基于LKH树的安全多播密钥管理

简要介绍安全多播中的密钥管理问题,重点描述基于LKH树的安全多播密钥管理机制及其实现。     

一种适合大型动态多播的密钥管理方案

分析了已有基于两层结构的密钥管理方案的优缺点,在此基础上综合了上述方案和PE方案的特点,提出了一个新的密钥管理方案,并给出了相应的更新算法。通过对本方案和其他方案的密钥存储量、加密计算量、网络通信量等性能的分析结果表明,该方案在组控制器和子组控制器方面都具有良好的通信效率、较低的计算开销和可扩展性,适用于大型的动态多播环境。     

一种改进LKH的组播密钥管理方案

逻辑密钥树方案有效地减轻了组播通信中组成员及组控制器的负担,但组通信过程中的开销较大。提出了一种新的组播密钥管理方案,该方案根据组成员失效概率大小,将失效概率大的组成员置于右子树中右孩子节点处,而根节点和左孩子为相同组成员,从而构建逻辑密钥二叉树,这与现存LKH方案中密钥树的创建过程不同。通过对逻辑密钥二叉树的构造以及仿真实验的分析,均说明该方案在节点失效后的密钥更新量、节点的存储量比LKH方案要小,网络的抵抗性能好。     

安全组播密钥管理方案研究

随着组播应用的不断发展,其安全性尤其是组播密钥管理成为热点问题。本文对基于逻辑密钥树的集中控制方案进行了分析和改进。改进方案在不增加组播成员密钥的存储量的情况下,能够降低密钥更新所需要的网络流量和带宽占用,具有一定的可行性。     

多层卫星网络组密钥管理研究进展

为保证多层卫星网络的通信安全,使用组密钥对通信进行加密是一个普遍而有效的方法。设计适合卫星网络的组密钥管理方案,是确保卫星通信安全的关键问题之一。本文介绍了多层卫星网络的概况,对现有多层卫星网络组密钥管理方案进行了分类,详细分析了几类典型的组密钥管理方案,指出了存在的问题,并对以后的研究方向作了展望。     

高级加密标准AES及其实现技巧

介绍美国联邦信息处理标准(FIPS)草案——高级加密标准AES,用ANSIC高效实现了此算法,并给出了其执行性能。     

基于逻辑密钥树的密钥管理方案及实现

逻辑密钥树方案是一种集中式的组播密钥管理方案,有效地减轻了组管理器和组成员的负担,但是却没有优化组通信初始化的过程。提出了密钥树的初始化过程,利用DH算法,有效减少了初始化过程中的加密开销和发送的消息数量。还分析了逻辑密钥树方案的加入和离开操作,组控制器和组成员拥有的密钥数,需要单播和广播的消息数,以及在算法上实现了组管理器在成员加入和退出时所要进行的密钥树的更新过程。     

A comparative performance analysis of reliable group rekey transport protocols for secure multicast

In this paper, we present a new scalable and reliable key distribution protocol for group key management schemes that use logical key hierarchies (LKH) for scalable group rekeying. Our protocol called WKA-BKR is based upon two ideas—weighted key assignment and batched key retransmission—both of which exploit the special properties of LKH and the group rekey transport payload to reduce the bandwidth overhead of the reliable key delivery protocol. Using both analytic modeling and simulation, we compare the performance of WKA-BKR with that of other rekey transport protocols, including a recently proposed protocol based on proactive FEC. Our results show that for most network loss scenarios, the bandwidth used by WKA-BKR is lower than that of the other protocols.     

大规模移动自组网安全群组通信研究

移动自组网中的安全群组通信需要处理群组成员关系的动态性、成员位置的动态性、以及网络分区和合并等情况。如何高效地处理这些情况是移动自组网安全群组通信中要解决的重要问题。针对成员关系动态性、成员位置动态性和网络分区和合并带来的问题,提出研究与设计一种移动自组网中的“虚拟动态骨干网”模型。主要从组成员认证和组密钥管理两方面进行了研究,并基于虚拟动态骨干网提出了初步的解决方案。     

Ad Hoc网络密钥管理方案综述

密钥管理作为加密和认证的基础,在Ad Hoc网络安全中扮演着重要的角色。研究Ad Hoc网络的特点及面临的安全威胁,根据网络的通信方式,对Ad Hoc网络中的密钥管理方案进行分类,详细介绍具有代表性的方案的基本思想,并对其优缺点进行分析比较。最后对Ad Hoc网络密钥管理的难点和发展趋势进行了总结。     

组播密钥管理中一种新的密钥更新策略

为节约存储空间和整体处理时间,首先基于KOR提出一种新的密钥更新策略和协议（KOR^＋）,并与KOR作了比较。其次,在密钥树是满和平衡的条件下,对采用KOR^＋及UOR策略的密钥服务器分别建立平均加密代价公式。最后,用解析方法导出它们的最优密钥树度数。     

组播密钥管理中一种新的密钥更新策略*

为节约存储空间和整体处理时间,首先基于KOR提出一种新的密钥更新策略和协议(KOR+),并与KOR作了比较。其次,在密钥树是满和平衡的条件下,对采用KOR+及UOR策略的密钥服务器分别建立平均加密代价公式。最后,用解析方法导出它们的最优密钥树度数。     

A hybrid scheme for multicast authentication over lossy networks

For multicast communication, authentication is a challenging problem, since it requires that a large number of recipients must verify the data originator. Many of multicast applications are running over IP networks, in which several packet losses could occur. Therefore, multicast authentication protocols must resist packet loss. Other requirements of multicast authentication protocols are: to perform authentication in real-time and to have low communication and computation overheads. In the present paper, a hybrid scheme for authenticating real-time data applications, in which low delay at the sender is acceptable, is proposed. In order to provide authentication, the proposed scheme uses both public key signature and hash functions. It is based on the idea of dividing the stream into blocks of m packets. Then a chain of hashes is used to link each packet to the one preceding it. In order to resist packet loss, the hash of each packet is appended to another place in the stream. Finally, the first packet is signed. The proposed scheme resists packet loss and is joinable at any point. The proposed scheme is compared to other multicast authentication protocols. The comparison shows that the proposed scheme has the following advantages: first, it has low computation and communication overheads. Second, it has reasonable buffer requirements. Third, the proposed scheme has a low delay at the sender side and no delay at the receiver side, assuming no loss occurs. Finally, its latency equals to zero, assuming no loss occurs.     

移动因特网中安全组播通信的密钥管理研究

比较了各种确保安全组播通信的密钥管理算法和方案,针对移动环境下移动频繁、可靠性差的特点,讨论了在RingNet结构下移动因特网的组播密钥管理问题。     

Multimedia security in group communications: recent progress in key management,authentication, and watermarking

Multicast is an internetwork service that provides efficient delivery of data from a source to multiple receivers. It reduces the bandwidth requirements of the network and the computational overhead of the host devices. This makes multicast an ideal technology for communication among a large group of participants. Secure group communications involves many service types include teleconferencing, pay TV and real-time delivery of stock quotes. IP multicast is the traditional mechanism to support multicast communications. Multicast security includes group membership control, secure key distribution, secure data transfer and copyright protection. This paper is an overview of the schemes proposed for group key management, authentication and watermarking in wired networks with fixed members and wireless networks with mobile members.A preliminary version of this paper was presented at the IASTED International Conference on Communications and Computer Networks, Cambridge, MA 4-6 November 2002.     

一卡多用安全管理平台

"一卡多用"操作系统是智能卡发展的必然趋势,如何实现应用的动态下载、更新和删除便成为了一个关键问题。分析了卡操作系统层次结构和多应用系统体系结构,并建立了多应用管理平台,详细地设计了应用操作数据(AOD)和应用操作证书(AOC)的内容与实现机制,最后分析整个系统的安全性保证。通过此方案的实施,安全地实现了"一卡多用"系统中应用的动态下载、更新和删除。     

基于安全与纠错算法的增强型蓝牙基带研究与实现

基于蓝牙在安全、纠错和抗干扰方面的不足,分析和改进了蓝牙协议数据链路层的跳频和纠错算法.分析了基于高级加密标准(AES)迭代型分组密码算法构造的新型跳频序列的性能,仿真结果表明该序列具有良好的安全性、均匀性和相关性.针对蓝牙DM分组,采用了融合交织编码和前向纠错的增强型纠错机制,并基于Gillbert-Elliott信道模型进行了仿真.结果表明该增强型纠错机制大大提高了数据传输的抗干扰能力.提出了基于AES的跳频序列发生器和融合交织编码的增强型纠错机制的ASIC实现结构,并运用低功耗和资源优化技术,给出了VLSI实现结果.基于改进算法IP,实现了高安全、强纠错的增强型蓝牙基带,并结合标准蓝牙基带进行了性能分析.最后,采用基于平台的设计方法,搭建了蓝牙SoC系统平台,并进行了实测.     

Using AVL trees for fault-tolerant group key management

In this paper we describe an efficient algorithm for the management of group keys for group communication systems. Our algorithm is based on the notion of key graphs, previously used for managing keys in large Internet-protocol multicast groups. The standard protocol requires a centralized key server that has knowledge of the full key graph. Our protocol does not delegate this role to any one process. Rather, members enlist in a collaborative effort to create the group key graph. The key graph contains n keys, of which each member learns log₂n of them. We show how to balance the key graph, a result that is applicable to the centralized protocol. We also show how to optimize our distributed protocol, and provide a performance study of its capabilities. Published online: 26 October 2001     

基于代理重加密的消息队列遥测传输协议端到端安全解决方案

针对消息队列遥测传输(MQTT)协议缺乏保护物联网(IoT)设备间通信信息的内置安全机制,以及MQTT代理在新的零信任安全理念下的可信性受到质疑的问题,提出了一种基于代理重加密实现MQTT通信中发布者与订阅者间端到端数据安全传输的解决方案.首先,使用高级加密标准(AES)对传输数据进行对称加密,以确保数据在整个传输过程...     

独立群密钥更新模型研究

针对群组密钥更新中非更新成员参与共享密钥计算增加交互延时的问题,提出了一种独立密钥更新模型,通过门限密钥共享秘密乘积机制和双线性对设计一种独立群组密钥管理方案,群组成员具有满足密钥独立性的解密密钥。公开加密密钥更新不会破坏非更新成员解密密钥的有效性,使得非更新成员不参与密钥加入/退出操作,减少密钥更新延时和计算开销,符合独立密钥更新模型,适用于计算和延时受限的无线网络场景。