Secure group communications

US 8,300,830 B2
Filed: 07/15/2010
Issued: 10/30/2012
Est. Priority Date: 08/05/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for providing secure communication in a system including a group management device, at least one subgroup management device, and at least one receiving device, wherein at least one subgroup management device is associated with at least receiving device, the method comprising the steps of:

establishing a temporary secure communication path between the group management device and the at least one receiving device;

generating a key chain corresponding to the at least one receiving device, wherein the key chain includes a predetermined number of keys and having each key related to at least another key by at least one inverse of a one-way function, wherein the predetermined number of keys is agreed upon by the group management device and the at least one receiving device;

storing the generated key chain at the group management device and the at least one receiving device;

tearing down the temporary secure communication path subsequent to the storing of the generated key chain;

providing at least one key in the generated key chain to the at least one subgroup management device associated with the at least one receiving device;

using the generated key chain, authenticating the at least one subgroup management device; and

establishing another secure communication path between the group management device and the at least one subgroup management device and the at least one subgroup management device and the at least one receiving device associated with the at least one subgroup management device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device for use in a system with multiple receiving units, and multiple intermediate units each configured to communicate with the device and at least some of the multiple receiving units, includes a communication module configured to send information toward and receive information from the receiving units and the intermediate units, a memory, and a processor coupled to the memory and the communication module. The processor is configured to: cause the communication module to send information toward each of the receiving units sufficient for the receiving units to obtain a key chain corresponding to that receiving unit, each key chain containing a plurality of keys, each key in each key chain being related to other keys in the respective key chains by at least one inverse of a one-way function; select a key from a key chain associated with a particular receiving unit and stored in the memory; and cause the communication module to send the selected key, and an indication of which receiving unit the selected key is associated with, toward the intermediate unit associated with the particular receiving unit.

Citations

39 Claims

1. A method for providing secure communication in a system including a group management device, at least one subgroup management device, and at least one receiving device, wherein at least one subgroup management device is associated with at least receiving device, the method comprising the steps of:
- establishing a temporary secure communication path between the group management device and the at least one receiving device;
  
  generating a key chain corresponding to the at least one receiving device, wherein the key chain includes a predetermined number of keys and having each key related to at least another key by at least one inverse of a one-way function, wherein the predetermined number of keys is agreed upon by the group management device and the at least one receiving device;
  
  storing the generated key chain at the group management device and the at least one receiving device;
  
  tearing down the temporary secure communication path subsequent to the storing of the generated key chain;
  
  providing at least one key in the generated key chain to the at least one subgroup management device associated with the at least one receiving device;
  
  using the generated key chain, authenticating the at least one subgroup management device; and
  
  establishing another secure communication path between the group management device and the at least one subgroup management device and the at least one subgroup management device and the at least one receiving device associated with the at least one subgroup management device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, further comprising:
    - at the group management devicecommunicating, via the temporary secure communication path, a seed to the at least one receiving device;
      
      using at least one of a first one inverse of a one-way function, generating another seed based on the communicated seed;
      
      using at least one of a second one inverse of a one-way function, generating at least one key in the key chain based on the communicated seed and generating other keys in the key chain based on the generated seed;
      
      wherein the at least one of the first one inverse of a one-way function is different from the at least one of the second one inverse of a one-way function.
  - 3. The method according to claim 2, wherein the communicated seed is a primary seed and the at least one of the first one inverse of a one-way function is configured to generate a most senior key in the key chain based on the primary seed.
  - 4. The method according to claim 3, further comprising:
    - continuing to generate seeds until the number of seeds is equal to the predetermined number of keys.
  - 5. The method according to claim 3, whereinthe primary seed is a most senior seed;
    - keys in the generated key chain are configured to be arranged in a sequential order starting from a most senior key to a most junior key, wherein the most senior key is generated based on the most senior seed;
      
      each next-most senior seed is generated based on the most senior seed using the at least one of a first one inverse of a one-way function;
      
      each next-most senior key is generated based on the next-most senior seed using at least one of the second one inverse of a one-way function;
      
      the most junior key is generated based on a prior-least senior seed using the at least one of the second one inverse of a one-way function.
  - 6. The method according to claim 5, wherein the step of providing further comprisesproviding a key in the key chain, corresponding to the at least one receiving device, to the at least one subgroup management device associated with the at least one receiving device in a reverse order of keys arranged in the key chain, wherein the most-junior key is provided first.
  - 7. The method according to claim 5, further comprising:
    - detecting a change in the at least one subgroup management device associated with the at least one receiving device;
      
      providing at least one next key in the key chain corresponding to the at least one receiving device to the changed subgroup management device;
      
      authenticating the changed subgroup management device by comparing the at least one next key provided to the changed subgroup management device and at least one next key in the key chain stored at the at least one receiving device associated with the changed subgroup management device.
  - 8. The method according to claim 7, further comprising:
    - using the group management device, tracking each key provided to the at least one subgroup management device associated with the at least one receiving device.
  - 9. The method according to claim 7, wherein the detecting of the change in the at least one subgroup management device is selected from a group consisting of:
    - after the change in the at least one subgroup management device and before the change in the at least one subgroup management device.
  - 10. The method according to claim 9, wherein the detecting of the change in the at least one subgroup management device further comprisesreceiving an indication of a new subgroup management device.
  - 11. The method according to claim 9, wherein the detecting of the change in the at least one subgroup management device further comprisesusing the group management device, generating a command to replace a current subgroup management device with a new subgroup management device.
  - 12. The method according to claim 1, wherein the number of keys in the key chain corresponding to the at least one receiving device is different from the number of keys in a key chain corresponding to at least another receiving device.
  - 13. The method according to claim 1, wherein the at least one subgroup management device and the associated at least one receiving device are configured to communicate using keys in the key chain provided to the at least one subgroup management device and stored at the associated at least one receiving device.

14. A computer program product stored on a non-transitory computer-readable medium, for use with a computer configured to providing secure communication in a system including a group management device, at least one subgroup management device, and at least one receiving device, wherein at least one subgroup management device is associated with at least receiving device, the computer program product having computer-executable instructions for causing the computer to:
- establish a temporary secure communication path between the group management device and the at least one receiving device;
  
  generate a key chain corresponding to the at least one receiving device, wherein the key chain includes a predetermined number of keys and having each key related to at least another key by at least one inverse of a one-way function, wherein the predetermined number of keys is agreed upon by the group management device and the at least one receiving device;
  
  store the generated key chain at the group management device and the at least one receiving device;
  
  tear down the temporary secure communication path subsequent to the storing of the generated key chain;
  
  provide at least one key in the generated key chain to the at least one subgroup management device associated with the at least one receiving device;
  
  using the generated key chain, authenticate the at least one subgroup management device; and
  
  establish another secure communication path between the group management device and the at least one subgroup management device and the at least one subgroup management device and the at least one receiving device associated with the at least one subgroup management device.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The computer program product according to claim 14, further comprising executable instructions for causing the computer to:
    - communicate, via the temporary secure communication path, a seed to the at least one receiving device;
      
      using at least one of a first one inverse of a one-way function, generate another seed based on the communicated seed;
      
      using at least one of a second one inverse of a one-way function, generate at least one key in the key chain based on the communicated seed and generating other keys in the key chain based on the generated seed;
      
      wherein the at least one of the first one inverse of a one-way function is different from the at least one of the second one inverse of a one-way function.
  - 16. The computer program product according to claim 15, wherein the communicated seed is a primary seed and the at least one of the first one inverse of a one-way function is configured to generate a most senior key in the key chain based on the primary seed.
  - 17. The computer program product according to claim 16, further comprising executable instructions for causing the computer to:
    - continue to generate seeds until the number of seeds is equal to the predetermined number of keys.
  - 18. The computer program product according to claim 16, whereinthe primary seed is a most senior seed;
    - keys in the generated key chain are configured to be arranged in a sequential order starting from a most senior key to a most junior key, wherein the most senior key is generated based on the most senior seed;
      
      each next-most senior seed is generated based on the most senior seed using the at least one of a first one inverse of a one-way function;
      
      each next-most senior key is generated based on the next-most senior seed using at least one of the second one inverse of a one-way function;
      
      the most junior key is generated based on a prior-least senior seed using the at least one of the second one inverse of a one-way function.
  - 19. The computer program product according to claim 18, further comprising executable instructions for causing the computer to:
    - provide a key in the key chain, corresponding to the at least one receiving device, to the at least one subgroup management device associated with the at least one receiving device in a reverse order of keys arranged in the key chain, wherein the most junior key is provided first.
  - 20. The computer program product according to claim 18, further comprising executable instructions for causing the computer to:
    - detect a change in the at least one subgroup management device associated with the at least one receiving device;
      
      provide at least one next key in the key chain corresponding to the at least one receiving device to the changed subgroup management device; and
      
      authenticate the changed subgroup management device by comparing the at least one next key provided to the changed subgroup management device and at least one next key in the key chain stored at the at least one receiving device associated with the changed subgroup management device.
  - 21. The computer program product according to claim 20, further comprising executable instructions for causing the computer to:
    - using the group management device, track each key provided to the at least one subgroup management device associated with the at least one receiving device.
  - 22. The computer program product according to claim 20, wherein the detection of the change in the at least one subgroup management device is selected from a group consisting of:
    - after the change in the at least one subgroup management device and before the change in the at least one subgroup management device.
  - 23. The computer program product according to claim 22, wherein the detection of the change in the at least one subgroup management device further comprises executable instructions for causing the computer to:
    - receive an indication of a new subgroup management device.
  - 24. The computer program product according to claim 22, wherein the detection of the change in the at least one subgroup management device further comprises executable instructions for causing the computer to:
    - using the group management device, generate a command to replace a current subgroup management device with a new subgroup management device.
  - 25. The computer program product according to claim 24, wherein the number of keys in the key chain corresponding to the at least one receiving device is different from the number of keys in a key chain corresponding to at least another receiving device.
  - 26. The computer program product according to claim 24, wherein the at least one subgroup management device and the associated at least one receiving device are configured to communicate using keys in the key chain provided to the at least one subgroup management device and stored at the associated at least one receiving device.

27. A system for providing secure communication in a system including a group management device, at least one subgroup management device, and at least one receiving device, wherein at least one subgroup management device is associated with at least receiving device, comprising:
- a communication device configured to provide communication between the group management device, the at least one subgroup management device, and the at least one receiving device;
  
  a memory; and
  
  a processor coupled to the communication device and the memory and configured tocause the communication device to establish a temporary secure communication path between the group management device and the at least one receiving device;
  
  generate a key chain corresponding to the at least one receiving device, wherein the key chain includes a predetermined number of keys and having each key related to at least another key by at least one inverse of a one-way function, wherein the predetermined number of keys is agreed upon by the group management device and the at least one receiving device;
  
  store in memory the generated key chain at the group management device and the at least one receiving device;
  
  tear down the temporary secure communication path subsequent to the storing of the generated key chain;
  
  provide at least one key in the generated key chain to the at least one subgroup management device associated with the at least one receiving device;
  
  using the generated key chain, authenticate the at least one subgroup management device; and
  
  cause the communication device to establish another secure communication path between the group management device and the at least one subgroup management device and the at least one subgroup management device and the at least one receiving device associated with the at least one subgroup management device.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The system according to claim 27, wherein the processor is further configured tocause the communication device to communicate, via the temporary secure communication path, a seed to the at least one receiving device;
    - using at least one of a first one inverse of a one-way function, generate another seed based on the communicated seed;
      
      using at least one of a second one inverse of a one-way function, generate at least one key in the key chain based on the communicated seed and generating other keys in the key chain based on the generated seed;
      
      wherein the at least one of the first one inverse of a one-way function is different from the at least one of the second one inverse of a one-way function.
  - 29. The system according to claim 28, wherein the communicated seed is a primary seed and the at least one of the first one inverse of a one-way function is configured to generate a most senior key in the key chain based on the primary seed.
  - 30. The system according to claim 29, wherein the processor is further configured tocontinue to generate seeds until the number of seeds is equal to the predetermined number of keys.
  - 31. The system according to claim 29, whereinthe primary seed is a most senior seed;
    - keys in the generated key chain are configured to be arranged in a sequential order starting from a most senior key to a most junior key, wherein the most senior key is generated based on the most senior seed;
      
      each next-most senior seed is generated based on the most senior seed using the at least one of a first one inverse of a one-way function;
      
      each next-most senior key is generated based on the next-most senior seed using at least one of the second one inverse of a one-way function;
      
      the most junior key is generated based on a prior-least senior seed using the at least one of the second one inverse of a one-way function.
  - 32. The system according to claim 31, wherein the processor is further configured toprovide a key in the key chain, corresponding to the at least one receiving device, to the at least one subgroup management device associated with the at least one receiving device in a reverse order of keys arranged in the key chain, wherein the most junior key is provided first.
  - 33. The system according to claim 31, wherein the processor is further configured todetect a change in the at least one subgroup management device associated with the at least one receiving device;
    - provide at least one next key in the key chain corresponding to the at least one receiving device to the changed subgroup management device;
      
      authenticate the changed subgroup management device by comparing the at least one next key provided to the changed subgroup management device and at least one next key in the key chain stored at the at least one receiving device associated with the changed subgroup management device.
  - 34. The system according to claim 33, wherein the processor is further configured tousing the group management device, track each key provided to the at least one subgroup management device associated with the at least one receiving device.
  - 35. The system according to claim 33, wherein the detection of the change in the at least one subgroup management device is selected from a group consisting of:
    - after the change in the at least one subgroup management device and before the change in the at least one subgroup management device.
  - 36. The system according to claim 35, wherein the detection of the change in the at least one subgroup management device further comprisesreceiving an indication of a new subgroup management device.
  - 37. The system according to claim 36, wherein the detection of the change in the at least one subgroup management device further comprisesusing the group management device, generating a command to replace a current subgroup management device with a new subgroup management device.
  - 38. The system according to claim 27, wherein the number of keys in the key chain corresponding to the at least one receiving device is different from the number of keys in a key chain corresponding to at least another receiving device.
  - 39. The system according to claim 27, wherein the at least one subgroup management device and the associated at least one receiving device are configured to communicate using keys in the key chain provided to the at least one subgroup management device and stored at the associated at least one receiving device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Clearinghouse LLC (RPX Corporation)
Original Assignee
Rockstar Bidco LP (Rockstar Consortium Inc.)
Inventors
Dondeti, Lakshminath
Primary Examiner(s)
Parthasarathy, Pramila

Application Number

US12/804,216
Publication Number

US 20100290625A1
Time in Patent Office

838 Days
Field of Search

None
US Class Current

380/278
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 9/0833   involving conference or gro...

H04L 9/50   using hash chains, e.g. blo...

Secure group communications

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Secure group communications

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links