组播通信的访问控制和密钥管理

IP组播是一种高效的多目标传输机制.随着网络的发展,组播在网络的应用占据着越来越重要的地位,其应用不断扩展,技术日益成熟.目前,组播作为一个崭新的学术研究领域,在组播路由算法、流量控制、可靠传输等方面的研究已有很多成果,而对于组播安全问题的研究特别是组播通信密钥的研究还很不成熟.本文通过研究绀播通信安全进行深入的研究,对比各种密钥管理方法,研究了可扩展的密钥管理方法.该密钥管理体系采用分层管理结构,采用子管理中心对各个子域进行管理,不仅可以高效地处理组播组成员动态加入和退出,同时,大大减少了密钥管理中心的负担.使该方法可以应用于大型、动态的组播系统.此外,该方法根据现有的网络和组播系统的要求,提出了控制中心由计算机组进行统一调度管理,避免了单点故障的问题,增加了系统的鲁棒性.     

Reliable Key Management and Data Delivery Method in Multicast Over Wireless IPv6 Networks

Multicast is an efficient way to reduce the required bandwidth of transmitting data simultaneously to a group of users in wireless IPv6 networks. Nevertheless, multicast suffers from two main drawbacks which can be looked from two perspectives, namely security and QoS. With regard to security, the main challenge is to provide security protection to multicast data, which can be achieved by using a secure key management process. Considering a highly dense environment where connection of users to the network is changing frequently due to join or leave operations, key updating approach may burden a network devices with a huge amount of complex encryption/decryption processes. From the QoS perspective, multicast transmission over WLAN offers a tradeoff between the transmission rate and the coverage. The transmission rate of multicast is confined by the user with the lowest data rate in the group which is called fixed base rate problem. To address the above mentioned problems, we propose and implement a lightweight key management and data delivery scheme for multicast over wireless IPv6 networks. The proposed solution is envisaged to reduce the complexity of key updating, while at the same time is able to address the fixed base rate problem. The performance evaluation (by means of analytical and test-bed implementation) of the proposed key management method indicates its efficiency in reducing communication, computation, and storage costs, while maintaining both forward and backward securities. Moreover, the proposed data delivery method is able to improve the throughput and QoS, with low packet loss and transmission delay.     

IP组播密钥管理技术研究

为了在IP组播中实现用户身份认证等安全管理,避免IP组播中的不安全因素,提出了一种运用门限技术和椭圆曲线密钥体制相结合的方案,构建一个IP组播服务系统并在其上分层实现了组播密钥的分发与恢复。最后通过实验测试给出了此方案的管理代价,证明了此方案可以很好地实现IP组播应用中的密钥管理,有效地解决了用户身份认证和授权管理问题,实现了安全IP组播。     

安全高效的空间信息网中密钥管理方案

空间信息网是卫星通信系统的进一步发展,安全高效的密钥管理是保障空间信息网内安全通信的关键。分析了空间信息网中密钥管理方案的安全需求,提出了按需建立密钥的思想,并依据该思想提出一个适用于空间信息网的安全高效的密钥管理方案。方案采用完全分布式的管理模式,每个结点管理并维护自己的密钥列表,方案具有认证安全性、前向保密性等安全性特征。仿真结果表明,与现有的空间信息网密钥管理方案相比,该方案在网络规模较大时能极大地降低通信开销,具有良好的通信效率。     

一种卫星网络中基于Agent的可靠组播传输协议

IP 组播技术是一种可以把单个数据信息同时分发到不同的用户去的网络技术。卫星网络固有的广播信道特性使得它很适合组播应用。然而目前针对卫星网络的可靠组播服务研究很少,虽然已经有一些关于地面Internet组播协议建议,但他们并不适合于卫星网络。在卫星网络组播传输中的一个关键技术是传输协议设计。该文提出一种基于Agent的宽带卫星网络可靠组播传输协议(ASMTP)。该协议利用接收端Agent来实现卫星组播,采用分组级FEC和本地差错恢复纠正传播中的非相关错误和相关错误。在ASMTP中,还实现了流量控制和拥塞控制机制。仿真结果表明,在卫星网络环境中,ASMTP性能优于MFTP(Multicast File Transport Protocol),同时具有较好的网络可扩展性。     

门限技术在组播密钥管理中的应用

目前组播协议以其节省带宽等优点被广泛认可,但在安全性和可靠性方面存在着一些问题。针对组播应用中所涉及到的密钥管理问题,提出一种运用动态门限技术和组播安全代理结合的方案,通过构建一个IP组播安全管理系统来实现组播密钥的分发和恢复,进而讨论了由成员加入和退出引起的密钥更新问题,最后针对该系统给出实验测试并讨论了采用此方案引起的更新代价,说明采用该方案可以较好地解决组播应用中的授权管理问题,实现安全组播。     

一种基于混合策略的动态组播密钥管理方案

组播密钥管理是当前组播安全研究的热点问题。在分析现有方案的基础上，考虑一种混合策略：将基于组的层次结构机制Iolus与基于密钥层次结构机制LKH的优点结合起来，提出了一种适合大型动态组播的可扩展的分层分组方式的密钥管理方案。该方案有效地降低了密钥更新的代价，具有较高的效率与较好的可扩展性．适合于解决大型动态组播的密钥管理问题。     

无线传感器网络中自治愈的群组密钥管理方案

 群组密钥管理的自治愈机制是保证无线传感器网络在不可靠信道上进行安全群组通信的重要 手段.基于采用双方向密钥链的群组密钥分发与撤销方法,提出了一个无线传感器网络中具有撤销能力的自治愈群组密钥管理方案.该方案实现了群组密钥的自治愈功能和节点撤销能力, 能够满足在较高丢包率的无线通信环境下传感器网络群组密钥管理的安全需求,确保了群组密钥保密性、前向保密性和后向保密性等安全属性.性能分析表明,该方案具有较小的计算和通信开销,能够适用于无线传感器网络.     

A scalable multicast key management scheme for heterogeneous wireless networks

Secure multicast applications require key management that provides access control. In wireless networks, where the error rate is high and the bandwidth is limited, the design of key management schemes should place emphasis on reducing the communication burden associated with key updating. A communication-efficient class of key management schemes is those that employ a tree hierarchy. However, these tree-based key management schemes do not exploit issues related to the delivery of keying information that provide opportunities to further reduce the communication burden of rekeying. In this paper, we propose a method for designing multicast key management trees that match the network topology. The proposed key management scheme localizes the transmission of keying information and significantly reduces the communication burden of rekeying. Further, in mobile wireless applications, the issue of user handoff between base stations may cause user relocation on the key management tree. We address the problem of user handoff by proposing an efficient handoff scheme for our topology-matching key management trees. The proposed scheme also addresses the heterogeneity of the network. For multicast applications containing several thousands of users, simulations indicate a 55%-80% reduction in the communication cost compared to key trees that are independent of the network topology. Analysis and simulations also show that the communication cost of the proposed topology-matching key management tree scales better than topology-independent trees as the size of multicast group grows.     

一种新的基于身份的安全组播密钥协商方案

密钥管理是安全组播的难点。该文提出了一个新的基于身份的密钥协商方案,并具体地分析了子组之间的通信过程,以及组成员动态变化时密钥的更新过程。结果表明该方案满足密钥协商安全性要求,且在降低计算和通信代价方面取得了较好的效果。     

基于LKH的组播密钥分发改进方案

文章在分析LKH算法的基础上,结合在小规模组播时PE算法性能较好的优势,设计了一种改进的组播密钥管理方案PE-RLKH方案,并给出相应的更新算法。通过对本方案和LKE方案的通信开销、密钥存储开销和计算开销的比较表明,该方案具有计算开销小,在保持一定的通信开销下能降低组密钥存储开销,具有较好的通信效率,可适用于较大规模的组播。     

Dynamics of key management in secure satellite multicast

Security is an important concern in today's information age and particularly so in satellite systems, where eavesdropping can be easily performed. This paper addresses efficient key management for encrypted multicast traffic transmitted via satellite. We consider the topic of encrypting traffic in large multicast groups, where the group size and dynamics have a significant impact on the network load. We consider life cycle key management costs of a multicast connection, and show for a logical key hierarchy (LKH) how member preregistration and periodic admission reduces the initialization cost, and how the optimum outdegree of a hierarchical tree varies with the expected member volatility and rekey factor. This improves network utilization, but encryption at the network layer can pose problems on satellite links. We, therefore, propose and analyze an interworking solution between multilayer Internet protocol security (IPSEC) and LKH that also reduces key management traffic while enabling interworking with performance enhancing modules used on satellite links.     

适合ad hoc网络无需安全信道的密钥管理方案

密钥管理问题是构建ad hoc安全网络系统首要解决的关键问题之一.针对ad hoc网络特点,提出了一个无需安全信道的门限密钥管理方案.该方案中,可信中心的功能由局部注册中心和分布式密钥生成中心共同实现,避免了单点失效问题;通过门限技术,网络内部成员相互协作分布式地生成系统密钥;利用基于双线性对的公钥体制实现了用户和分布式密钥生成中心的双向认证;通过对用户私钥信息进行盲签名防止攻击者获取私钥信息,从而可以在公开信道上安全传输.分析表明该方案达到了第Ⅲ级信任,具有良好的容错性,并能抵御网络中的主动和被动攻击,在满足ad hoc网络安全需求的情况下,极大地降低了计算和存储开销.     

WSN中同构模型下动态组密钥管理方案

研究了同构网络模型的组密钥管理问题,首次给出了一个明确的、更完整的动态组密钥管理模型,并提出了一种基于多个对称多项式的动态组密钥管理方案。该方案能够为任意多于2个且不大于节点总数的节点组成的动态多播组提供密钥管理功能,解决了多播组建立、节点加入、退出等所引发的与组密钥相关的问题。该方案支持节点移动,具有可扩展性,并很好地解决了密钥更新过程中多播通信的不可靠性。组成员节点通过计算获得组密钥,只需要少量的无线通信开销,大大降低了协商组密钥的代价。分析比较认为,方案在存储、计算和通信开销方面具有很好的性能,更适用于资源受限的无线传感器网络。     

Transport protocols in multicast via satellite

In a wide variety of broadband applications, there is a need to distribute information to a potentially large number of receiver sites that are widely dispersed from each other. Communication satellites are a natural technology option and are extremely well suited for carrying such services because of the inherent broadcast capability of the satellite channel. Despite the potential of satellite multicast, there exists little support for multicast services over satellite networks. Although several multicast protocols have been proposed for use over the Internet, they are not optimized for satellite networks. One of the key multicast components that is affected when satellite networks are involved in the communication is the transport layer. In this paper, we attempt to provide an overview of the design space and the ways in which the network deployment and application requirements affect the solution space for transport layer schemes in a satellite environment. We also highlight some of the issues that are critical in the development of next generation satellite multicast services. Copyright © 2004 John Wiley & Sons, Ltd.     

基于分级密钥管理的安全组播方案

该文提出了一个新的适用于大型动态组播群组的密钥管理方案,在分级结构中采用Hash链作 为数据传递密钥来实现层与层之间的数据传递,在子组内利用数字信封来实现密钥管理。此方案具有良好的计算、存储性能及动态安全性,为进一步研究提供了一个有价值的参考。     

一种改进的TLCH组播密钥管理方案

TLCH协议是一个适用于安全组播通信且可扩展性较好的组播密钥管理协议。它基于LKH的思想,采用双层的控制者的层次结构,并使用单向函数进行密钥更新,达到了较低的计算开销。使用hash函数对TLCH组播密钥管理方案中成员加入时的密钥更新算法进行改进。与原来的TLCH相比,改进后的TLCH可以进一步降低了通信开销。     

基于LKH混合树模型的新型组播密钥更新方案

安全组播是组播技术走向实用化必须解决的问题。在组成员动态变化时,设计一个高效的密钥管理方案是安全组播研究的主要问题。提出了一种基于新型混合树模型的组播密钥更新方案。该方案将GC的存储开销减小为4,同时,在成员加入或离开组时,由密钥更新引起的通信开销与nm保持对数关系(n为组成员数,m为每一族包含的成员数)。     

Hexagonal Clustered Trust Based Distributed Group Key Agreement Scheme in Mobile Ad Hoc Networks

Secure and efficient group communication among mobile nodes is one of the significant aspects in mobile ad hoc networks (MANETs). The group key management (GKM) is a well established cryptographic technique to authorise and to maintain group key in a multicast communication, through secured channels. In a secure group communication, a one-time session key is required to be shared between the participants by using distributed group key agreement (GKA) schemes. Due to the resource constraints of ad hoc networks, the security protocols should be communication efficient with less overhead as possible. The GKM solutions from various researches lacks in considering the mobility features of ad hoc networks. In this paper, we propose a hexagonal clustered one round distributed group key agreement scheme with trust (HT-DGKA) in a public key infrastructure based MANET environment. The proposed HT-DGKA scheme guarantees an access control with key authentication and secrecy. The performance of HT-DGKA is evaluated by simulation analysis in terms of key agreement time and overhead for different number of nodes. Simulation results reveal that the proposed scheme guarantees better performance to secure mobile ad hoc network. It is demonstrated that the proposed scheme possesses a maximum of 2250 ms of key agreement time for the higher node velocity of 25 m/s and lower key agreement overhead. Also, the HT-DGKA scheme outperforms the existing schemes in terms of successful message rate, packet delivery ratio, level of security, computation complexity, number of round, number of exponentiations and number of message sent and received that contribute to the network performance.

     

适于低轨卫星IP网络的核心群合并共享树组播算法

为了解决低轨卫星IP网络中现有典型源组播算法的信道资源浪费问题,该文提出了一种低树代价的组播算法,即核心群合并共享树(CCST)算法,包括动态近似中心(DAC)选核方法和核心群合并组播路径构建方法。DAC方法基于逻辑位置形成的虚拟静态、结构规则的网络拓扑选择核节点。在核心群合并方法中,以核节点作为初始核心群,通过核心群和剩余组成员的最短路径方法逐步扩展直至整棵组播树构建完成,从而使得组播树的树代价最小,大大提高了网络的传输带宽利用率和组播传输效率。最后,与低轨卫星IP网络中的其他几种典型算法进行了性能对比,仿真结果说明,CCST算法的树代价性能比其它算法有较大改善,而端到端传播时延略高。