System and method for dynamic secured group communication

US 7,509,491 B1
Filed: 06/14/2004
Issued: 03/24/2009
Est. Priority Date: 06/14/2004
Status: Active Grant

First Claim

Patent Images

1. A method of secure communications within a group comprising:

identifying a plurality of potential recipients as members of a group, the group denoted by a group identifier (ID);

receiving security credentials for the group corresponding to the group identifier;

associating the received security credentials with the group identifier indicative of potential recipients in the group; and

employing the security credentials via the group identifier for a communication from a member of the group to at least one other member of the group;

wherein;

identifying the plurality of potential recipients as members of the group, the group denoted by the group identifier (ID) comprises identifying, by a data communications device, the plurality of potential recipients as members of the group by a virtual private network group identifier (VPN ID), the VPN ID associated with a group prefix indicative of an address subrange denoting group members;

receiving security credentials for the group corresponding to the group identifier comprises receiving from a key management server by the data communications device a group key for the group associated with the VPN ID;

associating the received security credentials with the group identifier indicative of potential recipients in the group comprises associating, by the data communications device, the group key with the VPN ID associated with the group prefix indicative of the address subrange denoting group members; and

employing the security credentials via the group identifier for the communication from a member of the group to at least one other member of the group comprises;

identifying, by the data communications device, a transmission as having a prefix indicative of an address subrange denoting group members, andemploying, by the data communications device, the group key to one of encrypt or decrypt the transmission when the transmission has a prefix indicative of an address subrange denoting group members.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Conventional mechanisms exist for denoting such a communications group (group) and for establishing point-to-point, or unicast, secure connections between members of the communications group. In a particular arrangement, group members employ a group key operable for multicast security for unicast communication, thus avoiding establishing additional unicast keys for each communication between group members. Since the recipient of such a unicast message may not know the source, however, the use of the group key assures the recipient that the sender is a member of the same group. Accordingly, a system which enumerates a set of subranges (subnets) included in a particular group, such as a VPN, and establishing a group key corresponding to the group applies the group key to communications from the group members in the subnet. The group key is associated with the group ID by enumerating the address prefixes corresponding to each of the subnets in the group, and examining outgoing transmissions for destination addresses matching one of the address prefixes corresponding to the group.

108 Citations

View as Search Results

30 Claims

1. A method of secure communications within a group comprising:
- identifying a plurality of potential recipients as members of a group, the group denoted by a group identifier (ID);
  
  receiving security credentials for the group corresponding to the group identifier;
  
  associating the received security credentials with the group identifier indicative of potential recipients in the group; and
  
  employing the security credentials via the group identifier for a communication from a member of the group to at least one other member of the group;
  
  wherein;
  
  identifying the plurality of potential recipients as members of the group, the group denoted by the group identifier (ID) comprises identifying, by a data communications device, the plurality of potential recipients as members of the group by a virtual private network group identifier (VPN ID), the VPN ID associated with a group prefix indicative of an address subrange denoting group members;
  
  receiving security credentials for the group corresponding to the group identifier comprises receiving from a key management server by the data communications device a group key for the group associated with the VPN ID;
  
  associating the received security credentials with the group identifier indicative of potential recipients in the group comprises associating, by the data communications device, the group key with the VPN ID associated with the group prefix indicative of the address subrange denoting group members; and
  
  employing the security credentials via the group identifier for the communication from a member of the group to at least one other member of the group comprises;
  
  identifying, by the data communications device, a transmission as having a prefix indicative of an address subrange denoting group members, andemploying, by the data communications device, the group key to one of encrypt or decrypt the transmission when the transmission has a prefix indicative of an address subrange denoting group members.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 29)
- - 2. The method of claim 1 wherein the receiving security credentials further comprises:
    - establishing, at a key management server, a group key for the group associated with the group ID; and
      
      transmitting the resulting security credentials including the group key to data communications devices.
  - 3. The method of claim 2 wherein the security credentials further comprise an announcement, the announcement operable for receipt by the data communications devices and including at least one of:
    - the group ID indicative of the members of the group;
      
      an address of a key server having the group key; and
      
      an authentication method to be employed with respect to the key for distributing the key to the data communications devices.
  - 4. The method of claim 3 wherein employing the security credentials further comprises:
    - communicating with the key management server identified in the multicast announcement;
      
      authenticating with the key management server and the group ID; and
      
      receiving the key corresponding to the group ID.
  - 5. The method of claim 1 further comprising:
    - identifying a subset of the group denoted by a group prefix indicative of an address subrange denoting group members;
      
      propagating the group prefix and the group ID to other group members corresponding to other group prefixes indicative of an address subrange denoting group members;
      
      identifying a communication as destined for another group member; and
      
      employing the key corresponding to the group for the communication to the other group member.
  - 6. The method of claim 5 further comprising:
    - identifying a transmission destined for a recipient subrange corresponding to a particular group;
      
      retrieving security credentials associated with the particular group; and
      
      employing the retrieved security credentials for the identified transmission with group.
  - 7. The method of claim 6 wherein the key corresponding to the group security credentials is operable to transform a packet by delivering an encrypted payload representing the packet to a plurality of group members via the key.
  - 8. The method of claim 6 wherein the group is a logical group operable to include group members according to an external protocol, wherein communication between group members further employs consistent routing information between group members.
  - 9. The method of claim 8 wherein the received security credentials are operable to enable data communication devices to receive the same group key avoiding reestablishment of a trusted connection for successive communications between different data communication devices.
  - 10. The method of claim 1 wherein the group further comprises a plurality of address subranges, each address subrange indicative of at least one recipient.
  - 11. The method of claim 10 wherein the communication is from a group member to a plurality of group members employing the same security credentials and avoiding establishing a point to point key from the group member to each of the plurality of group members.
  - 12. The method of claim 11 wherein the communication employs a tunnel mode with header preservation to enable routing information to remain visible in a manner nonintrusive to the encrypted payload.
  - 13. The method of claim 12 wherein communications further allows authentication assurances by comparison of inner and outer header upon delivery.
  - 29. The method of claim 1, wherein the data communication device comprises a gateway router and wherein the plurality of potential recipients comprises client devices.

14. A data communications device for establishing secure group communications comprising:
- a processor coupled to a memory and operable to identify a plurality of potential recipients as members of a group, the group denoted by a group identifier;
  
  an interface coupled to the processor and operable to receive security credentials for the group corresponding to the group identifier; and
  
  a routing table in the memory, the routing table responsive to the processor, and operable to associate the received security credentials with the group identifier indicative of potential recipients in the group, the processor operable to employ the security credentials via the group identifier for a communication from a member of the group to at least one other member of the group;
  
  wherein;
  
  the processor coupled to a memory is operable, when identifying the plurality of potential recipients as members of the group, the group denoted by the group identifier, to identify the plurality of potential recipients as members of the group, the group denoted by a virtual private network group identifier (VPN ID), the VPN ID associated with a group prefix indicative of an address subrange denoting group members;
  
  the interface coupled to the processor is operable, when receiving security credentials for the group corresponding to the group identifier to receive a group key for the group associated with the VPN ID;
  
  the routing table in the memory, the routing table responsive to the processor, is operable when associating the received security credentials with the group identifier indicative of potential recipients in the group to associate the group key with the VPN ID associated with the group prefix indicative of the address subrange denoting group members; and
  
  the processor operable, when employing the security credentials via the group identifier for the communication from a member of the group to at least one other member of the group, to;
  
  identify a transmission as having a prefix indicative of an address subrange denoting group members, andemploy the group key to one of encrypt or decrypt the transmission when the transmission has a prefix indicative of an address subrange denoting group members.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 30)
- - 15. The data processing device of claim 14 wherein the processor is further operable to:
    - establish, via the received security credentials, a group key at a key management server for the group associated with the group identifier; and
      
      transmit the resulting security credentials indicative of the group key to the data communications device.
  - 16. The data processing device of claim 15 wherein the security credentials further comprise a routing prefix announcement, the routing prefix announcement operable for receipt by data communication devices and including at least one of:
    - the group ID indicative of the members of the group;
      
      the address of the key management server having the group key; and
      
      an authentication method to be employed with respect to the key.
  - 17. The data processing device of claim 16 wherein the device is further operable to employ the security credentials to:
    - communicate with the key management server identified in the announcement;
      
      authenticate with the key management server and the group ID; and
      
      receive the group key corresponding to the group ID.
  - 18. The data processing device of claim 14 wherein the device is a routing device further operable to:
    - identify a subset of the group denoted by a group prefix indicative of an address subrange denoting group members;
      
      propagate the group prefix and the group ID to other group members corresponding to other group prefixes indicative of an address subrange denoting group members;
      
      identify a communication as destined for another group member; and
      
      employ the key corresponding to the group for the communication to the other group member.
  - 19. The data processing device of claim 18 wherein the device is further operable to:
    - identify a transmission destined for a recipient subrange corresponding to a particular group;
      
      retrieve security credentials associated with the particular group; and
      
      employ the retrieved security credentials for the identified transmission with the recipient group.
  - 20. The data processing device of claim 19 wherein the key corresponding to the group security credentials is operable to transform a packet by delivering encrypted payload representing that packet to a plurality of group members via the key.
  - 21. The data processing device of claim 19 wherein the group is a logical group operable to include group members according to an external protocol, wherein communication between group members further employs consistent routing information between group members.
  - 22. The data processing device of claim 19 wherein the retrieved security credentials are operable to enable data communications devices to receive the same group key to avoid reestablishment of a trusted connection for successive communications between different data communications devices.
  - 23. The data processing device of claim 14 wherein the group further comprises a plurality of address subranges, each address subrange indicative of at least one recipient.
  - 24. The data processing device of claim 23 wherein the communication is from a group member to a plurality of group members employing the same security credentials and avoids establishing a point to point key from the group member to each of the plurality of group members.
  - 25. The data processing device of claim 24 wherein the communication employs a tunnel mode with header preservation to enable routing information to remain visible in a manner nonintrusive to the encrypted payload.
  - 26. The data processing device of claim 25 wherein communications further allows authentication assurances by comparison of inner and outer header upon delivery.
  - 30. The data communication device of claim 14, wherein the data communication device comprises a gateway router.

27. A computer program product having a computer readable medium operable to store computer program logic embodied in computer program code encoded thereon for secure communications within a group comprising:
- computer program code for identifying a plurality of potential recipients as members of a group, the group denoted by a group identifier;
  
  computer program code for receiving security credentials for the group corresponding to the group identifier;
  
  computer program code for associating the received security credentials with the group identifier indicative of potential recipients in the group; and
  
  computer program code for employing the security credentials via the group identifier for a communication from a member of the group to at least one other member of the group;
  
  wherein;
  
  computer program code for identifying a plurality of potential recipients as members of a group, the group denoted by a group identifier comprises computer program code for identifying the plurality of potential recipients as members of the group, the group denoted by a virtual private network group identifier (VPN ID), the VPN ID associated with a group prefix indicative of an address subrange denoting group members;
  
  computer program code for receiving security credentials for the group corresponding to the group identifier comprises computer program code for receiving a group key for the group associated with the VPN ID;
  
  computer program code for associating the received security credentials with the group identifier indicative of potential recipients in the group comprises computer program code for associating the group key with the VPN ID associated with the group prefix indicative of the address subrange denoting group members; and
  
  computer program code for employing the security credentials via the group identifier for a communication from a member of the group to at least one other member of the group comprises;
  
  computer program code for identifying a transmission—
  
  as having a prefix indicative of an address subrange denoting group members, andcomputer program code for employing the group key to one of encrypt or decrypt the transmission when the transmission has a prefix indicative of an address subrange denoting group members.

28. A data communications device for establishing secure group communications comprising:
- means for identifying a plurality of potential recipients as members of a group, the group denoted by a group identifier;
  
  means for receiving security credentials for the group corresponding to the group identifier;
  
  means for associating the received security credentials with the group identifier indicative of potential recipients in the group; and
  
  means for employing the security credentials via the group identifier for a communication from a member of the group to at least one other member of the group;
  
  wherein;
  
  means for identifying the plurality of potential recipients as members of the group, the group denoted by the group identifier comprises means for identifying the plurality of potential recipients as members of the group, the group denoted by a virtual private network group identifier (VPN ID), the VPN ID associated with a group prefix indicative of an address subrange denoting group members;
  
  means for receiving security credentials for the group corresponding to the group identifier comprises means for receiving a group key for the group associated with the VPN ID;
  
  means for associating the received security credentials with the group identifier indicative of potential recipients in the group comprises means for associating the group key with the VPN ID associated with the group prefix indicative of the address subrange denoting group members; and
  
  means for employing the security credentials via the group identifier for the communication from a member of the group to at least one other member of the group comprises;
  
  means identifying a transmission as having a prefix indicative of an address subrange denoting group members, andmeans for employing the group key to one of encrypt or decrypt the transmission when the transmission has a prefix indicative of an address subrange denoting group members.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Guichard, James N., Wainner, W. Scott, Weis, Brian E., McGrew, David A.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
ZECHER, CORDELIA P K

Application Number

US10/867,266
Time in Patent Office

1,744 Days
Field of Search

713/163, 726/15
US Class Current

713/163
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/065   for group communications cr...

H04L 63/08   for authentication of entit...

H04L 63/164   at the network layer

H04L 9/0833   involving conference or gro...

H04L 9/321   involving a third party or ...

System and method for dynamic secured group communication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

108 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for dynamic secured group communication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links