System and method for dynamic secured group communication
First Claim
1. A method of secure communications within a group comprising:
identifying a plurality of potential recipients as members of a group, the group denoted by a group identifier (ID);
receiving security credentials for the group corresponding to the group identifier;
associating the received security credentials with the group identifier indicative of potential recipients in the group; and
employing the security credentials via the group identifier for a communication from a member of the group to at least one other member of the group;
wherein:
identifying the plurality of potential recipients as members of the group, the group denoted by the group identifier (ID) comprises identifying, by a data communications device, the plurality of potential recipients as members of the group by a virtual private network group identifier (VPN ID), the VPN ID associated with a group prefix indicative of an address subrange denoting group members;
receiving security credentials for the group corresponding to the group identifier comprises receiving from a key management server by the data communications device a group key for the group associated with the VPN ID;
associating the received security credentials with the group identifier indicative of potential recipients in the group comprises associating, by the data communications device, the group key with the VPN ID associated with the group prefix indicative of the address subrange denoting group members; and
employing the security credentials via the group identifier for the communication from a member of the group to at least one other member of the group comprises:
identifying, by the data communications device, a transmission as having a prefix indicative of an address subrange denoting group members, and employing, by the data communications device, the group key to one of encrypt or decrypt the transmission when the transmission has a prefix indicative of an address subrange denoting group members.
1 Assignment
0 Petitions
Abstract
Conventional mechanisms exist for denoting such a communications group (group) and for establishing point-to-point, or unicast, secure connections between members of the communications group. In a particular arrangement, group members employ a group key operable for multicast security for unicast communication, thus avoiding establishing additional unicast keys for each communication between group members. Since the recipient of such a unicast message may not know the source, however, the use of the group key assures the recipient that the sender is a member of the same group. Accordingly, a system which enumerates a set of subranges (subnets) included in a particular group, such as a VPN, and establishes a group key corresponding to the group applies the group key to communications from the group members in the subnet. The group key is associated with the group ID by enumerating the address prefixes corresponding to each of the subnets in the group, and examining outgoing transmissions for destination addresses matching one of the address prefixes corresponding to the group.
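As an added illustration, not code from the patent itself, the following Python sketch carries the abstract's mechanism through end to end: a routing-table-like map that enumerates each VPN group's subnet prefixes together with its group key, a longest-prefix lookup of a transmission's destination address (outgoing) or source address (incoming), and encryption or decryption with the selected group key, where a valid authentication tag is what assures the recipient that the sender holds the group key. The table layout, the HMAC-based stream cipher, and the VPN IDs and subnets used are constructed for this example; a deployment would use a standard AEAD in place of the illustrative cipher.

```python
import hashlib, hmac, ipaddress, os

class GroupKeyTable:
    """Routing-table-like map: VPN ID -> (member subnet prefixes, group key)."""
    def __init__(self):
        self._groups = {}

    def add_group(self, vpn_id, prefixes, group_key):
        self._groups[vpn_id] = ([ipaddress.ip_network(p) for p in prefixes], group_key)

    def lookup(self, address):
        """Longest-prefix match across all groups; returns (vpn_id, key) or None."""
        addr = ipaddress.ip_address(address)
        hits = [(net.prefixlen, vid, key) for vid, (nets, key) in self._groups.items()
                for net in nets if addr in net]
        return max(hits)[1:] if hits else None

def _keys(group_key):
    # Derive separate encryption and MAC subkeys from the one distributed group key.
    return [hmac.new(group_key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac")]
def _keystream(ek, nonce, n):
    # HMAC-SHA256 in counter mode: an illustrative PRF stream, not a standardised cipher.
    return b"".join(hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def group_encrypt(group_key, plaintext, nonce=None):
    """Encrypt-then-MAC under the group key; a valid tag shows the sender holds that key."""
    ek, mk = _keys(group_key)
    nonce = os.urandom(12) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def group_decrypt(group_key, blob):
    ek, mk = _keys(group_key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: sender does not hold this group's key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

def send(table, dst, payload):  # outgoing path: encrypt only when dst is inside a group prefix
    hit = table.lookup(dst)
    if hit is None:  # no group prefix matched, so no group key applies
        return ("plaintext", None, payload)
    return ("group", hit[0], group_encrypt(hit[1], payload))

def receive(table, src, blob):  # incoming path: key chosen by source prefix, tag rejects non-members
    vpn_id, key = table.lookup(src) or (None, None)
    if key is None:
        raise ValueError("source address is outside every group prefix")
    return vpn_id, group_decrypt(key, blob)
```

A destination that falls outside every enumerated prefix is forwarded without a group key, and a peer inside a group's prefix range that does not hold that group's key fails the tag check on receipt.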
108 Citations
30 Claims
1. (Text given above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 29.
14. A data communications device for establishing secure group communications comprising:
a processor coupled to a memory and operable to identify a plurality of potential recipients as members of a group, the group denoted by a group identifier;
an interface coupled to the processor and operable to receive security credentials for the group corresponding to the group identifier; and
a routing table in the memory, the routing table responsive to the processor, and operable to associate the received security credentials with the group identifier indicative of potential recipients in the group, the processor operable to employ the security credentials via the group identifier for a communication from a member of the group to at least one other member of the group;
wherein:
the processor coupled to a memory is operable, when identifying the plurality of potential recipients as members of the group, the group denoted by the group identifier, to identify the plurality of potential recipients as members of the group, the group denoted by a virtual private network group identifier (VPN ID), the VPN ID associated with a group prefix indicative of an address subrange denoting group members;
the interface coupled to the processor is operable, when receiving security credentials for the group corresponding to the group identifier to receive a group key for the group associated with the VPN ID;
the routing table in the memory, the routing table responsive to the processor, is operable when associating the received security credentials with the group identifier indicative of potential recipients in the group to associate the group key with the VPN ID associated with the group prefix indicative of the address subrange denoting group members; and
the processor operable, when employing the security credentials via the group identifier for the communication from a member of the group to at least one other member of the group, to:
identify a transmission as having a prefix indicative of an address subrange denoting group members, and employ the group key to one of encrypt or decrypt the transmission when the transmission has a prefix indicative of an address subrange denoting group members.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 30.
27. A computer program product having a computer readable medium operable to store computer program logic embodied in computer program code encoded thereon for secure communications within a group comprising:
computer program code for identifying a plurality of potential recipients as members of a group, the group denoted by a group identifier;
computer program code for receiving security credentials for the group corresponding to the group identifier;
computer program code for associating the received security credentials with the group identifier indicative of potential recipients in the group; and
computer program code for employing the security credentials via the group identifier for a communication from a member of the group to at least one other member of the group;
wherein:
computer program code for identifying a plurality of potential recipients as members of a group, the group denoted by a group identifier comprises computer program code for identifying the plurality of potential recipients as members of the group, the group denoted by a virtual private network group identifier (VPN ID), the VPN ID associated with a group prefix indicative of an address subrange denoting group members;
computer program code for receiving security credentials for the group corresponding to the group identifier comprises computer program code for receiving a group key for the group associated with the VPN ID;
computer program code for associating the received security credentials with the group identifier indicative of potential recipients in the group comprises computer program code for associating the group key with the VPN ID associated with the group prefix indicative of the address subrange denoting group members; and
computer program code for employing the security credentials via the group identifier for a communication from a member of the group to at least one other member of the group comprises:
computer program code for identifying a transmission as having a prefix indicative of an address subrange denoting group members, and computer program code for employing the group key to one of encrypt or decrypt the transmission when the transmission has a prefix indicative of an address subrange denoting group members.
28. A data communications device for establishing secure group communications comprising:
means for identifying a plurality of potential recipients as members of a group, the group denoted by a group identifier;
means for receiving security credentials for the group corresponding to the group identifier;
means for associating the received security credentials with the group identifier indicative of potential recipients in the group; and
means for employing the security credentials via the group identifier for a communication from a member of the group to at least one other member of the group;
wherein:
means for identifying the plurality of potential recipients as members of the group, the group denoted by the group identifier comprises means for identifying the plurality of potential recipients as members of the group, the group denoted by a virtual private network group identifier (VPN ID), the VPN ID associated with a group prefix indicative of an address subrange denoting group members;
means for receiving security credentials for the group corresponding to the group identifier comprises means for receiving a group key for the group associated with the VPN ID;
means for associating the received security credentials with the group identifier indicative of potential recipients in the group comprises means for associating the group key with the VPN ID associated with the group prefix indicative of the address subrange denoting group members; and
means for employing the security credentials via the group identifier for the communication from a member of the group to at least one other member of the group comprises:
means for identifying a transmission as having a prefix indicative of an address subrange denoting group members, and means for employing the group key to one of encrypt or decrypt the transmission when the transmission has a prefix indicative of an address subrange denoting group members.
Specification