More and more confidential information is being kept on networked computers, and at the same time computers are becoming more connected. Computer networks often include a well-protected internal network joined to an uncontrolled network such as the Internet. The world-wide computer access now available is both exhilarating, because of the increased availability of information, and sobering because of the security risks inherent in so open a system. Ensuring the privacy, integrity and authenticity of data in these days of interconnected systems becomes ever more important.
One way to ensure security is to make use of trusted groups. A trusted group is a group of entities that have made mutual recognition agreements with each other. Sometimes an authority separate from the group itself, such as a Certification Authority (CA), makes decisions about who is to be trusted. CA's are often organized into trusted groups known as certification hierarchies. Once an entity is a member of a trusted group, it may safely share information with other members of its trusted group.
When cryptographic connections are established between network communication endpoints, state information (e.g., a security association, cryptographic context, security context, cipher suite, and/or the like) is maintained by each endpoint. For instance, such cryptographic state information is maintained by each endpoint in a connection across a firewall.
When one member of a trusted group has the cryptographic information for a connection, the other members of the group do not automatically have access to that information. But there are times when another member of the trusted group should receive access to the connection because the original entity is not available, such as when a proxy server becomes unavailable and another proxy server would replace it online. Within some existing systems the original cryptographic connection is lost when the original entity goes offline, and the tedious process of making a new safe cryptographic connection must be repeated to bring up a new member of the trusted group. An unencrypted connection could theoretically be used, putting a new machine online immediately, but since unencrypted connection information is quite vulnerable to theft and misuse that could breach security, this is often inadvisable.
Thus, it would be an advancement in the art to provide improved ways to efficiently allow members of a trusted computing group to share cryptographic information. For instance, to permit one endpoint to transparently share multiple computing entities in such a way that the other endpoint cannot distinguish between the multiple entities, it would be beneficial for the multiple entities to share their cryptographic context information. Moreover, because the other members of the group are known to be trustworthy, it would be beneficial to skip checks which must be performed when dealing with less-well-known entities.
Such improvements are disclosed and claimed herein.