System and method for secure group communications

US 7,594,262 B2
Filed: 09/04/2002
Issued: 09/22/2009
Est. Priority Date: 09/04/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A system for secure group communications, the system comprising:

a communication network;

a policy server coupled to the communication network, the policy server havinga secure interface,a first security policy, anda second security policy; and

a plurality of nodes operatively coupled to each other through the communication network, wherein the plurality of nodes includes a plurality of group nodes operatively coupled to the secure interface of the policy server through the communication network, wherein each of the plurality of group nodes includes a host computer connected to a network interface device over a bus interface, wherein;

the host computer includes a memory; and

the network interface device includes a processor, a cryptographic unit, a packet filter, and a memory separate from the host computer memory,wherein each of the group nodes is assigned to one or more virtual private groups,wherein the first security policy includes group membership information for each of the plurality of group nodes,wherein the network interface devices receive a copy of the first security policy, a copy of the second security policy, and a set of encryption keys from the policy server and store the the security policies and the set of encryption keys into memory within each network interface device,wherein each network interface device is configured to use the first security policy, the group membership information and the encryption keys associated with the group membership information to receive information from the host computer and to securely communicate with a network interface device on another group node, andwherein the network interface device detects and blocks unauthorized packets sent to the group node using the packet filter as a function of the first security policy when the packets come from a group node and as a function of the second security policy when the packets come from a node that is not part of a virtual private group.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for secure group communications is provided. One embodiment provides a method for implementing a virtual private group network. The method includes creating a virtual private group definition on a policy server, establishing a plurality of secure connections between the policy server and a plurality of group nodes, sending a copy of the virtual private group definition from the policy server to the group nodes, sending a shared traffic encryption key from the policy server to each of the group nodes, and sharing secure communication information among the group nodes using the shared traffic encryption key, wherein each group node is included in the virtual private group definition.

138 Citations

View as Search Results

26 Claims

1. A system for secure group communications, the system comprising:
- a communication network;
  
  a policy server coupled to the communication network, the policy server havinga secure interface,a first security policy, anda second security policy; and
  
  a plurality of nodes operatively coupled to each other through the communication network, wherein the plurality of nodes includes a plurality of group nodes operatively coupled to the secure interface of the policy server through the communication network, wherein each of the plurality of group nodes includes a host computer connected to a network interface device over a bus interface, wherein;
  
  the host computer includes a memory; and
  
  the network interface device includes a processor, a cryptographic unit, a packet filter, and a memory separate from the host computer memory,wherein each of the group nodes is assigned to one or more virtual private groups,wherein the first security policy includes group membership information for each of the plurality of group nodes,wherein the network interface devices receive a copy of the first security policy, a copy of the second security policy, and a set of encryption keys from the policy server and store the the security policies and the set of encryption keys into memory within each network interface device,wherein each network interface device is configured to use the first security policy, the group membership information and the encryption keys associated with the group membership information to receive information from the host computer and to securely communicate with a network interface device on another group node, andwherein the network interface device detects and blocks unauthorized packets sent to the group node using the packet filter as a function of the first security policy when the packets come from a group node and as a function of the second security policy when the packets come from a node that is not part of a virtual private group.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein one host computer further includes a computer-readable medium.
  - 3. The system of claim 1, wherein the memory of the network interface device includes both volatile and non-volatile memory.
  - 4. The system of claim 1, wherein one group node further includes an additional host computer coupled to the network interface device, the additional host computer having a processor, a memory, and a computer-readable medium.
  - 5. The system of claim 1, wherein the common set of encryption keys includes public encryption keys that are used for asymmetric encryption.

6. A virtual private group communication system, comprising:
- a communication network;
  
  a plurality of nodes operatively coupled to each other through the communication network;
  
  a policy server coupled to the communication network, the policy server having a plurality of key distribution keys; and
  
  one or more virtual private groups, wherein each virtual private group includes a plurality of the nodes as virtual private group nodes that are operatively coupled to the policy server through the communication network,wherein;
  
  each virtual private group node includes a host computer connected to a network interface device over a bus interface,the host computer includes a memory,the network interface device includes a processor, a cryptographic unit, a packet filter, and a memory separate from the host computer memory,each virtual private group node has virtual private group membership information, a key distribution key, and a shared traffic encryption key stored in the memory of the network interface device,the virtual private group membership information details the group nodes that are members of the virtual private group,the packet filter operates to block packets as a function of a first security policy when the operating as a virtual private group node and as a function of a second security policy when not operating as a virtual private group node, andthe virtual private group nodes are adapted to send secure data to the other virtual private group nodes within a particular virtual private group by using the shared traffic encryption keys associated with the virtual private group.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The virtual private group communication system of claim 6, wherein each virtual private group node receives its key distribution key and its shared traffic encryption key from the policy server.
  - 8. The virtual private group communication system of claim 6, wherein the policy server further includes a security policy having rules for group node membership, and wherein the policy server transmits a copy of the security policy to each of the virtual private group nodes.
  - 9. The virtual private group communication system of claim 6, wherein each virtual private group node further includes a shared group membership key that is transmitted from the policy server.
  - 10. The virtual private group communication system of claim 6, wherein the memory of the network interface device includes non-volatile memory, and wherein the key distribution key, the shared traffic encryption key, and the shared group membership key of the virtual private group node are stored in the non-volatile memory of the network interface device.

11. A system for secure communications, the system comprising:
- a network;
  
  a policy server system coupled to the network, the policy server system having a security policy database and a filter rule database; and
  
  a plurality of nodes, wherein each node is coupled to the network through a network interface device and wherein each node includes a host computer connected to the network interface device over a bus interface, wherein the host computer includes a memory and wherein the network interface device includes a processor, a cryptographic unit and a memory separate from the host computer memory and wherein each network interface device includes a packet filter,wherein the policy server system is configured to use the security policy database and the filter rule database to create security policy rules assigning two or more of the nodes to a virtual private group,wherein the policy server system is configured to transmit the security policy rules to the two or more nodes that are members of the virtual private group,wherein the nodes of the virtual private group are configured to use a common set of encryption keys stored in the memory of the network interface device and to communicate securely with one another by using the security policy rules and the common set of encryption keys to encrypt or decrypt data that is transmitted across the network to other members of the virtual private group, andwherein the nodes of the virtual private group use the packet filter in the network interface device to detect unauthorized packets as a function of a first set of security policy rules when communicating with another virtual private group member and as a function of a second set of security policy rules when communicating with a node that is not a virtual private group member.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, wherein the policy server system creates unique security policy rules for each node in the group, and wherein the unique security policy rules contain one or more entries for members of the group.
  - 13. The system of claim 11, wherein two or more nodes of the plurality of nodes are assigned to a second virtual private group,wherein the policy server system transmits the security policy rules to the nodes assigned to the second virtual private group,wherein the nodes of the second virtual private group use a second common set of encryption keys stored in the memory of their network interface devices, andwherein the nodes of the second virtual private group communicate securely with one another by using the security policy rules and the second common set of encryption keys to encrypt and decrypt data that is transmitted across the network.
  - 14. The system of claim 13, wherein the system further includes:
    - a second policy server system coupled to the network, the second policy server system having a security policy database and a filter rule database; and
      
      wherein two or more nodes of the plurality of nodes are assigned to a third virtual private group,wherein the second policy server system uses the security policy database and the filter rule database to create security policy rules associated with the third virtual private group,wherein the second policy server system transmits the security policy rules associated with the third virtual private group to the nodes assigned to the third virtual private group,wherein the nodes of the third virtual private group use a common set of encryption keys, andwherein the nodes of the third virtual private group communicate securely with one another by using the security policy rules and the common set of encryption keys to encrypt and decrypt data that is transmitted across the network.

15. A system for secure communications between members of a virtual private group, the system comprising:
- a communications network;
  
  policy management means, coupled to the communications network, for managing the virtual private group and for managing a set of node security keys associated with the virtual private group and for providing security policy rules;
  
  group communication means, coupled to the communication network, for storing the set of node security keys and for encrypting data between members of the virtual private group by using the node security keys, wherein;
  
  the group communication means includes a host computer connected to the network interface device over a bus interface, wherein the host computer includes a memory,the network interface device includes a processor, a cryptographic unit, a packet filter, and a memory separate from the host computer memory,the set of node security keys are stored in the memory of the network interface device, andthe cryptographic unit encrypts data to be transferred between members of the virtual private group using the set of node security keys stored in the memory of the network interface device;
  
  wherein the policy management means includes means for determining, at each node, if another node is a member of the virtual private group;
  
  wherein the group communication means includes means for sending encrypted data between two or more nodes of the same virtual private group;
  
  wherein the packet filter blocks unauthorized packets as a function of a first set of security policy rules when the group communication means is sending or receiving data between members of the same virtual private group and as a function of a second set of security policy rules when the group communication means is sending or receiving data between members of different virtual private groups.

16. A computer-readable medium having computer-executable instructions thereon for performing a method, the method comprising:
- managing a plurality of group definitions on a policy server, each group definition including a plurality of group member entries;
  
  establishing a secure connection between the policy server and a plurality of group members, wherein;
  
  each of the plurality of group members includes a host computer connected to a network interface device over a bus interface,the host computer includes a memory, andthe network interface device includes a processor, a cryptographic unit, a packet filter, and a memory separate from the host computer memory;
  
  creating a plurality of customized group member policies based on the group member entries in the group definitions;
  
  securely sending a group membership key from the policy server to each of the group members;
  
  securely sending a traffic encryption key list from the policy server to each of the group members and wherein the traffic encryption key list contains one or more traffic encryption keys;
  
  securely sending the customized group member policies from the policy server to each of the corresponding group members; and
  
  storing the group membership key, traffic encryption key list and the customized group member policies in memory of the network interface device, wherein the customized group member policies include a first and a second set of group member policies applied by the packet filter of the network interface device to detect and block unauthorized packets, wherein the first set of group member policies are applied when sending or receiving data between group members.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein each security policy received by a virtual private group node includes a virtual private group table, wherein the virtual private group table includes virtual private group membership information for all the virtual private groups in which the group node is a member.
  - 18. The system of claim 17, wherein each group node includes a means for accessing the virtual private group table with a group node identifier associated with a group node.
  - 19. The system of claim 18, wherein the means for accessing includes a means for applying a priority to accesses within the virtual private table.

20. A method for securing communication within a virtual private group, the method comprising:
- providing a policy server, wherein the policy server includes a security policy database, a filter rule database and a secure interface;
  
  providing a plurality of nodes connected across a network, wherein each of the plurality of nodes includes a host computer connected to a network interface device over a bus interface, wherein the host computer includes a memory and wherein the network interface device includes a processor, a cryptographic unit, a packet filter to apply filter rules from the filter rule database, and a memory separate from the host computer memory, wherein the filter rule database includes a set of filter rules for each virtual private group;
  
  assigning two or more nodes to a first virtual private group;
  
  assigning two or more nodes to a second virtual private group;
  
  determining group member data for each virtual private group;
  
  establishing a secure connection between the policy server and the nodes of the first virtual private group and the nodes of the second virtual private group;
  
  sending the virtual private group member data for the first virtual private group from the policy server to each member of the first virtual private group;
  
  storing the virtual private group member data for the first virtual private group in the memory of the network interface device of each member of the first virtual private group;
  
  sending the virtual private group member data for the second virtual private group from the policy server to each member of the second virtual private group;
  
  storing the virtual private group member data for the second virtual private group in the memory of the network interface device of each member of the first virtual private group;
  
  sending a secure communication between two or more members of the first virtual private group utilizing the first virtual private group'"'"'s member data; and
  
  sending a second secure communication between two or more members of the second virtual private group utilizing the second virtual private group'"'"'s member data.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The method of claim 20, wherein the virtual private group member data includes:
    - a shared membership key;
      
      a list of shared traffic encryption keys, wherein the list includes one or more traffic encryption keys; and
      
      a virtual private group security policy.
  - 22. The method of claim 21, wherein the security policy includes a list of each node assigned to a virtual private group.
  - 23. The method of claim 21, wherein sending a secure communication includes encrypting a control message using the shared membership key.
  - 24. The method of claim 21, wherein sending a secure communication includes encrypting a control message using the shared membership key, wherein the control message includes virtual private group member data.
  - 25. The method of claim 21, wherein sending a secure communication includes encrypting a control message using the shared membership key, wherein the control message includes a pointer into the list of shared traffic encryption keys.
  - 26. The method of claim 20, wherein the first virtual private group includes a first node and a second node, and wherein the second virtual private group includes the first node and a third node;
    - andwherein the first and second nodes communicate using a first set of filter rules stored in the filter rule database and the first and third nodes communicate using a second set of filter rules stored in the filter rule database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
Meredith, Lynn Marquette, Lowe, Geoffrey A., Hanzlik, Robert Otto, Markham, Thomas R.
Primary Examiner(s)
Revak; Christopher A

Application Number

US10/234,223
Publication Number

US 20040044891A1
Time in Patent Office

2,575 Days
Field of Search

None
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/065   for group communications cr...

H04L 63/20   for managing network securi...

System and method for secure group communications

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

138 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure group communications

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links