Abstract: Methods of automatically populating a secure group list in a key variable loader and of providing keys to a secure group are presented. After a user selects a secure group and encryption algorithm using inputs of the loader, the loader provides a group identifier and corresponding key for the group. The group identifier, encryption algorithm, and key are transmitted to a portable communication device over a physical connection between the two while a device identifier of the communication device is transmitted concurrently to the loader. The key variable loader automatically populates a stored list of subscribers of the group with the device identifier. When it is desired to transmit a new key to all of or fewer than all of the subscribers, one of the subscribers is connected with the loader and used to wirelessly transmit a new key to the remaining subscribers.

Abstract: Disclosed is a method for encrypted communications. A first IPsec endpoint selects a security association (SA) from a security association database (SAD) by using a selector and then extracts an indexing parameter from SA. The indexing parameter is used to determine an active key location from a key storage database (KSD). Data packets are then encrypted using a key from the active key location. The first IPsec endpoint also forms a security parameter index (SPI) in a header of the data packet by using a keyID from the active key location and transmits the encrypted data packet with the header indicating the SPI to a second IPsec endpoint.

Abstract: A source endpoint includes a security association database; a processing device and an interface operatively coupled to: receive a first packet requiring security processing; retrieve from the first packet a destination endpoint data address for a destination endpoint that is to receive the first packet; determine an address translation; apply the address translation to the retrieved destination endpoint data address to generate a destination endpoint security address, and create an entry in a storage device, wherein the entry corresponds only to the destination endpoint and comprises the generated destination endpoint security address and a set of security parameters. The source endpoint further indexes the storage device to obtain the security parameters for security processing of the first packet to generate a secured first packet; and sends the secured first packet to the destination endpoint.

Abstract: A method for managing a packet in a communication system between two or more endpoints, a sender and one or more recipients, comprises receiving a first packet comprising a source identifier that uniquely identifies a sender of the first packet and a current source time assigned to the first packet by the sender, determining a received time for the first packet, retrieving a cached source time assigned by the sender to a second packet that was received prior to receiving the first packet, and determining whether to discard or process the first packet based on the current source time, the received time, and the cached source time. The current source time, the received time, and the cached time, in addition to predetermined parameters such as a maximum age and an anti-replay window allows a recipient to determine whether to process or discard a packet.

Abstract: Methods of automatically populating a secure group list in a key variable loader and of providing keys to a secure group are presented. After a user selects a secure group and encryption algorithm using inputs of the loader, the loader provides a group identifier and corresponding key for the group. The group identifier, encryption algorithm, and key are transmitted to a portable communication device over a physical connection between the two while a device identifier of the communication device is transmitted concurrently to the loader. The key variable loader automatically populates a stored list of subscribers of the group with the device identifier. When it is desired to transmit a new key to all of or fewer than all of the subscribers, one of the subscribers is connected with the loader and used to wirelessly transmit a new key to the remaining subscribers.

Abstract: Disclosed is a method for encrypted communications. A first IPsec endpoint selects a security association (SA) from a security association database (SAD) by using a selector and then extracts an indexing parameter from SA. The indexing parameter is used to determine an active key location from a key storage database (KSD). Data packets are then encrypted using a key from the active key location. The first IPsec endpoint also forms a security parameter index (SPI) in a header of the data packet by using a keyID from the active key location and transmits the encrypted data packet with the header indicating the SPI to a second IPsec endpoint.

Abstract: Key management methods and communication protocol adapted to reduce the burden placed upon a key delivery device (e.g., KVL) operator. The KVL (101, 401) receives KMM frames (800) including a target destination field (826) and a key management message field (830). Key management messages (KMMs) to be delivered to various targets are included within the key management message fields. The KVL identifies targets either from target destination identifiers in the target destination field (if the KMM is to be delivered encrypted or “black” transfer to target) or from target destination identifiers in the KMM itself (if the KMM is to delivered unencrypted or “red” transfer to target). The KVL determines candidate devices to be targets if they correspond to the target destination identifiers and if so, the KVL automatically delivers the proper key management messages to the respective targets. Key management messages are not delivered to candidate devices not determined to be targets.