Method and apparatus for encrypted unicast group communication

US 7,577,837 B1
Filed: 04/17/2003
Issued: 08/18/2009
Est. Priority Date: 04/17/2003
Status: Active Grant

First Claim

Patent Images

1. A method for managing encrypted unicast group communication among network devices according to a common security association for network traffic from a sender to each of the network devices, the method comprising the computer-implemented steps of:

receiving a request for an encrypted communication among a plurality of network devices;

wherein the request is received at a sender, operating as a communications hub, coupled to a plurality of the network devices, and from which traffic is sent on a plurality of separate unicast paths to respective network devices among the plurality of network devices;

providing a common decryption key to each of the network devices;

providing a common security parameters index to each of the network devices for locating, in respective databases associated with each of the network devices, security association information that is associated with the common security association;

encrypting information according to the common security association;

wherein the common security association, the common decryption key and the common security parameters index are common to each of the network devices participating in the unicast group communication and wherein the common decryption key comprises a shared private key; and

unicasting the encrypted information from the sender to each of the network devices using the plurality of separate unicast paths.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process for managing encrypted group communication according to a single security association (SA) for network traffic from a sender includes receiving a request for an encrypted communication among a plurality of network devices. A common decryption key and a common security parameters index (SPI) are provided to each of the network devices participating in the communication. The common security parameters index facilitates locating, in respective databases associated with each of the network devices, security association information that is associated with the common security association. Information is encrypted based on the common security association, and unicasted to each of the network devices. In an embodiment, the common security parameters index provided to each network device is established by the sender. For example, the SPI is established by a conference server and sent to each device participating in a voice conference.

23 Citations

View as Search Results

66 Claims

1. A method for managing encrypted unicast group communication among network devices according to a common security association for network traffic from a sender to each of the network devices, the method comprising the computer-implemented steps of:
- receiving a request for an encrypted communication among a plurality of network devices;
  
  wherein the request is received at a sender, operating as a communications hub, coupled to a plurality of the network devices, and from which traffic is sent on a plurality of separate unicast paths to respective network devices among the plurality of network devices;
  
  providing a common decryption key to each of the network devices;
  
  providing a common security parameters index to each of the network devices for locating, in respective databases associated with each of the network devices, security association information that is associated with the common security association;
  
  encrypting information according to the common security association;
  
  wherein the common security association, the common decryption key and the common security parameters index are common to each of the network devices participating in the unicast group communication and wherein the common decryption key comprises a shared private key; and
  
  unicasting the encrypted information from the sender to each of the network devices using the plurality of separate unicast paths.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the steps are performed by the sender.
  - 3. The method of claim 1, wherein the steps are performed by the sender, and the method further comprises the computer-implemented step of:
    - establishing the common security parameters index.
  - 4. The method of claim 1, wherein the security association is based on IPsec protocols.
  - 5. The method of claim 1, wherein the step of providing the common security parameters index includes providing the common security parameters index as part of an IPsec Quick Mode message.
  - 6. The method of claim 1, wherein the step of providing the common security parameters index includes providing the common security parameters index in a Vendor ID payload of an IPsec Quick Mode message.
  - 7. The method of claim 1, wherein the step of providing the common key includes providing the common key as part of an IPsec Quick Mode message.
  - 8. The method of claim 1, wherein the step of providing the common key includes providing the common key in a Vendor ID payload of an IPsec Quick Mode message.
  - 9. The method of claim 1, wherein the sender performs the step of transmitting the encrypted information and wherein at least one of the network devices uses a network address associated with the sender for locating the security association information in a database associated with the at least one network device.
  - 10. The method of claim 9, wherein the at least one of the network devices further uses, for locating the security association information in the database:
    - the common security parameters index,an indication of a security protocol associated with the network traffic from the sender to the network devices, anda network address associated with the at least one of the network devices.
  - 11. The method of claim 1, wherein the unicast communication among the network devices is a voice conference.
  - 12. The method of claim 1, wherein the sender is a conference server communicatively coupled to the plurality of network devices.
  - 13. The method of claim 12, wherein the plurality of network devices are IP phones.

14. A method for participating in an encrypted unicast group communication among network devices according to a common security association for network traffic from a sender to the network devices, the method comprising the computer-implemented steps of:
- receiving a decryption key that is provided to each of the network devices;
  
  wherein the network devices are coupled to a sender, operating as a communications hub, and from which the decryption key and other traffic is received on a plurality of separate unicast paths by respective ones of the network devices;
  
  receiving a security parameters index that is provided to each of the network devices, wherein the security parameters index is for locating, in a respective database associated with each of the network devices, security association information that is associated with the common security association;
  
  receiving encrypted information from the sender that is based on the common security association;
  
  locating the security association information in a database based on the security parameters index;
  
  wherein the common security association, the decryption key and the security parameters index are common to each of the network devices participating in the unicast group communication and wherein the decryption key comprises a shared private key; and
  
  decrypting the encrypted information using the decryption key and based on the security association information.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The method of claim 14, wherein the decryption key and the security parameters index are received from the sender.
  - 16. The method of claim 14, further comprising the computer-implemented steps of:
    - locating, by a network device of the network devices, the security association information in a database based onthe security parameters index,an indication of a security protocol associated with the network traffic from the sender to the network devices,a network address associated with the network device that is locating the information, anda network address associated with the sender.
  - 17. The method of claim 14, wherein each of the steps are performed by each of the network devices participating in the encrypted unicast communication.
  - 18. The method of claim 14, wherein the received security parameters index is established by the sender.
  - 19. The method of claim 18, wherein the sender is a conference server communicatively coupled to the network devices through a public network.
  - 20. The method of claim 19, wherein at least one of the network devices is an IP phone.
  - 21. The method of claim 14, wherein the security association is based on IPsec protocols.
  - 22. The method of claim 14, wherein the step of receiving the decryption key includes receiving the decryption key as part of an IPsec Quick Mode message.
  - 23. The method of claim 14, wherein the step of receiving the decryption key includes receiving the decryption key in a Vendor ID payload of an IPsec Quick Mode message.
  - 24. The method of claim 14, wherein the step of receiving the security parameters index includes receiving the security parameters index as part of an IPsec Quick Mode message.
  - 25. The method of claim 14, wherein the step of receiving the security parameters index includes receiving the security parameters index in a Vendor ID payload of an IPsec Quick Mode message.
  - 26. The method of claim 14, wherein the unicast communication is a voice conference.

27. A computer-readable medium carrying one or more sequences of instructions for managing encrypted unicast group communication among network devices according to a common security association for network traffic from a sender to each of the network devices, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving a request for an encrypted communication among a plurality of network devices;
  
  wherein the request is received at a sender, operating as a communications hub, coupled to a plurality of the network devices, and from which traffic is sent on a plurality of separate unicast paths to respective network devices among the plurality of network devices;
  
  providing a common decryption key to each of the network devices;
  
  providing a common security parameters index to each of the network devices for locating, in respective databases associated with each of the network devices, security association information that is associated with the common security association;
  
  encrypting information according to the common security association;
  
  wherein the common security association, the common decryption key and the common security parameters index are common to each of the network devices participating in the unicast group communication and wherein the common decryption key comprises a shared private key; and
  
  unicasting the encrypted information from the sender to each of the network devices using the plurality of separate unicast paths.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 28. The computer-readable medium of claim 27, wherein the instructions, when executed by one or more processors, cause the one or more processors to carry out the step of:
    - establishing, by the sender, the common security parameters index.
  - 29. The computer-readable medium of claim 27, wherein the security association is based on IPsec protocols.
  - 30. The computer-readable medium of claim 27, wherein the instructions cause the one or more processors to carry out the step of providing the common security parameters index by providing the common security parameters index as part of an IPsec Quick Mode message.
  - 31. The computer-readable medium of claim 27, wherein the instructions cause the one or more processors to carry out the step of providing the common security parameters index by providing the common security parameters index in a Vendor ID payload of an IPsec Quick Mode message.
  - 32. The computer-readable medium of claim 27, wherein the instructions cause the one or more processors to carry out the step of providing the common key by providing the common key as part of an IPsec Quick Mode message.
  - 33. The computer-readable medium of claim 27, wherein the instructions cause the one or more processors to carry out the step of providing the common key by providing the common key in a Vendor ID payload of an IPsec Quick Mode message.
  - 34. The computer-readable medium of claim 27, wherein the unicast communication among the network devices is a voice conference.
  - 35. The computer-readable medium of claim 27, wherein the sender is a conference server communicatively coupled to the plurality of network devices.
  - 36. The computer-readable medium of claim 35, wherein the plurality of network devices are IP phones.

37. A computer-readable medium carrying one or more sequences of instructions for participating in an encrypted unicast group communication among network devices according to a common security association for network traffic from a sender to the network devices, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving a decryption key that is provided to each of the network devices;
  
  wherein the network devices are coupled to a sender, operating as a communications hub, and from which the decryption key and other traffic is received on a plurality of separate unicast paths by respective ones of the network devices;
  
  receiving a security parameters index that is provided to each of the network devices, wherein the security parameters index is for locating, in a respective database associated with each of the network devices, security association information that is associated with the common security association;
  
  receiving encrypted information from the sender that is based on the common security association;
  
  locating the security association information in a database based on the security parameters index;
  
  wherein the common security association, the decryption key and the security parameters index are common to each of the network devices participating in the unicast group communication and wherein the decryption key comprises a shared private key; and
  
  decrypting the encrypted information using the decryption key and based on the security association information.
- View Dependent Claims (38, 39, 40)
- - 38. The computer-readable medium of claim 37, wherein the instructions cause the one or more processors to carry out the steps of:
    - locating, by a network device of the network devices, the security association information in a database based onthe security parameters index,an indication of a security protocol associated with the network traffic from the sender to the network devices,a network address associated with the network device that is locating the information, anda network address associated with the sender.
  - 39. The computer-readable medium of claim 37, wherein each of the steps are performed by each of the network devices participating in the encrypted unicast communication.
  - 40. The computer-readable medium of claim 37, wherein the received security parameters index is established by the sender.

41. An apparatus for managing encrypted unicast group communication among network devices according to a common security association for network traffic from a sender to each of the network devices, the apparatus comprising:
- means for receiving a request for an encrypted communication among a plurality of network devices;
  
  wherein the request is received at a sender, operating as a communications hub, coupled to a plurality of the network devices, and from which traffic is sent on a plurality of separate unicast paths to respective network devices among the plurality of network devices;
  
  means for providing a common decryption key to each of the network devices;
  
  means for providing a common security parameters index to each of the network devices for locating, in respective databases associated with each of the network devices, security association information that is associated with the common security association;
  
  means for encrypting information according to the common security association;
  
  wherein the common security association, the common decryption key and the common security parameters index are common to each of the network devices participating in the unicast group communication and wherein the common decryption key comprises a shared private key; and
  
  means for unicasting the encrypted information from the sender to each of the network devices using the plurality of separate unicast paths.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 42. The apparatus of claim 41, further comprising:
    - means for establishing, by the sender, the common security parameters index.
  - 43. The apparatus of claim 41, wherein the security association is based on IPsec protocols.
  - 44. The apparatus of claim 41, wherein the means for providing the common security parameters index includes means for providing the common security parameters index as part of an IPsec Quick Mode message.
  - 45. The apparatus of claim 41, wherein the means for providing the common security parameters index includes means for providing the common security parameters index in a Vendor ID payload of an IPsec Quick Mode message.
  - 46. The apparatus of claim 41, wherein the means for providing the common security parameters index includes means for providing the common security parameters index as part of an IPsec Quick Mode message.
  - 47. The apparatus of claim 41, wherein the means for providing the common security parameters index includes means for providing the common security parameters index in a Vendor ID payload of an IPsec Quick Mode message.
  - 48. The apparatus of claim 41, wherein the unicast communication among the network devices is a voice conference.
  - 49. The apparatus of claim 41, wherein the apparatus is a conference server, operating as the sender, communicatively coupled to the plurality of network devices.
  - 50. The apparatus of claim 49, wherein the plurality of network devices are IP phones.

51. An apparatus for participating in an encrypted unicast group communication among network devices according to a common security association for network traffic from a sender to the network devices, the apparatus comprising:
- means for receiving a decryption key that is provided to each of the network devices;
  
  wherein the network devices are coupled to a sender, operating as a communications hub, and from which the decryption key and other traffic is received on a plurality of separate unicast paths by respective ones of the network devices;
  
  means for receiving a security parameters index that is provided to each of the network devices, wherein the security parameters index is for locating, in a respective database associated with each of the network devices, security association information that is associated with the common security association;
  
  means for receiving encrypted information from the sender that is based on the common security association;
  
  means for locating the security association information in a database based on the security parameters index;
  
  wherein the common security association, the decryption key and the security parameters index are common to each of the network devices participating in the unicast group communication and wherein the decryption key comprises a shared private key; and
  
  means for decrypting the encrypted information using the decryption key and based on the security association information.
- View Dependent Claims (52, 53)
- - 52. The apparatus of claim 51, further comprising:
    - means for locating, by a network device of the network devices, the security association information in a database based onthe security parameters index,an indication of a security protocol associated with the network traffic from the sender to the network devices,a network address associated with the network device that is locating the information, anda network address associated with the sender.
  - 53. The apparatus of claim 51, wherein the means for receiving a security parameters index includes means for receiving a security parameters index established by the sender.

54. A device that can manage encrypted unicast group communication among network devices according to a common security association for network traffic from a sender to each of the network devices, the device comprising:
- a network interface;
  
  a processor coupled to the network interface and receiving network messages from the network through the network interface;
  
  a computer-readable medium comprising one or more stored sequences which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving a request for an encrypted communication among a plurality of network devices;
  
  wherein the request is received at the device, operating as a communications hub, coupled to a plurality of the network devices, and from which traffic is sent on a plurality of separate unicast paths to respective network devices among the plurality of network devices;
  
  providing a common decryption key to each of the network devices;
  
  providing a common security parameters index to each of the network devices for locating, in respective databases associated with each of the network devices, security association information that is associated with the common security association;
  
  encrypting information according to the common security association;
  
  wherein the common security association, the common decryption key and the common security parameters index are common to each of the network devices participating in the unicast group communication and wherein the common decryption key comprises a shared private key; and
  
  unicasting the encrypted information from the device to each of the network devices using the plurality of separate unicast paths.
- View Dependent Claims (55, 56, 57, 58, 59, 60, 61, 62, 63)
- - 55. The device of claim 54, wherein the instructions cause the one or more processors to carry out the steps of:
    - establishing, by the sender, the common security parameters index.
  - 56. The device of claim 54, wherein the security association is based on IPsec protocols.
  - 57. The device of claim 54, wherein the instructions cause the one or more processors to carry out the step of providing the common security parameters index by providing the common security parameters index as part of an IPsec Quick Mode message.
  - 58. The device of claim 54, wherein the instructions cause the one or more processors to carry out the step of providing the common security parameters index by providing the common security parameters index in a Vendor ID payload of an IPsec Quick Mode message.
  - 59. The device of claim 54, wherein the instructions cause the one or more processors to carry out the step of providing the common security parameters index by providing the common security parameters index as part of an IPsec Quick Mode message.
  - 60. The device of claim 54, wherein the instructions cause the one or more processors to carry out the step of providing the common security parameters index by providing the common security parameters index in a Vendor ID payload of an IPsec Quick Mode message.
  - 61. The device of claim 54, wherein the unicast communication among the network devices is a voice conference.
  - 62. The device of claim 54, wherein the device is a conference server, operating as the sender, communicatively coupled to the plurality of network devices.
  - 63. The device of claim 62, wherein the plurality of network devices are IP phones.

64. A device that can participate in an encrypted unicast group communication among network devices according to a common security association for network traffic from a sender to the network devices, the device comprising:
- a network interface;
  
  a processor coupled to the network interface and receiving network messages from the network through the network interface;
  
  a computer-readable medium comprising one or more stored sequences which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving a decryption key that is provided to each of the network devices;
  
  wherein the network devices are coupled to a sender, operating as a communications hub, and from which the decryption key and other traffic is received on a plurality of separate unicast paths by respective ones of the network devices;
  
  receiving a security parameters index that is provided to each of the network devices, wherein the security parameters index is for locating, in a respective database associated with each of the network devices, security association information that is associated with the common security association;
  
  receiving encrypted information from the sender that is based on the common security association;
  
  wherein the common security association, the decryption key and the security parameters index are common to each of the network devices participating in the unicast group communication and wherein the decryption key comprises a shared private key;
  
  locating the security association information in a database based on the security parameters index; and
  
  decrypting the encrypted information using the decryption key and based on the security association information.
- View Dependent Claims (65, 66)
- - 65. The device of claim 64, wherein the instructions cause the one or more processors to carry out the step of:
    - locating, by a network device of the network devices, the security association information in a database based onthe security parameters index,an indication of a security protocol associated with the network traffic from the sender to the network devices,a network address associated with the network device that is locating the information, anda network address associated with the sender.
  - 66. The device of claim 64, wherein the instructions cause the one or more processors to carry out the step of receiving a security parameters index by receiving a security parameters index established by the sender.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gadde, Ravi, Ithal, Ravishankar Ganesh
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Tolentino; Roderick

Application Number

US10/418,877
Time in Patent Office

2,315 Days
Field of Search

713/153, 713/163, 713/162, 713/150, 726/12, 380/149, 709/245, 709/225
US Class Current

713/163
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/104   Grouping of entities

H04L 63/164   at the network layer

Method and apparatus for encrypted unicast group communication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for encrypted unicast group communication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links