System and method for encrypted group network communication with point-to-point privacy

US 8,160,255 B2
Filed: 04/24/2006
Issued: 04/17/2012
Est. Priority Date: 04/24/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

providing a secure gateway group including a plurality of members of the secure gateway group that share common security data;

generating, by use of a processor, a different private identity for each of the plurality of members of the secure gateway group, and sending the private identity for each of the plurality of members of the secure gateway group to the corresponding member;

obtaining a sender secure private identity corresponding to a source of network traffic;

obtaining a receiver secure public identity corresponding to a destination of the network traffic, the destination being a particular member of the secure gateway group;

using a processor to generate an encryption key using the sender secure private identity and the receiver secure public identity in a Tate pairing, wherein the encryption key being generated using the Tate pairing based on an elliptic curve;

encrypting a data packet of the network traffic using the encryption key; and

sending the encrypted data packet to the destination of the network traffic within the secure gateway group in a secure point-to-point network communication, members of the secure gateway group other than the destination of the network traffic being unable to decrypt the encrypted data packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of the disclosed subject matter provide methods and systems for improved efficiency and security in secure gateway-to-secure gateway network communication. Embodiments provide systems and methods for generating a sender secure gateway private identity, obtaining a receiver secure gateway public identity, generating an encryption key using the sender secure gateway private identity and the receiver secure gateway public identity, encrypting a data packet using the encryption key, and sending the encrypted data packet to a receiver secure gateway. Embodiments also provide systems and methods for generating a receiver secure gateway private identity, obtaining a sender secure gateway public identity, generating a decryption key using the receiver secure gateway private identity and the sender secure gateway public identity, receiving an encrypted data packet from a sender secure gateway, and decrypting the data packet using the decryption key.

Citations

25 Claims

1. A computer-implemented method comprising:
- providing a secure gateway group including a plurality of members of the secure gateway group that share common security data;
  
  generating, by use of a processor, a different private identity for each of the plurality of members of the secure gateway group, and sending the private identity for each of the plurality of members of the secure gateway group to the corresponding member;
  
  obtaining a sender secure private identity corresponding to a source of network traffic;
  
  obtaining a receiver secure public identity corresponding to a destination of the network traffic, the destination being a particular member of the secure gateway group;
  
  using a processor to generate an encryption key using the sender secure private identity and the receiver secure public identity in a Tate pairing, wherein the encryption key being generated using the Tate pairing based on an elliptic curve;
  
  encrypting a data packet of the network traffic using the encryption key; and
  
  sending the encrypted data packet to the destination of the network traffic within the secure gateway group in a secure point-to-point network communication, members of the secure gateway group other than the destination of the network traffic being unable to decrypt the encrypted data packet.
- View Dependent Claims (2, 3)
- - 2. The method as claimed in claim 1 including registering a sender secure gateway with a key server.
  - 3. The method as claimed in claim 1 wherein a key server maintains a security parameter for the secure gateway group.

4. A computer-implemented method comprising:
- providing a secure gateway group including a plurality of members of the secure gateway group that share common security data;
  
  generating, by use of a processor, a different private identity for each of the plurality of members of the secure gateway group, and sending the private identity for each of the plurality of members of the secure gateway group to the corresponding member;
  
  obtaining a receiver secure private identity corresponding to a destination of network traffic, the destination being a particular member of the secure gateway group;
  
  obtaining a sender secure public identity corresponding to a source of the network traffic;
  
  using a processor to generate a decryption key using the receiver secure private identity and the sender secure public identity in a Tate pairing, wherein the decryption key being generated using the Tate pairing based on an elliptic curve;
  
  receiving an encrypted data packet of the network traffic at the destination within the secure gateway group in a secure point-to-point network communication from the source of the network traffic, members of the secure gateway group other than the destination of the network traffic being unable to decrypt the encrypted data packet; and
  
  decrypting the data packet at the destination within the secure gateway group using the decryption key.
- View Dependent Claims (5, 6)
- - 5. The method as claimed in claim 4 including registering a receiver secure gateway with a key server.
  - 6. The method as claimed in claim 4 wherein a key server maintains a security parameter for the secure gateway group.

7. An apparatus comprising:
- means for providing a secure gateway group including a plurality of members of the secure gateway group that share common security data;
  
  means for generating, by use of a processor, a different private identity for each of the plurality of members of the secure gateway group, and sending the private identity for each of the plurality of members of the secure gateway group to the corresponding member;
  
  means for obtaining a sender secure private identity corresponding to a source of network traffic;
  
  means for obtaining a receiver secure public identity corresponding to a destination of the network traffic, the destination being a particular member of the secure gateway group;
  
  means for using a processor to generate an encryption key using the sender secure private identity and the receiver secure public identity in a Tate pairing, wherein the encryption key being generated using the Tate pairing based on an elliptic curve;
  
  means for encrypting a data packet of the network traffic using the encryption key; and
  
  means for sending the encrypted data packet to the destination of the network traffic within the secure gateway group in a secure point-to-point network communication, members of the secure gateway group other than the destination of the network traffic being unable to decrypt the encrypted data packet.
- View Dependent Claims (8, 9)
- - 8. The apparatus as claimed in claim 7 including means for registering a sender secure gateway with a key server.
  - 9. The apparatus as claimed in claim 7 wherein a key server maintains a security parameter for the secure gateway group.

10. An apparatus comprising:
- means for providing a secure gateway group including a plurality of members of the secure gateway group that share common security data;
  
  means for generating, by use of a processor, a different private identity for each of the plurality of members of the secure gateway group, and sending the private identity for each of the plurality of members of the secure gateway group to the corresponding member;
  
  means for obtaining a receiver secure private identity corresponding to a destination of network traffic, the destination being a particular member of the secure gateway group;
  
  means for obtaining a sender secure public identity corresponding to a source of the network traffic;
  
  means for using a processor to generate a decryption key using the receiver secure private identity and the sender secure public identity in a Tate pairing, wherein the decryption key being generated using the Tate pairing based on an elliptic curve;
  
  means for receiving an encrypted data packet of the network traffic at the destination within the secure gateway group in a secure point-to-point network communication from the source of the network traffic, members of the secure gateway group other than the destination of the network traffic being unable to decrypt the encrypted data packet; and
  
  means for decrypting the data packet at the destination within the secure gateway group using the decryption key.
- View Dependent Claims (11, 12)
- - 11. The apparatus as claimed in claim 10 including means for registering a receiver secure gateway with a key server.
  - 12. The apparatus as claimed in claim 10 wherein a key server maintains a security parameter for the secure gateway group.

13. An apparatus comprising:
- a sender secure gateway being one of a plurality of members of a secure gateway group that share common security data, the sender secure gateway being a source of network traffic, the sender secure gateway being operable to obtain a sender secure gateway private identity from a key server, the key server having generated a different private identity for each of the plurality of members of the secure gateway group and having sent the private identity for each of the plurality of members of the secure gateway group to the corresponding member, the sender secure gateway being configured to obtain a receiver secure gateway public identity corresponding to a destination of the network traffic, the destination being a particular member of the secure gateway group, the sender secure gateway being configured to generate an encryption key using the sender secure gateway private identity and the receiver secure gateway public identity in a Tate pairing, wherein the encryption key being generated using the Tate pairing based on an elliptic curve, the sender secure gateway being configured to encrypt a data packet of the network traffic using the encryption key; and
  
  the sender secure gateway being configured to send the encrypted data packet to the destination of the network traffic within the secure gateway group in a secure point-to-point network communication, members of the secure gateway group other than the destination of the network traffic being unable to decrypt the encrypted data packet.
- View Dependent Claims (14, 15)
- - 14. The apparatus as claimed in claim 13 wherein the sender secure gateway is further operable to register with the key server.
  - 15. The apparatus as claimed in claim 13 wherein the key server is further operable to maintain a security parameter for the secure gateway group.

16. An apparatus comprising:
- a receiver secure gateway being one of a plurality of members of a secure gateway group that share common security data, the receiver secure gateway being a destination of network traffic, the receiver secure gateway being operable to obtain a receiver secure gateway private identity from a key server, the key server having generated a different private identity for each of the plurality of members of the secure gateway group and having sent the private identity for each of the plurality of members of the secure gateway group to the corresponding member, the receiver secure gateway being configured to obtain a sender secure gateway public identity corresponding to a source of the network traffic, the source being a particular member of the secure gateway group, the receiver secure gateway being configured to generate a decryption key using the receiver secure gateway private identity and the sender secure gateway public identity in a Tate pairing, wherein the decryption key being generated using the Tate pairing based on an elliptic curve, the receiver secure gateway being configured to receive an encrypted data packet from the source of the network traffic in a secure point-to-point network communication; and
  
  the receiver secure gateway being configured to decrypt the data packet using the decryption key, members of the secure gateway group other than the destination of the network traffic being unable to decrypt the encrypted data packet.
- View Dependent Claims (17, 18)
- - 17. The apparatus as claimed in claim 16 wherein the receiver secure gateway is further operable to register with the key server.
  - 18. The apparatus as claimed in claim 16 wherein the key server is further operable to maintain a security parameter for the secure gateway group.

19. An article of manufacture comprising at least one non-transitory machine readable storage medium having one or more computer programs stored thereon and operable on one or more computing systems to:
- generate a different private identity for each of a plurality of members of a secure gateway group and to send the private identity for each of the plurality of members of the secure gateway group to the corresponding member;
  
  obtain a sender secure gateway private identity corresponding to a source of network traffic;
  
  obtain a receiver secure gateway public identity corresponding to a destination of the network traffic, the destination being a particular member of a secure gateway group that includes a plurality of members that share common security data;
  
  generate an encryption key using the sender secure gateway private identity and the receiver secure gateway public identity in a Tate pairing, wherein the encryption key being generated using the Tate pairing based on an elliptic curve;
  
  encrypt a data packet of the network traffic using the encryption key; and
  
  send the encrypted data packet to the-destination of the network traffic within the secure gateway group in a secure point-to-point network communication, members of the secure gateway group other than the destination of the network traffic being unable to decrypt the encrypted data packet.
- View Dependent Claims (20)
- - 20. The article of manufacture according to claim 19 further operable to register a sender secure gateway with a key server.

21. An article of manufacture comprising at least one non-transitory machine readable storage medium having one or more computer programs stored thereon and operable on one or more computing systems to:
- generate a different private identity for each of a plurality of members of a secure gateway group and to send the private identity for each of the plurality of members of the secure gateway group to the corresponding member;
  
  obtain a receiver secure gateway private identity corresponding to a destination of network traffic, the destination being a particular member of a secure gateway group including a plurality of members that share common security data;
  
  obtain a sender secure gateway public identity corresponding to a source of the network traffic;
  
  generate a decryption key using the receiver secure gateway private identity and the sender secure gateway public identity in a Tate pairing, wherein the decryption key being generated using the Tate pairing based on an elliptic curve;
  
  receive an encrypted data packet of the network traffic at the destination within the secure gateway group in a secure point-to-point network communication from the source of the network traffic, members of the secure gateway group other than the destination of the network traffic being unable to decrypt the encrypted data packet; and
  
  decrypt the data packet at the destination within the secure gateway group using the decryption key.
- View Dependent Claims (22)
- - 22. The article of manufacture according to claim 21 further operable to register a receiver secure gateway with a key server.

23. A system comprising:
- a key server to generate a different private identity for each of a plurality of members of a secure gateway group that shares common security data, the key server to send the private identity for each of the plurality of members of the secure gateway group to the corresponding member; and
  
  a plurality of members of the secure gateway group that shares common security data, the plurality of members being in data communication with the key server via a network, the plurality of members of the secure gateway group being operable to;
  
  obtain a sender secure gateway private identity corresponding to a source of network traffic;
  
  obtain a receiver secure gateway public identity corresponding to a destination of the network traffic, the destination being a particular member of the secure gateway group;
  
  generate an encryption key using the sender secure gateway private identity and the receiver secure gateway public identity in a Tate pairing, wherein the encryption key being generated using the Tate pairing based on an elliptic curve;
  
  encrypt a data packet of the network traffic using the encryption key; and
  
  send the encrypted data packet to the destination of the network traffic within the secure gateway group in a secure point-to-point network communication, members of the secure gateway group other than the destination of the network traffic being unable to decrypt the encrypted data packet.
- View Dependent Claims (24, 25)
- - 24. The system according to claim 23 wherein each secure gateway is operable to register with the key server.
  - 25. The system according to claim 23 wherein the key server is operable to maintain a security parameter for the secure gateway group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Fluhrer, Scott
Primary Examiner(s)
ZIA, SYED

Application Number

US11/379,920
Publication Number

US 20070248225A1
Time in Patent Office

2,185 Days
Field of Search

None
US Class Current

380/277
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/065   for group communications cr...

H04L 9/0833   involving conference or gro...

System and method for encrypted group network communication with point-to-point privacy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for encrypted group network communication with point-to-point privacy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links