Similar literature
Found 20 similar articles (search time: 15 ms)
1.
We study the problem of distributing cryptographic keys to a secure multicast group with a single sender and multiple receivers. We show that the problem of designing a key distribution model with specific communication overhead can be posed as a constraint optimization problem. Using the formulation, we show how to minimize the number of keys to be stored by the group controller. An explicit design algorithm with given key update communication budget is also presented.

2.
As group-oriented services become the focal point of ad hoc network applications, securing the group communications becomes a default requirement. In this paper, we address the problem of group access in secure multicast communications for wireless ad hoc networks. We argue that energy expenditure is a scarce resource for the energy-limited ad hoc network devices and introduce a cross-layer approach for designing energy-efficient, balanced key distribution trees to perform key management. To conserve energy, we incorporate the network topology (node location), the “power proximity” between network nodes and the path loss characteristics of the medium in the key distribution tree design. We develop new algorithms for homogeneous as well as heterogeneous environments and derive their computational complexity. We present simulation studies showing the improvements achieved for three different but common environments of interest, thus illustrating the need for cross-layer design approaches for security in wireless networks. Loukas Lazos received the B.S. and M.S. degrees from the Electrical Engineering Department, National Technical University of Athens, Athens, Greece, in 2000 and 2002, respectively. He is currently working towards the Ph.D. degree in the Electrical Engineering Department, University of Washington, Seattle. His current research interests focus on cross-layer designs for energy-efficient key management protocols for wireless ad-hoc networks, as well as secure localization systems for sensor networks. Radha Poovendran received the Ph.D. degree in electrical engineering from the University of Maryland, College Park, in 1999. He has been an Assistant Professor in the Electrical Engineering Department, University of Washington, Seattle, since September 2000. His research interests are in the areas of applied cryptography for multiuser environment, wireless networking, and applications of information theory to security. Dr. Poovendran is a recipient of the Faculty Early Career Award from the National Science Foundation (2001), Young Investigator Award from the Army Research Office (2002), Young Investigator Award from the Office of Naval Research (2004), and the 2005 Presidential Early Career Award for Scientists and Engineers, for his research contributions in the areas of wired and wireless multiuser security.

3.
In a mobile wireless ad hoc network, mobile nodes cooperate to form a network without using any infrastructure such as access points or base stations. Instead, the mobile nodes forward packets for each other, allowing communication among nodes outside wireless transmission range. As the use of wireless networks increases, security in this domain becomes a very real concern. One fundamental aspect of providing confidentiality and authentication is key distribution. While public-key encryption has provided these properties historically, ad hoc networks are resource constrained and benefit from symmetric key encryption. In this paper, we propose a new key management mechanism to support secure group multicast communications in ad hoc networks. The scheme proposes a dynamic construction of hierarchical clusters based on a novel density function adapted to frequent topology changes. The presented mechanism ensures a fast and efficient key management with respect to the sequential 1 to n multicast service.

4.
5.
Multicasting is an efficient way to deliver data to a large group of users in applications such as Internet stock quotes, audio and music delivery, file and video distribution, etc. Many of these applications require the security feature of data confidentiality, which is not readily offered by the "open" nature of multicast. In order to offer such confidentiality, the encryption and decryption keys must be constantly changed upon a membership change. In this article, after discussing some performance criteria to offer secure multicast, we present a number of the proposed key management schemes for data confidentiality. We categorize these schemes into four groups: key tree-based approaches, contributory key agreement schemes supported by the Diffie-Hellman algorithm, computational number theoretic approaches, and secure multicast framework approaches. Through examples, we describe the operation of the schemes and compare their performances.

6.
张苏颖 《信息技术》2009,33(9):126-128,131
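At present, there is no comprehensive trust-mechanism solution that meets the security and trust requirements of grids. In a grid, group communication is an important way to share information resources on a large scale, but ensuring the security of multicast is a very complex problem. Group key management is one of the important means of securing multicast, so research on grid-based group key management is urgently needed.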

7.
The key management has a fundamental role in securing group communications taking place over vast and unprotected networks. It is concerned with the distribution and update of the keying materials whenever any changes occur in the group membership. Wireless mobile environments enable members to move freely within the networks, which causes more difficulty to design efficient and scalable key management protocols. This is partly because both member location dynamic and group membership dynamic must be managed concurrently, which may lead to significant rekeying overhead. This paper presents a hierarchical group key management scheme taking the mobility of members into consideration intended for wireless mobile environments. The proposed scheme supports the mobility of members across wireless mobile environments while remaining in the group session with minimum rekeying transmission overhead. Furthermore, the proposed scheme alleviates 1-affect-n phenomenon, single point of failure, and signaling load caused by moving members at the core network. Simulation results show that the scheme surpasses other existing efforts in terms of communication overhead and affected members. The security requirements studies also show the backward and forward secrecy is preserved in the proposed scheme even though the members move between areas.

8.
In this paper we propose a secure and efficient multicast protocol where the key management is distributed to local groups. The proposed protocol takes advantage of MBone topology to maintain scalability and efficiency at the same time. Copyright © 2001 John Wiley & Sons, Ltd.

9.
Secure multicasting allows the sender to deliver an identical secret to an arbitrary set of recipients through an insecure broadcasting channel, whereas the unintended recipients cannot obtain the secret. A practical approach for securing multicast communications is to apply a session key to encrypt the transmitted data. However, the challenges of secure multicast are to manage the session keys possessed by a dynamic group of recipients and to reduce the overhead of computation and transmission when the membership is changed. In this paper, we propose a new key management scheme for dynamic multicast communication, which is based on privacy homomorphism and Chinese remainder theorem. Our scheme can efficiently and securely deliver an identical message to multiple recipients. In particular, the complexity of the key update process in our scheme is O(1). Copyright © 2008 John Wiley & Sons, Ltd.

10.
Digital fingerprinting is an emerging technology to protect multimedia content from illegal redistribution, where each distributed copy is labeled with unique identification information. In video streaming, a huge amount of data has to be transmitted to a large number of users under stringent latency constraints, so the bandwidth-efficient distribution of uniquely fingerprinted copies is crucial. This paper investigates the secure multicast of anticollusion fingerprinted video in streaming applications and analyzes their performance. We first propose a general fingerprint multicast scheme that can be used with most spread spectrum embedding-based multimedia fingerprinting systems. To further improve the bandwidth efficiency, we explore the special structure of the fingerprint design and propose a joint fingerprint design and distribution scheme. From our simulations, the two proposed schemes can reduce the bandwidth requirement by 48% to 87%, depending on the number of users, the characteristics of video sequences, and the network and computation constraints. We also show that under the constraint that all colluders have the same probability of detection, the embedded fingerprints in the two schemes have approximately the same collusion resistance. Finally, we propose a fingerprint drift compensation scheme to improve the quality of the reconstructed sequences at the decoder's side without introducing extra communication overhead.

11.
Numerous emerging applications, such as teleconferencing, board meetings, pay-per-view and scientific discussions, rely on a secure group communication model. Scalable group rekeying is an important issue in the secure group communication model as the nature of the group is dynamic. The number of encryptions performed and rekey messages constructed should be minimized to carry out updating of the group key, and secure delivery of the group key should be carried out in an efficient manner. In this paper, we propose a new scheme to manage the secure group using the binomial key tree approach. In this scheme, the number of encryptions performed and rekey messages constructed during membership change are fewer compared to the scheme proposed by Wong and others. Further, it is not required to balance the tree after each membership change. We show that, for a large group, the average encryption cost and rekey message cost are independent of the size of the group for join operation and logarithmic in size of the group for leave operation. Hence our scheme is scalable. Copyright © 2010 John Wiley & Sons, Ltd.

12.
Secure multicast applications require key management that provides access control. In wireless networks, where the error rate is high and the bandwidth is limited, the design of key management schemes should place emphasis on reducing the communication burden associated with key updating. A communication-efficient class of key management schemes is those that employ a tree hierarchy. However, these tree-based key management schemes do not exploit issues related to the delivery of keying information that provide opportunities to further reduce the communication burden of rekeying. In this paper, we propose a method for designing multicast key management trees that match the network topology. The proposed key management scheme localizes the transmission of keying information and significantly reduces the communication burden of rekeying. Further, in mobile wireless applications, the issue of user handoff between base stations may cause user relocation on the key management tree. We address the problem of user handoff by proposing an efficient handoff scheme for our topology-matching key management trees. The proposed scheme also addresses the heterogeneity of the network. For multicast applications containing several thousands of users, simulations indicate a 55%-80% reduction in the communication cost compared to key trees that are independent of the network topology. Analysis and simulations also show that the communication cost of the proposed topology-matching key management tree scales better than topology-independent trees as the size of multicast group grows.

13.
曹佳  黎明 《信息技术》2003,27(12):82-85
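IP multicast is built on a non-closed transmission system. To achieve secure multicast, encrypting information with keys is not enough; support from the underlying communication subnet is also needed before secure, closed multicast communication can be fully realized. The paper discusses some popular key management frameworks, rekeying schemes and user management mechanisms. These schemes can prevent information leakage, DoS attacks, group attacks and message forgery, thereby achieving secure multicast communication.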

14.
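To address the security threats in the multicast signaling process of automatically switched optical networks, an efficient secure multicast signaling protocol based on GMPLS RSVP-TE is proposed. The protocol adopts the P2MP (point-to-multipoint) signaling model and protects the immutable objects and important mutable objects in signaling messages through security mechanisms such as digital signatures and message feedback. Considering the dynamic nature of multicast membership, an efficient group key management strategy is used to guarantee forward and backward secrecy of group communication. Simulation experiments and analysis show that the protocol, while ensuring the secure establishment of the multicast tree, achieves good connection blocking performance and low rekeying delay.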

15.
While TV broadcasting is probably the best known application of satellite technology, satellite service providers are now expanding their services to include Internet data transmission. Consequently, security of satellite data is becoming an important issue. This article examines the current DVB-RCS security standard and identifies the principal gaps in the provision of secure multicast over DVB-RCS. The main contribution of this article is a proposal for adapting the current DVB-RCS two-way satellite standard to provide secure multicast services over satellites.

16.
In a wide variety of broadband applications, there is a need to distribute information to a potentially large number of receiver sites that are widely dispersed from each other. Communication satellites are a natural technology option and are extremely well suited for carrying such services because of the inherent broadcast capability of the satellite channel. Despite the potential of satellite multicast, there exists little support for multicast services over satellite networks. Although several multicast protocols have been proposed for use over the Internet, they are not optimized for satellite networks. One of the key multicast components that is affected when satellite networks are involved in the communication is the transport layer. In this paper, we attempt to provide an overview of the design space and the ways in which the network deployment and application requirements affect the solution space for transport layer schemes in a satellite environment. We also highlight some of the issues that are critical in the development of next generation satellite multicast services. Copyright © 2004 John Wiley & Sons, Ltd.

17.
Recently, Liu et al. came up with an authentication with key agreement scheme for securing communication over the low‐earth‐orbit satellite communication systems. However, this paper demonstrates that this scheme cannot provide perfect forward secrecy or defend against the smart card stolen attack, and has some very bad design defects, making it unpractical. Thus, to design a truly secure authentication scheme for satellite communication systems, this paper presents a new scheme, making use of the advantages of elliptic curve cryptography and symmetric cryptography. The security analyses by the widely used BAN logic and heuristic discussions demonstrate that our new scheme possesses perfect security properties and can defend against various well‐known malicious attacks. Moreover, our new scheme allows users to update passwords locally in accordance with their wishes, achieving a good user experience.

18.
A new collusion attack on Pour-like schemes is proposed in this paper. Then, we present a collusion-free centralized multicast key management scheme based on characteristic values of members. The re-keying method that other group members calculate new keys when a member is joining or leaving is also designed. It achieves forward secrecy and backward secrecy. Compared with typical existing centralized schemes, the storage of Group Key Controller (GKC) in our scheme halves the storage overhead of others, and communication overhead of GKC is 2 in case of joining re-keying. Especially, the leaving re-keying overhead is log₂ n, and the overall performance is excellent.

19.
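An efficient and secure EBS-based group key management scheme for wireless sensor networks   Total citations: 2, self-citations: 0, citations by others: 2
To ensure the security of group communication in wireless sensor networks (WSN), an EBS-based group key management scheme is designed. The proposed scheme first simplifies the WSN topology by merging chain clusters and star clusters, then prevents an attacker from obtaining all administrative keys through a small number of colluding nodes by increasing the number of compromised nodes needed to capture the network. It then uses a graph coloring algorithm to order the nodes to which key combinations are assigned, and assigns administrative keys to the sensor nodes according to Hamming distance and the EBS method. On this basis, methods for handling sensor node join and leave events are given. In the validity and performance analysis, two experiments first analyze the likelihood of collusion attacks under the proposed scheme and the effect of the number of compromised nodes on the network's resistance to collusion attacks; the results show that the proposed scheme strengthens the WSN's ability to resist collusion attacks. The proposed scheme is then compared with SHELL in terms of system cost for join and leave events; the results show that the proposed scheme requires fewer rekeying messages and less sensor node storage than SHELL.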

20.
Distributed servers approach for large-scale secure multicast   Total citations: 1, self-citations: 0, citations by others: 1
In order to offer backward and forward secrecy for multicast applications (i.e., a new member cannot decrypt the multicast data sent before its joining and a former member cannot decrypt the data sent after its leaving), the data encryption key has to be changed whenever a user joins or leaves the system. Such a change has to be made known to all the current users. The bandwidth used for such re-key messaging can be high when the user pool is large. We propose a distributed servers approach to minimize the overall system bandwidth (and complexity) by splitting the user pool into multiple groups each served by a (logical) server. After presenting an analytic model for the system based on a hierarchical key tree, we show that there is an optimal number of servers to achieve minimum system bandwidth. As the underlying user traffic fluctuates, we propose a simple dynamic scheme with low overhead where a physical server adaptively splits and merges its traffic into multiple groups each served by a logical server so as to minimize its total bandwidth. Our results show that a distributed servers approach is able to substantially reduce the total bandwidth required as compared with the traditional single-server approach, especially for those applications with a large user pool, short holding time, and relatively low bandwidth of a data stream, as in the Internet stock quote applications.
