In one example, an apparatus such as an authorization server and method for secure communication between constrained devices issues cryptographic communication rights among a plurality of constrained devices. Each of the plurality of constrained devices comprises no more than one cryptographic algorithm code module per cryptographic function. The method includes receiving a cryptographic communication rights request associated with at least a first of the plurality of constrained devices in response to a cryptographic algorithm update request, and includes providing a response including an identification of a subset of the plurality of constrained devices that have cryptographic communication rights with the identified first of the plurality of constrained devices. A software update server then updates the cryptographic code modules in the sub-set of the plurality of constrained devices.