A METHOD FOR A RESILIENT CENTRALIZED KEY MANAGEMENT MODEL USING KEY PRE-GENERATION

IP.com Disclosure Number: IPCOM000243192D
Publication Date: 2015-Sep-17
Document File: 6 page(s) / 3M

Publishing Venue

The IP.com Prior Art Database

Related People

Amjad Inamdar: AUTHOR (and 4 others)

Abstract

A solution is presented herein in which a key server in a centralized key management model pre-generates an ordered list of instances of each key type for current and future use, and distributes these multiple key instances to redundant key servers and potentially to group members. The set of key servers in the centralized model also keeps a record of an emergency key; use of that key signals that the set of key servers will soon be unsynchronized. This makes the centralized key management model resilient to network outages by ensuring uninterrupted secure communication among group members even when there is a communication outage between key servers, or between group members and key servers.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 39% of the total text.

AUTHORS:

Amjad Inamdar
Amit Garg
Lewis Chen

Brian Weis

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

    In a centralized key management model such as the Group Domain of Interpretation (GDOI, RFC 6407), a centralized key server distributes keys and policies to authenticated group members. The key can be a group key or a pairwise key.

    A problem with this model is that the central key server becomes a single point of failure. Using redundant key servers requires co-ordination and synchronisation between them. A communication outage between redundant key servers can cause them to go out of sync and to independently generate and distribute different keys to their group members. This leads to an outage of secure communication between group members served by different key servers.

Copyright 2015 Cisco Systems, Inc.

    The term group member is used herein to refer to the entities that use or consume the keys generated by the central key server.

    The term key server is used to refer to the entity that generates and distributes keys to group members. A primary key server is responsible for generating new keys. A redundant key server accepts new keys from a primary key server, but may in the future become the primary key server if the primary key server becomes unreachable.

    In a centralized key management model, a primary key server generates only a single instance of each key type and distributes it to the redundant key servers, after which all the key servers distribute the key to the group members registered with them. The primary key server generates a new instance of each key type only when the existing key is about to expire.

    Presented herein is an approach involving pre-generation of a predetermined or configurable number of ordered instances of each key type, enough to last multiple key lifetimes, and distribution of these multiple key instances to redundant key servers as shown in FIG. 1 below. Each pre-generated key in the ordered list has the configured lifetime, so holding the list of pre-generated keys ensures key server synchronization for the duration of "number of keys" times "lifetime of one key".
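The following Python simulation is an added illustration of the ordered-list scheme described above; it is not part of the disclosure and not Cisco's or any GDOI implementation. A primary key server pre-generates a list of keys with back-to-back lifetimes, copies the list to a redundant key server, and the two are then partitioned; each serves group members from its own copy and the model checks at several instants whether both sides still hand out the same key. The key-type name "TEK", the lifetime and list-length values, and the choice of the last list entry as the emergency key are assumptions made for the example.

```python
"""Toy model of key pre-generation for a centralized key management model
(added example with assumed names and values; not GDOI protocol code)."""
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

KEY_LIFETIME = 3600       # seconds one key instance is valid (assumed value)
NUM_PREGENERATED = 4      # ordered-list length, the "number of keys" in the text


@dataclass(frozen=True)
class KeyInstance:
    seq: int          # position in the ordered list
    key: bytes        # the key material itself
    not_before: int   # first second this instance is current
    not_after: int    # first second it is no longer current


def pregenerate_keys(start_time: int,
                     count: int = NUM_PREGENERATED,
                     lifetime: int = KEY_LIFETIME,
                     rng: Callable[[int], bytes] = os.urandom) -> List[KeyInstance]:
    """Primary key server duty: build an ordered list of `count` keys whose
    lifetimes are back to back, so the list covers count * lifetime seconds."""
    keys = []
    for i in range(count):
        not_before = start_time + i * lifetime
        keys.append(KeyInstance(i, rng(32), not_before, not_before + lifetime))
    return keys


def synchronized_until(keys: List[KeyInstance]) -> int:
    """Time up to which every server holding this list agrees on the current
    key without any further coordination ("number of keys" x "lifetime")."""
    return keys[-1].not_after


class KeyServer:
    """Primary or redundant; once the list is installed, both choose the key
    for a given time the same way."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.lists: Dict[str, List[KeyInstance]] = {}

    def install(self, key_type: str, keys: List[KeyInstance]) -> None:
        # Distribution from the primary (or local generation on the primary).
        self.lists[key_type] = list(keys)

    def current_key(self, key_type: str, now: int) -> Optional[KeyInstance]:
        # Select by validity window, not by counting rekeys, so two servers
        # with the same list and roughly the same clock pick the same entry.
        for k in self.lists.get(key_type, []):
            if k.not_before <= now < k.not_after:
                return k
        return None   # list exhausted: this server is about to fall out of sync

    def emergency_in_use(self, key_type: str, now: int) -> bool:
        # Assumption for this model: the last entry of the ordered list is the
        # emergency key; handing it out signals that resynchronization is urgent.
        k = self.current_key(key_type, now)
        return k is not None and k.seq == self.lists[key_type][-1].seq


def simulate_outage(start_time: int = 0) -> Dict[int, Dict[str, bool]]:
    """Distribute one list to two servers, partition them, and report at
    several instants whether group members on each side get the same key."""
    primary, redundant = KeyServer("ks-primary"), KeyServer("ks-redundant")
    tek = pregenerate_keys(start_time)
    primary.install("TEK", tek)
    redundant.install("TEK", tek)   # completed before the outage begins
    # From here on the two servers cannot talk; each serves from its own copy.
    sample_times = [start_time + 10,
                    start_time + KEY_LIFETIME + 5,
                    start_time + 3 * KEY_LIFETIME + 5,
                    start_time + 4 * KEY_LIFETIME + 5]
    report = {}
    for t in sample_times:
        kp, kr = primary.current_key("TEK", t), redundant.current_key("TEK", t)
        report[t] = {
            "in_sync": kp is not None and kr is not None and kp.key == kr.key,
            "emergency": primary.emergency_in_use("TEK", t),
        }
    return report


if __name__ == "__main__":
    for t, status in simulate_outage().items():
        print(f"t={t:6d}s  in_sync={status['in_sync']}  emergency={status['emergency']}")
```

Run as a script, the model shows both servers agreeing through the first three lifetimes, the emergency flag raised while the last pre-generated key is current, and loss of agreement once the list is exhausted. One design point worth noting for a deployment of this idea: every redundant server now holds key material for several future lifetimes, so the at-rest protection of those lists matters as much as the protection of the current key.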

FIG. 1

    With this approach,...