US9705856B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9705856-B2 |
| Application number | US-201214413276-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 27, 2012 |
| Priority date | Jul 27, 2012 |
| Publication date | Jul 11, 2017 |
| Grant date | Jul 11, 2017 |
Official abstract text for this publication.
Methods (500) of a network node (111) for creating and joining secure sessions for members (111-114) of a group of network nodes are provided. The methods comprise receiving an identity certificate and an assertion for the network node as well as a secret group key for the group. The method for creating a session further comprises creating (501) a session identifier and a secret session key for the session, and sending (502) an encrypted and authenticated broadcast message comprising the session identifier. The method for joining a session further comprises sending an encrypted and authenticated discovery message comprising the identity certificate and the assertion, and receiving an encrypted and authenticated discovery response message from another network node which is a member of the group. The disclosed combined symmetric key and public key scheme is based on the availability of three credentials at each node, i.e., the identity certificate, the assertion, and the secret group key, which are received from a trusted entity. Further, a computer program, a computer program product, and a network node are provided.
Opening claim text (preview).
The invention claimed is:

1. A method of a network node, for creating a secure session for members of a group of network nodes, the method comprising: receiving, from a trusted entity over a channel established based on an identity certificate of the trusted entity: an identity certificate for the network node, an assertion for the network node, certifying a role of the network node within the group, and a secret group key for the group; creating a session identifier and a secret session key for the secure session; sending a broadcast message comprising the session identifier, which broadcast message is encrypted and authenticated using the group key; receiving a discovery message from a further network node of the group of network nodes; and sending a discovery response message comprising the secret session key to the further network node in an event the further network node is not on a revocation list provided by the trusted entity.
2. The method according to claim 1, wherein the discovery message comprises an identity certificate of the further network node and an assertion of the further network node being encrypted and authenticated using the group key, the method further comprising: determining whether the assertion of the further network node is valid, and under the condition that the further network node is not on the revocation list and that the assertion of the further network node is valid, sending the discovery response message to the further network node, wherein the discovery response message is encrypted and authenticated using a public key of the identity certificate of the further network node.
3. The method according to claim 1, wherein the identity certificate is unique for each network node and comprises a public key and a corresponding private key.
4. The method according to claim 1, wherein the assertion is unique for each network node and certifies that the network node is a member of the group and the role of the network node within the group.
5. The method according to claim 1, wherein the group key is unique for each group of network nodes and is symmetric.
6. The method according to claim 1, wherein the identity certificate is received from the trusted entity during a registration phase.
7. The method according to claim 1, wherein the group key and the assertion are received from the trusted entity during a group creation or a group join phase.
8. The method according to claim 1, wherein the group key and the assertion are received from an authorized member of the group during a group creation or a group join phase.
9. A non-transitory computer readable storage medium, having stored thereon, computer-executable instructions that when executed by a computing device, cause the computing device to perform the method according to claim 1.
10. A computer program product comprising a non-transitory computer readable storage medium, the computer readable storage medium having the computer-executable instructions according to claim 9 embodied therein.
11. A method of a network node, for joining a secure session for members of a group of network nodes, the method comprising: receiving, from a trusted entity over a channel established based on an identity certificate of the trusted entity: an identity certificate for the network node, an assertion for the network node, certifying a role of the network node within the group, and a secret group key for the group; sending a discovery message comprising the identity certificate for the network node and the assertion for the network node, which discovery message is encrypted and authenticated using the group key; and receiving a discovery response message from another network node which is a member of the group in an event the network node is not on a revocation list provided by the trusted entity, and which discovery response message comprises a secret session key for the secure session and is encrypted and authenticated using a public key of the identity certificate of the network node.
12. The method according to claim 11, wherein the discovery message further comprises a session identifier and the secret session key comprised in the discovery response message corresponds to the session identifier.
13. A network node comprising: a receiver being arranged for receiving, from a trusted entity over a channel established based on an identity certificate of the trusted entity: an identity certificate for the network node, an assertion for the network node, certifying a role of the network node within a group of network nodes, and a secret group key for the group; a processor; and a transmitter, wherein, in response to a request to create a secure session for members of the group: the processor is arranged for creating a session identifier and a secret session key for the secure session, and the transmitter is arranged for sending a broadcast message comprising the session identifier, which broadcast message is encrypted and authenticated using the group key, and wherein, in response to a request to join an existing secure session for members of the group: the transmitter is arranged for sending a discovery message comprising the identity certificate for the network node and the assertion for the network node, which discovery message is encrypted and authenticated using the group key, and the receiver is further arranged for receiving a discovery response message from another network node which is a member of the group in an event the network node is not on a revocation list provided by the trusted entity, and which discovery response message comprises a secret session key for the secure session and is encrypted and authenticated using the public key of the identity certificate of the network node.
14. The network node according to claim 13, wherein: the receiver is further arranged for receiving another discovery message from a further network node, which another discovery message comprises an identity certificate of the further network node and an assertion of the further network node and is encrypted and authenticated using the group key, and the processor is further arranged for: determining whether the further network node is on a revocation list provided by the trusted entity, and determining whether the assertion of the further network node is valid, and wherein the transmitter is further arranged for sending, under the condition that the further network node is not on the revocation list and that the assertion of the further network node is valid, another discovery response message to the further network node, which another discovery response message comprises the secret session key and is encrypted and authenticated using the public key of the identity certificate of the further network node.
15. The network node according to claim 13, wherein the discovery message further comprises a session identifier and the secret session key comprised in the discovery response message corresponds to the session identifier.
16. The network node according to claim 13, wherein the identity certificate is unique for each network node and comprises a public key and a corresponding private key.
17. The network node according to claim 13, wherein the assertion is unique for each network node and certifies that the network node is a member of the group and the role of the network node within the group.
18. The network node according to claim 13, wherein the group key is unique for each group of network nodes and is symmetric.
19. T
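The create/join exchange of claims 1, 2 and 11, worked as an added Ruby model (not code from the patent or its assignee). The claims fix only the three credentials and the checks, so the primitives are assumptions: "encrypted and authenticated using the group key" is AES-256-GCM, the trusted entity's certificate and assertion are JSON documents it signs with RSA, the discovery response wraps the session key with RSA-OAEP to the joiner's certified public key and is signed by the creator, and the revocation list is a plain array of node identifiers.

```ruby
require 'openssl'
require 'json'
# Constructed model of the create/join exchange in the claims (not the patent's own code).
# Group-key "encrypt and authenticate" = AES-256-GCM (iv|tag|ciphertext); certificate and
# assertion = JSON signed by the trusted entity; the session key is RSA-OAEP-wrapped and signed.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
def group_seal(group_key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = group_key
  iv, ct = c.random_iv, c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end
def group_open(group_key, blob)  # raises OpenSSL::Cipher::CipherError if the tag fails
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key, c.iv, c.auth_tag = group_key, blob[0, 12], blob[12, 16]
  c.update(blob[28..]) + c.final
end
# Trusted entity: identity certificate {node, pub} and assertion {node, group, role}.
def issue(te_key, body)
  { 'body' => body, 'sig' => [te_key.sign('SHA256', body.to_json)].pack('m0') }
end
def issued_by?(te_pub, doc)
  te_pub.verify('SHA256', doc['sig'].unpack1('m0'), doc['body'].to_json)
end
# Creator: fresh session id and secret session key; only the id is broadcast.
def create_session(group_key)
  session = { 'id' => OpenSSL::Random.random_bytes(8).unpack1('H*'),
              'key' => OpenSSL::Random.random_bytes(32) }
  [session, group_seal(group_key, session['id'])]
end
# Joiner: discovery message = own certificate + assertion + session id, under the group key.
def discovery_msg(group_key, cert, assertion, sid)
  group_seal(group_key, { 'cert' => cert, 'assertion' => assertion, 'sid' => sid }.to_json)
end
# Creator releases the session key only if the message authenticates under the group key,
# both credentials are trusted-entity issued for the same node, and that node is not revoked.
def handle_discovery(group_key, te_pub, revoked, session, creator_key, msg)
  d = JSON.parse(group_open(group_key, msg))
  node = d['cert']['body']['node']
  return nil unless d['sid'] == session['id'] && issued_by?(te_pub, d['cert']) &&
                    issued_by?(te_pub, d['assertion']) && d['assertion']['body']['node'] == node
  return nil if revoked.include?(node)
  wrapped = OpenSSL::PKey::RSA.new(d['cert']['body']['pub']).public_encrypt(session['key'], OAEP)
  { 'wrapped' => wrapped, 'sig' => creator_key.sign('SHA256', wrapped) }
end
# Joiner: verify the creator's signature, then unwrap the session key with its private key.
def accept_response(joiner_key, creator_pub, resp)
  return nil unless creator_pub.verify('SHA256', resp['sig'], resp['wrapped'])
  joiner_key.private_decrypt(resp['wrapped'], OAEP)
end
```

A discovery message sealed under any key other than the group key never reaches the credential checks: `group_open` raises on the failed tag, which is the point of claim 1's "encrypted and authenticated using the group key".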
involving conference or group key (network architectures or network communication protocols for key management in group communication in a packet data network H04L63/065) · CPC title
involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823) · CPC title
for group communications (cryptographic mechanisms or cryptographic arrangements for key management involving conference or group key H04L9/0833) · CPC title
Conducting the conference, e.g. admission, detection, selection or grouping of participants, correlating users to one or more conference sessions, prioritising transmission · CPC title
Setup of application sessions (admission control or resource allocation in data switching networks H04L47/70) · CPC title