1. Field of the Invention
This invention relates to computer networks. In particular, the invention relates to conference security.
2. Description of Related Art
Group-oriented security is typically directed to either the application layer or the network layer. Approaches for the application layer employ user authentication techniques either separately or integrated into a conference key distribution scheme. Approaches for the network layer achieve group security through the distribution and management of cryptographic keys using techniques collectively referred to as group key management (GKM).
Although these approaches provide some level of security for group-oriented activities, they are inadequate for multicast sessions or conferences that require a high level of security and flexibility in conference management. Examples of these desired features include source identity and authentication, data confidentiality, participation non-repudiation, sender/receiver non-repudiation, cheater detection and identification, secure conference joining, and secure member ejection.
Therefore, there is a need in the technology for a simple and efficient method of providing secure group activity in a network environment.
The present invention is directed to a method and apparatus for securing a session in a system having application and network layers. A multicast conference secure architecture (MCSA) acts as an intermediary at the session layer between an application layer and a network layer. By providing an intermediary at the session layer, many protocols and applications at the application and network layers can be maintained separately and independently. The MCSA includes a session manager, which manages the session, and a security storage, which provides the security components used in the session.
According to one embodiment of the present invention, the session manager includes a conference session manager interfacing to the application layer and a multicast session manager interfacing to the network layer. The security storage includes storage for the conference keys, the group keys, the session directory, and a security association database. A session is initiated by an initiator session manager. An authorizer is appointed to manage the distribution of the group key to be used in the encryption and decryption of the messages transferred during the session. Conference keys are generated and distributed to users in the session when the users become members of the session.
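As an added illustration, not the patent's own mechanism, the following Python models the security storage and the authorizer role described above: the authorizer hands each admitted member the group key sealed under that member's conference key, and secure member ejection rotates the group key and re-distributes it only to the remaining members, so the ejected member's stale key no longer authenticates new traffic. The sealing primitive, and the use of conference keys to wrap the group key, are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Toy authenticated encryption (SHA-256 keystream XOR + HMAC) so the example runs with
# only the standard library; illustration only, not a cipher the patent specifies.
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, data)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # wrong key or tampered blob
    return _xor_stream(key, nonce, ct)

class SecurityStorage:
    """Session-layer key store: per-member conference keys, the group key, member directory."""
    def __init__(self):
        self.conference_keys: dict[str, bytes] = {}
        self.session_directory: set[str] = set()
        self.group_key = os.urandom(32)

class Authorizer:
    """Distributes the group key, each copy sealed under a member's conference key (assumed)."""
    def __init__(self, storage: SecurityStorage):
        self.s = storage

    def admit(self, member: str) -> bytes:
        self.s.conference_keys[member] = os.urandom(32)  # delivered during the join exchange
        self.s.session_directory.add(member)
        return seal(self.s.conference_keys[member], self.s.group_key)

    def eject(self, member: str) -> dict[str, bytes]:
        # Secure ejection: drop the member, rotate the group key, re-distribute to the rest.
        self.s.session_directory.discard(member)
        self.s.conference_keys.pop(member, None)
        self.s.group_key = os.urandom(32)
        return {m: seal(self.s.conference_keys[m], self.s.group_key)
                for m in self.s.session_directory}
```

Each member recovers the group key with `unseal(conference_key, wrapped)`, and conference traffic is then sealed under the group key; after `eject`, a message sealed under the rotated key fails authentication for anyone holding only the old key.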
Other aspects and features of the present invention will become apparent to those ordinarily skilled in the art upon review of the following description of specific embodiments of the invention in conjunction with the accompanying figures.