member nodes of the plurality of member nodes is represented by a leaf node of the second binary tree;
  - a root node of the second binary tree represents one or more of the multicast proxy service nodes of the plurality of multicast proxy service nodes; and
  - each of the member nodes of the plurality of member nodes is operable to establish multicast communication and to serve as a key distribution center;
- means for creating and storing a group session key associated with the multicast group and a private key associated with each member node of the multicast group using secure key exchange;
- means for determining a new group session key by replicating a branch of the second binary tree when an additional member node joins the multicast group.

Dependent claims 24 to 43 depend from claim 23.
44. A communication system for establishing a secure communication session among a plurality of member nodes that participate in a multicast group across a wide area network, the communication system comprising:
- a plurality of multicast proxy service nodes that are distributed across the wide area network and that are operable to control when any of the plurality of member nodes join or leave the multicast group;
- wherein each of the member nodes of the plurality of member nodes is operable to establish multicast communication and to serve as a key distribution center;
- first logic encoded in one or more tangible media for execution and when executed operable to create and store a first binary tree that represents the plurality of multicast proxy service nodes, wherein:
  - each node of the first binary tree is associated with a domain of a plurality of domains of a directory service that is distributed across the wide area network; and
  - each node of the first binary tree is associated with one or more multicast proxy service nodes of the plurality of multicast proxy service nodes;
- second logic encoded in one or more tangible media for execution and when executed operable to:
  - create and store, in a particular domain of the plurality of domains of the directory service that is distributed across the wide area network, a second binary tree that represents the plurality of member nodes, wherein:
    - each of the member nodes of the plurality of member nodes is represented by a leaf node of the second binary tree; and
    - a root node of the second binary tree represents one or more of the multicast proxy service nodes of the plurality of multicast proxy service nodes;
  - create and store a group session key associated with the multicast group and a private key associated with each member node of the multicast group using secure key exchange; and
  - determine a new group session key by replicating a branch of the second binary tree when an additional member node joins the multicast group.

Dependent claims 45 to 64 depend from claim 44.
Specification