Shared distribution of digital products using multicast

Broadband connectivity enables effective distribution of interactive multimedia content over the Internet. The successful deployment of future multimedia applications with high bandwidth requirements will depend on business models that efficiently allocate network resources based on user demands and preferences. We present a market-based allocation framework to complement existing network protocols in a scalable and feasible manner. The model exploits the redundancy of the network to share digital products among hierarchies of communities that share common demand profiles. Quality of service-based multicast is used as the underlying network protocol. While significant advances have been made in terms of the technological protocols, corresponding business models have not been explored extensively. We outline such a model accounting for the current market structure. The highlights of the business model we propose are shared distribution, hierarchy of communities and bundling of products by local distributors. Our model leads to the NP-hard problem of computation of Steiner arborescences, and we outline feasible solution heuristics.     

Sender access and data distribution control for inter-domain multicast groups

The classical IP multicast model makes it impossible to restrict the forwarded data to that originated by an authorized sender. Without effective sender access control, an adversary may exploit the existing IP multicast model, where a sender can send multicast data without prior authentication and authorization. Even a group key management protocol that efficiently distributes the encryption and the authentication keys to the receivers will not be able to prevent an adversary from spoofing the sender address or replaying any previously sent data and hence, flooding the Data Distribution Tree. This can create an efficient Denial of Service attack.In this paper, we propose an architecture for sender access control and data distribution control in inter-domain multicast groups. For sender access control, the Protocol for Carrying Authentication for Network Access, encapsulating Extensible Authentication Protocol packets, is used to authenticate a sender and to establish an IPsec Security Association between the sender and the Access Router to cryptographically authenticate each packet. This access control architecture is then extended to support inter-domain multicast groups by making use of Diameter agents. An inter-domain Data Distribution Tree (DDT) is distributed over different domains. Hence, sender access control will be meaningless without protecting the whole DDT. We have protected the DDT from several attacks generated by a compromised network entity by carrying the multicast data in one or a series of Multicast Security Associations (MSA). Two alternate solutions have been developed that detect and stop forwarding of any forged packet by utilizing multiple checkpoints in the DDT. The first method uses a centralized MSA for the whole DDT while the second method uses a number of small-sized MSAs. Next, the two methods have been compared with respect to different features, such as establishment and maintenance costs, delivery time, etc. The MSA method has been compared with Keyed HIP (KHIP), and we have established that MSA-based methods reasonably outperform KHIP. Finally, the security properties of MSA construction using the GDOI protocol have been validated using the AVISPA tool. Two attacks have been detected by AVISPA, which we have fixed by modifying the GDOI protocol. The security properties of the data transmission method through MSAs using the Authentication Header (AH) protocol have also been analyzed.     

大型分布式组播访问控制系统MDAC

组播安全领域的研究主要集中在端到端的数据保护方面。针对大型组播系统访问控制问题的研究成果不多,已有的研究结果存在很多局限。提出了基于SPKI技术的组播分布式访问控制系统MDAC,和现有的其它方案相比,MDAC不仅具有优越的性能,而且具备分布式、支持非对称组播、授权委托和隐私保护等特性。     

基于哈夫曼树的无证书公钥广播加密方案

现有的无证书广播加密方案是向用户传输相同的信息量,没有权限的概念。基于哈夫曼树,引入权值,提出了一种新的无证书公钥广播加密方案,实现了对不同权限的用户传输不同的信息量。与已有的广播方案相比,该方案平均计算密钥量少,降低了通信开销,灵活性更高。     

SOPCA 条件接收系统的设计与应用

数字电视条件接收系统是广泛电视信息安全的关键环节,目前国内实用的系统均为国外公司的产品,不利于国家信息安全的管理。在现有DVB（Digital Video Broadcasting)标准的基础上,提出了SOPCA （Software Platform of Connecting Appliance)条件接收系统,实现了节目传输流加扰、节目管理、用户管理、分层加密机制和IC卡控制等关键技术,完成了在自主知识产权的SOPCA嵌入式操作系统和硬件平台上的原型机应用。经过总体结构和具体性能的综合分析比较,在功能上优于其它同类系统,最后对系统功能的进一步完善进行了探讨。     

A hierarchical group key management scheme for secure multicast increasing efficiency of key distribution in leave operation

This paper proposes an efficient protocol and associate algorithm for group key management in secure multicast. This protocol is based on a hierarchy approach in which the group is logically divided into subgroups. The group key is organized using member secrets assigned to each member and server secrets assigned to each subgroup, and the inverse value of the member secrets are also used to manage the group key when a member leaves. In this case, each member in a single subgroup needs to store the inverse values of the other members in that subgroup with the exception of its own. When a member joins the group, after updating the previous group key in the server, the new key is sent to all existing group members, and the inverse value of the new member is sent to subgroup members (where there is a join), by exploiting IP multicast. Most importantly, the server just sends the inverse value of the leaving member to the subgroups when a member leaves. Then, the group key is updated by each remaining member in the subgroups by using that inverse value. Consequently, the benefits are two-fold. First, only one key needs to be generated by the server at each event. Second, not only the computational overhead is reduced but also new key information can be multicast to all members simultaneously. This paper describes the details of our novel protocol and the related algorithm.     

An efficient protocol for secure multicast key distribution in the presence of adaptive adversaries

In this paper, an efficient construction of multicast key distribution schemes based on semantically secure symmetric-key encryption schemes and cryptographically strong pseudo-random number generators is presented and analyzed. The proposed scheme is provably secure against adaptive adversaries leveraging the security amplification technique defined over the logical key hierarchy structures. Our protocol tolerates any coalition of revoked users; in particular, we do not assume any limit on the size or structure of the coalition. The proposed scheme is efficient as a performance of Join or Leave procedure requires 2 log(N) multicast activities defined over a sibling ancestor node set, 2 log(N) internal state updates of the underlying pseudo-random number generator and 2 log(N) symmetric-key encryption activities for N users in a session.     

基于公钥广播加密的安全组播方案

应用公钥广播加密进行安全组播的难点是如何更有效地权衡实现代价和安全性.通过引入身份标志区分各个接收者,并利用一组接收者的身份标志代替一般公钥广播加密方案中的组公钥,缩短了系统公钥参数的长度.将新的公钥广播加密方案应用到安全组播通信的过程表明,该方案有效降低了计算和通信代价,且达到了抗选择密文攻击的语义安全性.     

基于代理的分布式大型动态组播密钥管理协议

参照分布式方法代表性协议Iolus提供的组播密钥管理安全框架和因特网组管理协议IGMP,设计了一种新的分布式密钥管理体系结构,组播组由一些分布的组播子组构成,采用一种改进的LKH协议实现子组内密钥管理,提出了一种基于代理的分布式的大型动态组播密钥管理协议,并通过增加签名标记改进了现有密钥管理协议对成员身份认证的不足。与LKH、Iolus协议相比．该文协议降低了“1影响N”问题,具有较好的可扩展性,有效降低了协议通信延迟和带宽等负载。     

嵌入式系统加密技术在数字电视中的应用

为了使更多的嵌入式系统的原创者能有效地保护自己的开发成果和知识产权,介绍了嵌入式系统加密芯片 DM2016的结构、特点及其在数字电视加密领域的应用,同时给出了 BlowFish 算法在嵌入式主系统中的加密方法及应用。     

一种基于调度的VOD系统的研究与实现

传统的视频点播(Video-On-Demand,VOD)系统中,服务器为每个用户请求分配一个独立的信道。这样过多的用户经常会造成系统的服务器I/O带宽或网络带宽的瓶颈。对服务器信道调度方案的设计是缓解这一瓶颈问题的一种有效方法。介绍了一种采用了可控多播(Controlled Multieast,CM)信道调度方案的系统的实现。测试结果表明,该系统可以节约带宽,增大视频点播服务的用户数目,较好地缓解传统VOD系统中的服务器I/O或网络带宽瓶颈问题。     

AD9788在多业务数字分布系统中的应用

介绍了一种采用单片高速数模转换器AD9788实现将多业务数字分布系统中两种不同制式多载波数字基带信号转换成模拟中频信号的实现方案,该方案具有较强的实用性和参考价值。     

Secure three-party key distribution protocol for fast network access in EAP-based wireless networks

In this paper, we present a solution that reduces the time spent on providing network access in multi-domain mobile networks where the authentication process is based on the Extensible Authentication Protocol (EAP). The goal is to achieve fast and smooth handoffs by reducing the latency added by the authentication process. This process is typically required when a mobile user moves from one authenticator to another regardless of whether the new authenticator is in the same domain (intra-domain) or different domain (inter-domain). To achieve an efficient solution to this problem, it has been generally recognized that a fast and secure key distribution process is required. We propose a new fast re-authentication architecture that employs a secure three-party key distribution protocol which reduces the number of message exchanges during the network access control process. Our approach is proved to preserve security and verified by means of a formal tool. The resulting performance benefits are shown through our extensive simulations.     

数字电视机顶盒EPG系统的设计与实现

作为数字电视机顶盒的重要交互式业务,电子节目指南的好坏对机顶盒的功能和性能有着重大的影响,故此设计了一种高效的数字电视EPG系统.该系统在PSI/SI信息接收过程中,采用了与传统方法不同的收表顺序,针对EIT表section较多的客观事实,提出了一种section拼接算法实现section随机且无丢失的快速接收和拼接.在存储过程中,采用树状链表结构实现PSI/SI同级别信息的联合存储,方便了PSI/SI信息的查询.该EPG系统实现了电视节目信息的快速直观展示.     

A fast algorithm for Huffman decoding based on a recursion Huffman tree

This paper focuses on the time efficiency of Huffman decoding. In this paper, we utilize numerical interpretation to speed up the decoding process. The proposed algorithm firstly transforms the given Huffman tree into a recursion Huffman tree. Then, with the help of the recursion Huffman tree, the algorithm has the possibility to decode more than one symbol at a time if the minimum code length is less than or equal to half of the width of the processing unit. When the minimum code length is larger than the half of the width of the processing unit, the proposed method can still increase the average symbols decoded in one table access (thus speeding up the decoding time). In fact, the experimental results of the test files show that the average number of decoded symbols at one time for the proposed method ranges from 1.91 to 2.13 when the processing unit is 10. The experimental comparisons show that, compared to the conventional binary tree search method and the level-compressed Huffman decoding method, the decoding time of the proposed method is a great improvement.     

基于覆盖组播的应用层组通信服务系统

网络层组播是提供一对多或者多对多通信的最佳方式,但是由于其在技术上和非技术上的原因难以在Inteme上部署。设计和实现了一种基于覆盖组播的组通信服务系统,为组通信应用提供组播服务。这个系统独立于路由器的组播机制,能够快速实现与应用系统的集成,而且能够利用多种传输协议,为构建基于Internet的组通信应用系统提供了有效的支持。     

无线网络中动态组密钥管理方案

在无线网络环境中,在对一组用户服务时,需要为其分配一个组共享密钥。好的密钥管理方案可以极大减少网络通信量,提高系统效率。论文分析了密钥管理的现状及存在的问题,然后提出了一种无线网络中基于物理拓扑结构的逻辑密钥树方案,并对此方案进行设计和性能分析,仿真结果表明此方案能有效减少网络通信量。     

一种基于分配的车队自组网节点接入机制

通过分析自组网中不同接入机制对网络通信性能产生的影响,根据车队自身的特点,针对车队自组网的组织形式提出了一种基于分配的节点接入机制。该机制将竞争信息与业务信息相分离,有效地克服了车队自组网中竞争信息对正常业务信息造成干扰的问题,提高了车队通信的性能。