The lack of security mechanisms for IP multicast has impeded the large scale commercial deployment of applications such as pay-per-view information dissemination services and real-time videoconferencing. In this report, we describe the design and implementation of a scalable mechanism for secure multicast. It relies on a trusted, centralized security manager to authenticate participants and distribute keys. To ensure that participants are unable to access session data sent before they join or after they leave the group, the security manager rekeys the participants of the session in response to group membership changes. To avoid an excess of rekeying traffic that would be caused by frequent membership changes, we introduce an epoch-based rekeying protocol, wherein rekeying takes place at most once per a fixed duration of time called an epoch. We use the SRM reliable multicast protocol to disseminate rekeying messages. To minimize disruption of the session at participants caused by loss of rekey messages (and their consequent inability to decrypt session data), the usage of new keys is delayed by an additional epoch. This technique maximizes the probability of the reliable multicast mechanism delivering the rekey message to all participants. The key distribution protocol and the corresponding objects have been implemented in the MASH toolkit as reusable modules. Performance studies reveal the bottleneck in our system to be the bandwidth consumed by rekeying traffic. Based on our observations, we propose an extension to our scheme that would go a long way towards achieving true global scalability for secure multicast groups.