Many emerging applications e.g., teleconference, real-time information services, pay per view, distributed interactive simulation, and collaborative work are based upon a group communications model, i.e., they require packet delivery from one or more authorized senders to a very large number of authorized receivers. As a result, securing group communications i.e., providing confidentiality, integrity, and authenticity of messages delivered between group members will become a critical networking issue. In this paper, we present a novel solution to the scalability problem of group multicast key management. We formalize the notion of a secure group as a triple U; K; R where U denotes a set of users, K a set of keys held by the users, and R a user-key relation. We then introduce key graphs to specify secure groups. For a special class of key graphs, we present three strategies for securely distributing rekey messages after a join leave, and specify protocols for joining and leaving a secure group. The re keying strategies and join leave protocols are implemented in a prototype group key server we have built.