Secure session for a group of network nodes

US 9,705,856 B2
Filed: 07/27/2012
Issued: 07/11/2017
Est. Priority Date: 07/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method of a network node, for creating a secure session for members of a group of network nodes, the method comprising:

receiving, from a trusted entity over a channel established based on an identity certificate of the trusted entity;

an identity certificate for the network node,an assertion for the network node, certifying a role of the network node within the group, anda secret group key for the group;

creating a session identifier and a secret session key for the secure session;

sending a broadcast message comprising the session identifier, which broadcast message is encrypted and authenticated using the group key;

receiving a discovery message from a further network node of the group of network nodes; and

sending a discovery response message comprising the secret session key to the further network node in an event the further network node is not on a revocation list provided by the trusted entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods (500) of a network node (111) for creating and joining secure sessions for members (111-114) of a group of network nodes are provided. The methods comprise receiving an identity certificate and an assertion for the network node as well as a secret group key for the group. The method for creating a session further comprises creating (501) a session identifier and a secret session key for the session, and sending (502) an encrypted and authenticated broadcast message comprising the session identifier. The method for joining a session further comprises sending an encrypted and authenticated discovery message comprising the identity certificate and the assertion, and receiving an encrypted and authenticated discovery response message from another network node which is a member of the group. The disclosed combined symmetric key and public key scheme is based on the availability of three credentials at each node, i.e., the identity certificate, the assertion, and the secret group key, which are received from a trusted entity. Further, a computer program, a computer program product, and a network node are provided.

Citations

21 Claims

1. A method of a network node, for creating a secure session for members of a group of network nodes, the method comprising:
- receiving, from a trusted entity over a channel established based on an identity certificate of the trusted entity;
  
  an identity certificate for the network node,an assertion for the network node, certifying a role of the network node within the group, anda secret group key for the group;
  
  creating a session identifier and a secret session key for the secure session;
  
  sending a broadcast message comprising the session identifier, which broadcast message is encrypted and authenticated using the group key;
  
  receiving a discovery message from a further network node of the group of network nodes; and
  
  sending a discovery response message comprising the secret session key to the further network node in an event the further network node is not on a revocation list provided by the trusted entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, whereinthe discovery message comprises an identity certificate of the further network node and an assertion of the further network node being encrypted and authenticated using the group key, the method further comprising:
    - determining whether the assertion of the further network node is valid, andunder the condition that the further network node is not on the revocation list and that the assertion of the further network node is valid, sending the discovery response message to the further network node, wherein the discovery response message is encrypted and authenticated using a public key of the identity certificate of the further network node.
  - 3. The method according to claim 1, wherein the identity certificate is unique for each network node and comprises a public key and a corresponding private key.
  - 4. The method according to claim 1, wherein the assertion is unique for each network node and certifies that the network node is a member of the group and the role of the network node within the group.
  - 5. The method according to claim 1, wherein the group key is unique for each group of network nodes and is symmetric.
  - 6. The method according to claim 1, wherein the identity certificate is received from the trusted entity during a registration phase.
  - 7. The method according to claim 1, wherein the group key and the assertion are received from the trusted entity during a group creation or a group join phase.
  - 8. The method according to claim 1, wherein the group key and the assertion are received from an authorized member of the group during a group creation or a group join phase.
  - 9. A non-transitory computer readable storage medium, having stored thereon, computer-executable instructions that when executed by a computing device, cause the computing device to perform the method according to claim 1.
  - 10. A computer program product comprising a non-transitory computer readable storage medium, the computer readable storage medium having the computer-executable instructions according to claim 9 embodied therein.

11. A method of a network node, for joining a secure session for members of a group of network nodes, the method comprising:
- receiving, from a trusted entity over a channel established based on an identity certificate of the trusted entity;
  
  an identity certificate for the network node,an assertion for the network node, certifying a role of the network node within the group, anda secret group key for the group;
  
  sending a discovery message comprising the identity certificate for the network node and the assertion for the network node, which discovery messages is encrypted and authenticated using the group key; and
  
  receiving a discovery response message from another network node which is a member of the group in an event the network node is not on a revocation list provided by the trusted entity, and which discovery response message comprises a secret session key for the secure session and is encrypted and authenticated using a public key of the identity certificate of the network node.
- View Dependent Claims (12)
- - 12. The method according to claim 11, wherein the discovery message further comprises a session identifier and the secret session key comprised in the discovery response message corresponds to the session identifier.

13. A network node comprising:
- a receiver being arranged for receiving, from a trusted entity over a channel established based on an identity certificate of the trusted entity;
  
  an identity certificate for the network node,an assertion for the network node, certifying a role of the network node within a group of network nodes, anda secret group key for the group;
  
  a processor; and
  
  a transmitter,wherein, in response to a request to create a secure session for members of the group;
  
  the processor is arranged for creating a session identifier and a secret session key for the secure session, andthe transmitter is arranged for sending a broadcast message comprising the session identifier, which broadcast message is encrypted and authenticated using the group key, and wherein, in response to a request to join an existing secure session for members of the group;
  
  the transmitter is arranged for sending a discovery message comprising the identity certificate for the network node and the assertion for the network node, which discovery message is encrypted and authenticated using the group key, andthe receiver is further arranged for receiving a discovery response message from another network node which is a member of the group in an event the network node is not on a revocation list provided by the trusted entity, and which discovery response message comprises a secret session key for the secure session and is encrypted and authenticated using the public key of the identity certificate of the network node.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The network node according to claim 13, wherein:
    - the receiver is further arranged for receiving another discovery message from a further network node, which another discovery message comprises an identity certificate of the further network node and an assertion of the further network node and is encrypted and authenticated using the group key, andthe processor is further arranged for;
      
      determining whether the further network node is on a revocation list provided by the trusted entity, anddetermining whether the assertion of the further network node is valid, and wherein the transmitter is further arranged for sending, under the condition that the further network node is not on the revocation list and that the assertion of the further network node is valid, another discovery response message to the further network node, which another discovery response message comprises the secret session key and is encrypted and authenticated using the public key of the identity certificate of the further network node.
  - 15. The network node according to claim 13, wherein the discovery message further comprises a session identifier and the secret session key comprised in the discovery response message corresponds to the session identifier.
  - 16. The network node according to claim 13, wherein the identity certificate is unique for each network node and comprises a public key and a corresponding private key.
  - 17. The network node according to claim 13, wherein the assertion is unique for each network node and certifies that the network node is a member of the group and the role of the network node within the group.
  - 18. The network node according to claim 13, wherein the group key is unique for each group of network nodes and is symmetric.
  - 19. The network node according to claim 13, wherein the receiver is further arranged for receiving the identity certificate from the trusted entity during a registration phase.
  - 20. The network node according to claim 13, wherein the receiver is further arranged for receiving the group key and the assertion from the trusted entity during a group creation or a group join phase.
  - 21. The network node according to claim 13, wherein the receiver is further arranged for receiving the group key and the assertion from an authorized member of the group during a group creation or a group join phase.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Gehrmann, Christian, Seitz, Ludwig, Ohlsson, Oscar
Primary Examiner(s)
CHANG, KENNETH W

Application Number

US14/413,276
Publication Number

US 20150195261A1
Time in Patent Office

1,810 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/1822   Conducting the conference, ...

H04L 2463/062   applying encryption of the ...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/0823   using certificates cryptogr...

H04L 67/141   Setup of application sessio...

H04L 9/0833   involving conference or gro...

H04L 9/3263   involving certificates, e.g...

Secure session for a group of network nodes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure session for a group of network nodes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links