基于智能卡的组播内容保护与支付系统

内容保护问题是实现数字内容网上交易的关键问题。传统的组播密钥管理都假设所有合法组用户可以知道组密钥,这种假设对于商业组播是不现实的。该文设计的组播内容保护和支付系统假设智能卡是安全的,所有攻击者包括持卡人都无法获知智能卡中的私钥和组密钥。系统使用最近提出基于身份加密方案,从而避免了公钥证书的使用。系统可以保证数字内容的安全传输,同时具有用户身份认证、内容认证和密钥管理方面的简单性,系统还支持用户的匿名消费。     

一种安全组播传输策略

IP组播建立在一个非封闭的传输系统上,为了实现安全组播,除了密钥加密信息,还需要下层的通讯子网提供支持,这样才能彻底实现安全封闭的组播通讯。其中讨论了一些流行的密钥管理框架,密钥更新方案以及用户管理机制。通过这些方案可以防止信息泄漏、Dos攻击、组攻击、伪造信息,从而实现了组播的安全通讯。     

门限技术在组播密钥管理中的应用

目前组播协议以其节省带宽等优点被广泛认可,但在安全性和可靠性方面存在着一些问题。针对组播应用中所涉及到的密钥管理问题,提出一种运用动态门限技术和组播安全代理结合的方案,通过构建一个IP组播安全管理系统来实现组播密钥的分发和恢复,进而讨论了由成员加入和退出引起的密钥更新问题,最后针对该系统给出实验测试并讨论了采用此方案引起的更新代价,说明采用该方案可以较好地解决组播应用中的授权管理问题,实现安全组播。     

主密钥在组播密钥管理中的应用

本文在改进的RSA体制基础上给出主密钥的生成算法,并在主密钥的基础上提出了主密钥管理方案,该方案将参与组播的成员分成若干子组,每个子组的密钥生成、分发和更新由一个主密钥控制器完成。当成员变化时,设计的密钥更新策略同时满足前向安全和后向安全,这就解决了组通信中的密钥管理问题,实现了安全的组播。同时该方案使得每个用户只需存储和管理一个密钥,就能与组内或组外的用户进行安全通信,降低了用户的负载。因此主密钥管理方案能适用于大规模的、在网络中广泛分布的和动态的组。     

异构无线网络中基于标识的匿名认证协议

针对异构无线网络中的认证协议的安全问题,提出一种基于CPK算法和改进的ECDH算法的双向认证和密钥协商协议,引入用户的临时认证身份和临时通信身份实现用户的身份匿名;提出采用临时通信身份有序对防止重认证过程中的重放攻击,并且在协议设计中规避了密钥泄漏带来的风险。分析表明该协议具有身份认证、会话密钥安全、匿名性等安全属性。     

基于身份的SIP认证与密钥协商机制研究

对SIP中的安全威胁和已有安全机制进行了分析,提出一种基于身份的SIP认证与密钥协商方案,通过3次交互实现双向认证,并在该过程中完成密钥协商.方案不需要公钥证书,以用户身份标识作为公钥,降低了计算复杂度和通信开销,保证了SIP消息传递过程中的完整性和真实性.     

基于动态身份远程用户认证方案的研究

针对基于动态身份远程用户认证,可有效防止用户关键信息泄露,保证已认证用户通过授权获取网络服务.针对Wen-Li提出的基于动态身份远程用户认证与密钥协商方案进行安全性分析,指出该方案存在安全缺陷,可能导致泄露用户部分关键信息,进而遭受网络攻击.在保留Wen-Li方案优点基础上提出一种改进的远程用户认证方案,重新设计了认证过程中的会话密钥和密钥确认消息,与Wen-Li方案相比,改进方案能够抵御中间人攻击以及盗窃智能卡攻击,并增强了方案的前向安全性.     

基于新一代国密算法的贵服通电子卡密钥管理方案

针对日益快速发展的移动互联网应用模式,本文提出基于国密对称与非对称算法相结合,支持线下与线上一体化应用的广电金卡电子卡密钥管理方案。方案采用对称算法实现用户身份的标记化和唯一标识,结合二维码技术实现用户标识的可视化与线下的扫码认证;采用非对称算法完成用户线上身份认证和关键交易数据的完整性、抗抵赖等安全保护;本文还给出了常用的安全流程和密码协议,提出了密钥系统管理的要求和实现方法。     

基于AKA的IMS接入认证机制

IP多媒体子系统(IMS)作为3G网络的核心控制平台,其安全问题正面临着严峻的挑战。IMS的接入认证机制的实现作为整个IMS安全方案实施的第一步,是保证IMS系统安全的关键。基于认证和密钥协商(AKA)的IMS接入认证机制是由因特网工程任务组(IETF)制定,并被3GPP采用,广泛应用于3G无线网络的鉴权机制。此机制基于"提问/回答"模式实现对用户的认证和会话密钥的分发,由携带AKA参数的SIP消息在用户设备(UE)和IMS网络认证实体之间进行交互,按照AKA机制进行传输和协商,从而实现用户和网络之间的双向认证,并协商出后续通信所需的安全性密钥对。     

基于身份认证的BACnet/IP分析与改进

为了解决BACnet/IP身份认证存在多种可攻击漏洞和密钥泄露带来的安全问题,提出了一种安全增强的BACnet/IP-SA协议认证方案。研究协议身份认证消息流模型,基于着色Petri网理论和CPNTools对身份认证消息流建模,采用Dolev-Yao攻击者模型和形式化分析方法对BACnet/IP进行安全性分析,发现协议漏洞并提出改进方案。BACnet/IP-SA协议使用设备的伪身份来保护真实身份信息,使用PUF响应进行认证,通过多信息集合的验证值来验证端身份的真实性并生成会话密钥。结合BAN逻辑和非形式化方法,对协议的安全性进行了证明。实验结果表明,所提方案能有效抵抗多类攻击和密钥泄露带来的安全威胁,在减少计算开销的同时增强了协议身份认证的安全性。     

组播通信的访问控制和密钥管理

IP组播是一种高效的多目标传输机制.随着网络的发展,组播在网络的应用占据着越来越重要的地位,其应用不断扩展,技术日益成熟.目前,组播作为一个崭新的学术研究领域,在组播路由算法、流量控制、可靠传输等方面的研究已有很多成果,而对于组播安全问题的研究特别是组播通信密钥的研究还很不成熟.本文通过研究绀播通信安全进行深入的研究,对比各种密钥管理方法,研究了可扩展的密钥管理方法.该密钥管理体系采用分层管理结构,采用子管理中心对各个子域进行管理,不仅可以高效地处理组播组成员动态加入和退出,同时,大大减少了密钥管理中心的负担.使该方法可以应用于大型、动态的组播系统.此外,该方法根据现有的网络和组播系统的要求,提出了控制中心由计算机组进行统一调度管理,避免了单点故障的问题,增加了系统的鲁棒性.     

基于LKH混合树的组播密钥更新方案

IP组播通信越来越得到广泛的应用，其密钥动态管理是一个值得关注的问题。本文主要对组播密钥更新方案进行分析，并对基于LKH密钥树的更新方案进行了改进。     

Protection of MPEG‐2 Multicast Streaming in an IP Set‐Top Box Environment

The widespread use of the Internet has led to the problem of intellectual property and copyright infringement. Digital rights management (DRM) technologies have been developed to protect digital content items. Digital content can be classified into static content (for example, text or media files) and dynamic content (for example, VOD or multicast streams). This paper deals with the protection of a multicast stream on set‐top boxes connected to an IP network. In this paper, we examine the following design and architectural issues to be considered when applying DRM functions to multicast streaming service environments: transparent streaming service and large‐scale user environments. To address the transparency issue, we introduce a ‘selective encryption scheme'. To address the second issue, a ‘key packet insertion scheme’ and ‘hierarchical key management scheme’ are introduced. Based on the above design and architecture, we developed a prototype of a multicasting DRM system. The analysis of our implementation shows that it supports transparent and scalable DRM multicasting service in a large‐scale user environment.     

Key Management in Secure Satellite Multicast Using Key Hypergraphs

Satellite networks play an important role in today’s information age because they can provide the global coverage services. Information security is an important concern in satellite multicast communications, where eavesdropping can be performed much easier than the fixed terrestrial networks. In this work, a novel multicast key management scheme based on key hypergraph for satellite networks on a predefined communication scenario is proposed. We use logical key hierarchy and distributed-logical key hierarchy as reference models for performance comparisons. It is shown that the proposed multicast key management scheme is scalable to large dynamic groups and minimizes satellite bandwidth usage.     

Multicast support for mobile hosts using Mobile IP: Design issues and proposed architecture

In this paper, we consider the problem of providing multicast to mobile hosts using Mobile IP for network routing support. Providing multicast in an internetwork with mobile hosts is made difficult because many multicast protocols are inefficient when faced with frequent membership or location changes. This basic difficulty can be handled in a number of ways, but three main problems emerge with most solutions. The tunnel convergence problem, the duplication problem, and the scoping problem are identified in this paper and a set of solutions are proposed. The paper describes an architecture to support IP multicast for mobile hosts using Mobile IP. The basic unicast routing capability of Mobile IP is used to serve as the foundation for the design of a multicast service facility for mobile hosts. We believe that our scheme is transparent to higher layers, simple, flexible, robust, scalable, and, to the extent possible, independent of the underlying multicast routing facility. For example, our scheme could interoperate with DVMRP, MOSPF, CBT, or PIM in the current Internet. Where differences exist between the current version of IP (IPv4) and the next generation protocol (IPv6), these differences and any further optimizations are discussed. This revised version was published online in June 2006 with corrections to the Cover Date.     

Internet上实现多方实时会谈的一种方案

文章说明ＩＰＭｕｌｔｉｃａｓｔ 机制是实现Ｉｎｔｅｒｎｅｔ 上多方会谈实时通信的一种好方法， 重点介绍Ｉｎｔｅｒｎｅｔ 上基于ＩＰＭｕｌｔｉｃａｓｔ 的多方交谈实时通信的方法、实现过程及关键问题的解决方案， 最后给出实验结果并作了简单的分析。     

Design and evaluation of multicast GFR for supporting TCP/IP over hybrid wired/wireless ATM

The major challenges of designing multicast traffic control protocols for a combined wired/wireless network are the varying transmission characteristics (bandwidth, error, and propagation delay) of the wireless and wired media, and the different, possibly conflicting frame rate requests from multiple sources. To address these issues, in this paper we design and evaluate new unicast and multicast guaranteed frame rate (GFR) schemes for supporting TCP/IP traffic over a combined wired/wireless ATM network. We first propose a new, flexible weighted buffer management, and a frame‐based virtual spacing (VS) mechanism implementing weighted fair queueing. The unicast GFR scheme is based on the integration of the new weighted buffer management, and either cell‐based or frame‐based VS. It is then extended to support multicast GFR flows. The multicast scheme presented in this paper is the first multicast GFR scheme appeared in the literature. These schemes are carefully evaluated over several network configuration, supporting heterogeneous TCP/IP traffic with various frame rates. Simulation results show that the new schemes guarantee the minimum rates requested, provide excellent fairness, and achieve reasonably high efficiency. The new schemes may be extended to provide differentiated service in both IP and mobile IP frame work. This revised version was published online in July 2006 with corrections to the Cover Date.     

A novel key management scheme for dynamic multicast communications

Secure multicasting allows the sender to deliver an identical secret to an arbitrary set of recipients through an insecure broadcasting channel, whereas the unintended recipients cannot obtain the secret. A practical approach for securing multicast communications is to apply a session key to encrypt the transmitted data. However, the challenges of secure multicast are to manage the session keys possessed by a dynamic group of recipients and to reduce the overhead of computation and transmission when the membership is changed. In this paper, we propose a new key management scheme for dynamic multicast communication, which is based on privacy homomorphism and Chinese remainder theorem. Our scheme can efficiently and securely deliver an identical message to multiple recipients. In particular, the complexity of the key update process in our scheme is O(1). Copyright © 2008 John Wiley & Sons, Ltd.