数字媒体有条件接收技术综述

从数字媒体有条件接收系统面临的新问题出发,对数字视频加密、密钥管理、盗版追踪和数字媒体内容保护四个方面技术存在的问题、研究现状进行了介绍和分析,并对各项技术的发展趋势进行了阐述。     

一种基于视频转码与IP组播的媒体推送系统设计

为了减轻源节点负载,提高带宽利用率,提出了一种新型媒体推送系统设计.所提系统结合了视频转码与IP组播技术特点,一方面继承IP组播的带宽优势,另一方面实现了多种格式及码率用户间的数据共享.在所提系统的具体组织形式上,提出了顺序模式与上传模式,并对两种组织模式进行了建模分析.在仿真实验中,对所提系统和现行系统进行了仿真实现和比较,结果显示,所提系统在带宽消耗和源节点负载性能上具有一定的优势.     

Shared distribution of digital products using multicast

Broadband connectivity enables effective distribution of interactive multimedia content over the Internet. The successful deployment of future multimedia applications with high bandwidth requirements will depend on business models that efficiently allocate network resources based on user demands and preferences. We present a market-based allocation framework to complement existing network protocols in a scalable and feasible manner. The model exploits the redundancy of the network to share digital products among hierarchies of communities that share common demand profiles. Quality of service-based multicast is used as the underlying network protocol. While significant advances have been made in terms of the technological protocols, corresponding business models have not been explored extensively. We outline such a model accounting for the current market structure. The highlights of the business model we propose are shared distribution, hierarchy of communities and bundling of products by local distributors. Our model leads to the NP-hard problem of computation of Steiner arborescences, and we outline feasible solution heuristics.     

网络编码下的网络电视条件接收系统关键技术

网络编码的主要优点是提高网络吞吐量、均衡网络负载以及提高带宽利用率,尤其适合无线网络、Ad Hoc、P2P以及流媒体传输等领域,在构建IP网络电视方面具有巨大的潜力。研究在网络编码下构建网络电视的条件接收系统,提出了一种基于随机网络编码(RLNC)和SPOC模型的轻量级加密方法和一种高效的层次组密钥分发管理方案。所提方案具有加密数据量非常小的优点,适合用于网络电视实时流媒体加密,同时结合MPEG多分辨率的特点,可以针对各种付费用户,根据不同的收费提供不同网络视频质量。性能分析表明,所提方案利用网络编码提高了网络吞吐量,同时加密数据量远小于传统的IP网络电视加密方法,层次组密钥分发管理方案有效解决了密钥分发问题。     

Sender access and data distribution control for inter-domain multicast groups

The classical IP multicast model makes it impossible to restrict the forwarded data to that originated by an authorized sender. Without effective sender access control, an adversary may exploit the existing IP multicast model, where a sender can send multicast data without prior authentication and authorization. Even a group key management protocol that efficiently distributes the encryption and the authentication keys to the receivers will not be able to prevent an adversary from spoofing the sender address or replaying any previously sent data and hence, flooding the Data Distribution Tree. This can create an efficient Denial of Service attack.In this paper, we propose an architecture for sender access control and data distribution control in inter-domain multicast groups. For sender access control, the Protocol for Carrying Authentication for Network Access, encapsulating Extensible Authentication Protocol packets, is used to authenticate a sender and to establish an IPsec Security Association between the sender and the Access Router to cryptographically authenticate each packet. This access control architecture is then extended to support inter-domain multicast groups by making use of Diameter agents. An inter-domain Data Distribution Tree (DDT) is distributed over different domains. Hence, sender access control will be meaningless without protecting the whole DDT. We have protected the DDT from several attacks generated by a compromised network entity by carrying the multicast data in one or a series of Multicast Security Associations (MSA). Two alternate solutions have been developed that detect and stop forwarding of any forged packet by utilizing multiple checkpoints in the DDT. The first method uses a centralized MSA for the whole DDT while the second method uses a number of small-sized MSAs. Next, the two methods have been compared with respect to different features, such as establishment and maintenance costs, delivery time, etc. The MSA method has been compared with Keyed HIP (KHIP), and we have established that MSA-based methods reasonably outperform KHIP. Finally, the security properties of MSA construction using the GDOI protocol have been validated using the AVISPA tool. Two attacks have been detected by AVISPA, which we have fixed by modifying the GDOI protocol. The security properties of the data transmission method through MSAs using the Authentication Header (AH) protocol have also been analyzed.     

大型分布式组播访问控制系统MDAC

组播安全领域的研究主要集中在端到端的数据保护方面。针对大型组播系统访问控制问题的研究成果不多,已有的研究结果存在很多局限。提出了基于SPKI技术的组播分布式访问控制系统MDAC,和现有的其它方案相比,MDAC不仅具有优越的性能,而且具备分布式、支持非对称组播、授权委托和隐私保护等特性。     

基于公钥的可逆数字水印

为了提高可逆数字水印的安全性和透明性,增加嵌入容量,提出了一种基于公钥的可逆数字水印。该方法首先对载体图像直方图中峰值点与左右两侧的零值点之间的像素点进行移位,然后提取载体图像的特征值,将该特征值与经过混沌系统加密的数字水印进行异或处理后,采用公钥将其嵌入到处理后的载体图像内。图像的验证过程是嵌入过程的逆过程,验证完成后,根据峰值点及其与零值点之间的关系将移位的像素点复原,即可完全复原原始图像。采用公钥系统和混沌系统充分保证了系统的安全性,峰值点与其两侧的零值点之间的像素移位既保证了能够嵌入更多的信息和较高的峰值信噪比,又保证了所有的像素点都能被认证。通过对大量的图像进行仿真分析,结果显示该方法具有较高的安全性,与同类方法相比,能够嵌入更多的信息量,同时具有更高的透明性。     

基于哈夫曼树的无证书公钥广播加密方案

现有的无证书广播加密方案是向用户传输相同的信息量,没有权限的概念。基于哈夫曼树,引入权值,提出了一种新的无证书公钥广播加密方案,实现了对不同权限的用户传输不同的信息量。与已有的广播方案相比,该方案平均计算密钥量少,降低了通信开销,灵活性更高。     

Stateless key distribution for secure intra and inter-group multicast in mobile wireless network

Group communication has become an important component in wireless networks. In this paper, we focus on the environments in which multiple groups coexist in the system, and both intra and inter-group multicast traffic must be protected by secret keys. We propose a mechanism that integrates polynomials with stateless secret updates to achieve personal key share distribution and efficient key refreshment during group changes. The proposed mechanism distributes keys via true broadcast. Compared to previous approaches, the proposed mechanism has the following advantages: (1) The adoption of symmetric encryption/decryption for multicast traffic matches the limited processing capability of wireless nodes. (2) The stateless feature of key distribution matches the properties of mobile wireless networks including frequent topology changes and temporary connection disruptions. (3) Special mechanisms are designed to reduce the communication overhead during key updates and provide protection against both intra and inter-group impersonation. The storage, computation, and communication overhead of the proposed mechanism is investigated. Analysis and simulation are conducted to demonstrate the improvements over previous approaches.     

SOPCA 条件接收系统的设计与应用

数字电视条件接收系统是广泛电视信息安全的关键环节，目前国内实用的系统均为国外公司的产品，不利于国家信息安全的管理。在现有DVB（Digital Video Broadcasting)标准的基础上，提出了SOPCA （Software Platform of Connecting Appliance)条件接收系统，实现了节目传输流加扰、节目管理、用户管理、分层加密机制和IC卡控制等关键技术，完成了在自主知识产权的SOPCA嵌入式操作系统和硬件平台上的原型机应用。经过总体结构和具体性能的综合分析比较，在功能上优于其它同类系统，最后对系统功能的进一步完善进行了探讨。     

A hierarchical group key management scheme for secure multicast increasing efficiency of key distribution in leave operation

This paper proposes an efficient protocol and associate algorithm for group key management in secure multicast. This protocol is based on a hierarchy approach in which the group is logically divided into subgroups. The group key is organized using member secrets assigned to each member and server secrets assigned to each subgroup, and the inverse value of the member secrets are also used to manage the group key when a member leaves. In this case, each member in a single subgroup needs to store the inverse values of the other members in that subgroup with the exception of its own. When a member joins the group, after updating the previous group key in the server, the new key is sent to all existing group members, and the inverse value of the new member is sent to subgroup members (where there is a join), by exploiting IP multicast. Most importantly, the server just sends the inverse value of the leaving member to the subgroups when a member leaves. Then, the group key is updated by each remaining member in the subgroups by using that inverse value. Consequently, the benefits are two-fold. First, only one key needs to be generated by the server at each event. Second, not only the computational overhead is reduced but also new key information can be multicast to all members simultaneously. This paper describes the details of our novel protocol and the related algorithm.     

An efficient protocol for secure multicast key distribution in the presence of adaptive adversaries

In this paper, an efficient construction of multicast key distribution schemes based on semantically secure symmetric-key encryption schemes and cryptographically strong pseudo-random number generators is presented and analyzed. The proposed scheme is provably secure against adaptive adversaries leveraging the security amplification technique defined over the logical key hierarchy structures. Our protocol tolerates any coalition of revoked users; in particular, we do not assume any limit on the size or structure of the coalition. The proposed scheme is efficient as a performance of Join or Leave procedure requires 2 log(N) multicast activities defined over a sibling ancestor node set, 2 log(N) internal state updates of the underlying pseudo-random number generator and 2 log(N) symmetric-key encryption activities for N users in a session.     

基于条件分布信息量的不完备决策表属性约简

通过分析目前信息观下不完备信息系统属性约简,针对已提出的几种信息熵存在随着属性的增加系统分类能力减弱的不足,从条件属性确定的容差类在决策属性划分上的分布出发,给出不完备决策表的条件分布信息量的定义;同时,定义了新的属性重要度,并以此为启发信息设计属性约简算法。通过实验说明了该算法对不完备决策表属性约简是可行的。     

基于可信度的分布式组播密钥管理研究

局部分布式组播密钥管理将安全信息限制在若干个服务器节点上,如果这些节点本身可信度不高,将会导致整个网络的安全受到威胁。在局部分布式组播密钥管理中引入了服务器节点的可信度机制,通过可信度的计算来维护一个可信度较高的密钥更新服务器组。仿真结果表明,引入可信度机制,可以提高Ad hoc网络中密钥更新的成功率以及减少更新延迟时间,从而达到提高整个网络安全的目的。     

基于公钥广播加密的安全组播方案

应用公钥广播加密进行安全组播的难点是如何更有效地权衡实现代价和安全性.通过引入身份标志区分各个接收者,并利用一组接收者的身份标志代替一般公钥广播加密方案中的组公钥,缩短了系统公钥参数的长度.将新的公钥广播加密方案应用到安全组播通信的过程表明,该方案有效降低了计算和通信代价,且达到了抗选择密文攻击的语义安全性.     

嵌入式系统加密技术在数字电视中的应用

为了使更多的嵌入式系统的原创者能有效地保护自己的开发成果和知识产权,介绍了嵌入式系统加密芯片 DM2016的结构、特点及其在数字电视加密领域的应用,同时给出了 BlowFish 算法在嵌入式主系统中的加密方法及应用。     

基于代理的分布式大型动态组播密钥管理协议

参照分布式方法代表性协议Iolus提供的组播密钥管理安全框架和因特网组管理协议IGMP,设计了一种新的分布式密钥管理体系结构,组播组由一些分布的组播子组构成,采用一种改进的LKH协议实现子组内密钥管理,提出了一种基于代理的分布式的大型动态组播密钥管理协议,并通过增加签名标记改进了现有密钥管理协议对成员身份认证的不足。与LKH、Iolus协议相比．该文协议降低了“1影响N”问题,具有较好的可扩展性,有效降低了协议通信延迟和带宽等负载。     

一种基于调度的VOD系统的研究与实现

传统的视频点播(Video-On-Demand,VOD)系统中,服务器为每个用户请求分配一个独立的信道。这样过多的用户经常会造成系统的服务器I/O带宽或网络带宽的瓶颈。对服务器信道调度方案的设计是缓解这一瓶颈问题的一种有效方法。介绍了一种采用了可控多播(Controlled Multieast,CM)信道调度方案的系统的实现。测试结果表明,该系统可以节约带宽,增大视频点播服务的用户数目,较好地缓解传统VOD系统中的服务器I/O或网络带宽瓶颈问题。     

基于关键节点时延约束低代价组播路由算法

针对时延约束下低代价组播树的构建方法,提出了一种基于关键节点的时延约束低代价组播路由算法.该算法对已有的动态时延优化的链路选择函数进行改进,并加入关键节点和关键次数的概念.在首次选择目的节点时,重点考虑关键节点和关键次数因素,降低了选择低代价链路的时间复杂性,再利用改进后的链路选择函数依次选择节点加入树中,进而产生满足要求的组播树.实验仿真结果表明,该算法不仅能正确构建出时延约束低代价组播树,且与其他算法相比,构成组播树所需平均时间更少.     

数字电视机顶盒EPG系统的设计与实现

作为数字电视机顶盒的重要交互式业务,电子节目指南的好坏对机顶盒的功能和性能有着重大的影响,故此设计了一种高效的数字电视EPG系统.该系统在PSI/SI信息接收过程中,采用了与传统方法不同的收表顺序,针对EIT表section较多的客观事实,提出了一种section拼接算法实现section随机且无丢失的快速接收和拼接.在存储过程中,采用树状链表结构实现PSI/SI同级别信息的联合存储,方便了PSI/SI信息的查询.该EPG系统实现了电视节目信息的快速直观展示.