Title: Community of interest-based secured communications over IPsec
Abstract: A method and system for establishing secure communications between endpoints includes transmitting a first message including a token having one or more entries, each corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint. The method includes receiving a second message including a second authorization token having one or more entries, each entry corresponding to a community of interest associated with a second user and including an encryption key and a validation key associated with the second endpoint. The method includes, for each community of interest associated with both users, decrypting the associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint. The method also includes generating a shared secret based on a key pair created at the first endpoint, transmitting a third message including the created key pair to the second endpoint, and initializing a tunnel that uses the shared secret to derive the encryption keys used for IPsec-secured communications between the endpoints.
Publication number: US9596077(B2)    Publication date: 2017.03.14
Application number: US201314042212    Filing date: 2013.09.30
Applicant: Unisys Corporation    Inventors: Johnson Robert A; Wild Kathleen; Inforzato Sarah K; Hinaman Ted
IPC classes: H04L29/06; H04L9/08; G06F21/53; G06F21/00    Main class: H04L29/06
Agency: (none listed)    Agent: Marley Robert P.
Independent claim 1. A method of establishing secure communications between endpoints, the method comprising: transmitting, by a processor of a first endpoint, from the first endpoint to a second endpoint a first message including a token, the token including one or more entries, each entry corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint and encrypted with the corresponding community of interest key; receiving, at the processor of the first endpoint, from the second endpoint a second message, distinct from the first message, including a second authorization token at the first endpoint, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with a second user of the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with the corresponding community of interest key; for each community of interest associated with both the first user and the second user, decrypting an associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint; creating, by the processor of the first endpoint, a key pair at the first endpoint and generating a shared secret based on the key pair; transmitting, by the processor of the first endpoint, a third message, distinct from the first and second messages, including the created key pair to the second endpoint, thereby allowing the second endpoint to derive the shared secret; initializing, by the processor of the first endpoint, a tunnel between the first and second endpoints, the tunnel using the shared secret to derive encryption keys used for IPsec-secured communications between the first and second endpoints.
Address: Blue Bell PA US
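The abstract and claim 1 above describe the exchange in prose only. The following is an added, constructed walk-through of the three messages (initiator token, responder token, keyed third message) as a runnable Python example; it is not Unisys code and is not taken from the patent. Assumptions made for the demo and labelled in the code: community of interest (COI) keys are pre-shared symmetric keys provisioned out of band; each token entry seals the endpoint's encryption key and validation key under the COI key with a stdlib-only encrypt-then-MAC construction standing in for an AEAD; the claim's "key pair" is realised as a Diffie-Hellman exchange in which only public values travel (the responder's value rides in message 2, the initiator's in message 3), since sending a private key would defeat the purpose; the DH group is demo-sized, not an IKE group; and the "IPsec keys" are simply two HKDF outputs. Names such as `Endpoint`, `run_exchange` and the COI labels are hypothetical.

```python
"""Constructed demo of a COI-keyed three-message exchange (added example, not Unisys code)."""
import hashlib
import hmac
import secrets

# ASSUMPTION: demo-sized DH group. Real deployments use an IKE group such as RFC 3526 group 14.
DH_P = (1 << 127) - 1   # Mersenne prime M127; far too small for production use
DH_G = 3


def _hkdf(ikm, info, length=32, salt=b""):
    """HKDF-SHA256 (RFC 5869) with the standard library only."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC with an HKDF-derived keystream; stands in for AES-GCM (ASSUMPTION)."""
    nonce = secrets.token_bytes(16)
    stream = _hkdf(key, b"stream" + nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_hkdf(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Inverse of seal(); returns None on a bad tag instead of raising."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_hkdf(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    stream = _hkdf(key, b"stream" + nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class Endpoint:
    def __init__(self, name, coi_keys):
        self.name = name
        self.coi_keys = coi_keys                 # COI name -> pre-shared COI key (out-of-band provisioning)
        self.enc_key = secrets.token_bytes(32)   # peers encrypt *to* this endpoint with it
        self.val_key = secrets.token_bytes(32)   # peers validate messages *from* this endpoint with it

    def token(self):
        """One entry per COI of this user: (enc_key || val_key) sealed under that COI's key.
        The COI identifier is hashed so the token does not list COI names in clear (ASSUMPTION)."""
        return {hashlib.sha256(c.encode()).hexdigest(): seal(k, self.enc_key + self.val_key, self.name.encode())
                for c, k in self.coi_keys.items()}

    def peer_keys_from(self, peer_name, token):
        """For each COI this endpoint shares with the token's owner, decrypt that entry -> {coi: (enc, val)}."""
        found = {}
        for c, k in self.coi_keys.items():
            blob = token.get(hashlib.sha256(c.encode()).hexdigest())
            pt = unseal(k, blob, peer_name.encode()) if blob else None
            if pt is not None and len(pt) == 64:
                found[c] = (pt[:32], pt[32:])
        return found


def dh_keypair():
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def tunnel_keys(shared, coi):
    """Derive the tunnel's cipher and integrity keys from the shared secret (stand-in for IKE's PRF+)."""
    ikm = shared.to_bytes(16, "big")
    return _hkdf(ikm, b"esp-enc|" + coi.encode()), _hkdf(ikm, b"esp-auth|" + coi.encode())


def run_exchange(initiator, responder):
    """Plays both sides; returns each side's derived tunnel keys, or None if no COI is shared."""
    msg1 = {"from": initiator.name, "token": initiator.token()}                 # message 1
    r_view = responder.peer_keys_from(msg1["from"], msg1["token"])
    if not r_view:
        return None                                                             # no common COI: no tunnel
    r_priv, r_pub = dh_keypair()
    msg2 = {"from": responder.name, "token": responder.token(), "dh_pub": r_pub}  # message 2 (+ DH value, ASSUMPTION)
    i_view = initiator.peer_keys_from(msg2["from"], msg2["token"])
    common = sorted(set(i_view) & set(r_view))
    if not common:
        return None
    coi = common[0]
    peer_enc, _ = i_view[coi]
    i_priv, i_pub = dh_keypair()
    shared_i = pow(msg2["dh_pub"], i_priv, DH_P)
    # Message 3: initiator's DH value, encrypted to the responder and authenticated with the initiator's validation key.
    body = seal(peer_enc, i_pub.to_bytes(16, "big"), coi.encode())
    msg3 = {"coi": coi, "body": body, "mac": hmac.new(initiator.val_key, body, hashlib.sha256).digest()}
    _, init_val = r_view[msg3["coi"]]                                           # learned from message 1
    if not hmac.compare_digest(msg3["mac"], hmac.new(init_val, msg3["body"], hashlib.sha256).digest()):
        return None
    pt = unseal(responder.enc_key, msg3["body"], msg3["coi"].encode())
    shared_r = pow(int.from_bytes(pt, "big"), r_priv, DH_P)
    return {"coi": coi, "initiator": tunnel_keys(shared_i, coi), "responder": tunnel_keys(shared_r, coi)}


COI_KEYS = {"finance": b"F" * 32, "hr": b"H" * 32, "ops": b"O" * 32}   # constructed demo COI keys


def demo():
    alice = Endpoint("alice", {c: COI_KEYS[c] for c in ("finance", "hr")})
    bob = Endpoint("bob", {c: COI_KEYS[c] for c in ("finance", "ops")})
    carol = Endpoint("carol", {"ops": COI_KEYS["ops"]})
    return run_exchange(alice, bob), run_exchange(alice, carol)   # second pair shares no COI


if __name__ == "__main__":
    print(demo())
```

Two properties worth checking when running this: both sides end with identical tunnel keys only when a COI is shared (alice/carol yields None without either side learning the other's per-endpoint keys), and a flipped byte in any sealed blob is rejected before decryption because the tag is checked first. The MAC on message 3 is what lets the responder attribute the DH value to the initiator; without it, anyone holding the COI key could inject a value.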