Research and Implement on Secure Multicast Communication Technology

【Author】 Li Yang

【Supervisor】 Yang Yixian

【Author information】 Beijing University of Posts and Telecommunications, Signal and Information Processing, 2009, PhD

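【Summary】 With the rapid development of communication technology and the informatization of society, and especially the rapid spread of the Internet, demand for group communication keeps growing. These applications require interaction among multiple computers, and multicast is a new, efficient network transport scheme proposed for exactly this problem; it can greatly reduce communication delay and save network bandwidth. However, some problems in multicast limit its application, and security is one of the most important of these factors. The research in this thesis is carried out against that background. In general, the security requirements of secure multicast communication comprise two points: key management in multicast communication, and source authentication of multicast data. In addition, how to build a secure multicast architecture that is easy to use and suitable for all kinds of environments is a problem still awaiting a solution. This thesis studies all of these aspects in depth and proposes some new improved algorithms and ideas. Its main innovations are summarized as follows:

1. An improved multicast rekeying algorithm based on PRF and XOR operations is proposed. By design, all updated keys are generated by PRF computation and the keys remain related to one another to a certain degree; the multicast rekeying messages are generated by PRF and XOR together, replacing conventional encryption and decryption. Besides guaranteeing security, this clearly reduces communication, computation and storage overhead. Simulation results from a prototype verification system under Linux show that the improved algorithm raises the performance of secure multicast key management to some extent.

2. A rekeying scheme in which multiple multicast sessions within one multicast group share a key tree is proposed, making the rekeying overhead independent of the number of multicast sessions. Built on the typical centralized multicast key management scheme, it effectively solves the low rekeying efficiency of multicast groups that carry multiple multicast sessions. In this scheme the private keys of the group members are the leaf nodes of the shared key tree, and the group keys of the multicast sessions are its extended root nodes. The rekeying algorithm used generates the updated keys and the rekeying data with PRF and XOR operations. Simulation results from a prototype system under Linux show that, compared with the traditional scheme, this scheme clearly improves rekeying performance where one multicast group carries multiple multicast sessions.

3. A multicast source authentication scheme that combines an authentication tree with TESLA is given. It combines the respective advantages of the authentication tree and the TESLA algorithm: the authentication tree algorithm is used to construct datagram groups, and TESLA's property of a key disclosure delay interval is used to guarantee the authenticity of the digest value of each datagram group. After analysis of its security and performance and comparison with typical algorithms, the scheme is shown not only to keep computation, communication and storage overhead small, but also to achieve zero-delay real-time source authentication, to adapt to all kinds of network environments, and to cope well with burst packet loss. Theoretical derivation shows that even in scenarios with a high packet loss probability almost all packets can be source-authenticated, which clearly improves the reliability of source authentication in multicast communication.

4. A secure multicast scheme based on TLS (DTLS) is given. Building on the existing TLS (DTLS) protocol and facilities, the scheme adds group key management and multicast communication security modules as extensions, conveniently and quickly providing an integrated multicast security mechanism that protects the confidentiality and integrity of multicast data and supports security mechanisms such as anti-replay, group authentication and source authentication. The scheme can also offer group key management and data security services to applications in the form of an API. All of its functions execute within the application's process space; it supports both centralized and distributed modes and has no dependence on multicast.

5. A scheme that uses a tree structure for multicast key management and distribution is proposed. The PTK negotiated through the 4-way handshake serves as the key of the leaf nodes of the tree, the GTK generated by the user who distributes the multicast key serves as the key of the root node, and the ATK serves as the key of the remaining nodes. The ATK is introduced to change the relationship between the key-distributing user and the users participating in the multicast from a star structure to a tree structure, and it is the ATK that makes multicast rekeying secure and efficient. Building further on the tree structure, a one-way function is used to optimize the rekeying algorithm: hash computation replaces encryption and decryption during rekeying, which again lowers the overhead the key-distributing user incurs in managing the multicast group.

Application demand for multicast communication grows day by day, and research on its security problems will deepen and develop considerably as its fields of application widen.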

【Abstract】 With the rapid development of communication technology and the informatization of society, and especially the rapid spread of the Internet, demand for group communication keeps growing. These applications need information to be exchanged among multiple computers, and multicast is a new, highly efficient network transport solution aimed at this need. Multicast can greatly reduce communication delay and save network bandwidth. However, some problems with multicast restrict its application, and security is one of the most important of these factors; the research in this thesis is carried out against that background. The main security requirements of multicast usually comprise two points: key management and source authentication for multicast communication. In addition, how to construct a secure multicast architecture that is easy to use and suitable for various environments is a question still awaiting a solution. This thesis studies these areas in depth and puts forward some improved algorithms and ideas.

The main innovations of the thesis are as follows:

1. An optimized rekeying algorithm for secure multicast based on PRF and XOR operations is presented. By design, all updated keys are generated by PRF operations and remain related to one another, and the multicast rekeying messages are generated by PRF and XOR operations together instead of conventional encryption and decryption. Besides ensuring security, this clearly decreases the communication, computation and storage costs. Simulation results from a prototype under Linux verify that the optimized algorithm improves key management performance in secure multicast to some extent.

2. A rekeying solution using a key tree shared among the multicast sessions of one multicast group is presented. It makes the rekeying cost independent of the number of multicast sessions and solves the problem that a group with multiple sessions rekeys inefficiently. In this solution, the leaves of the shared key tree hold the private keys of the group members and the extended root nodes hold the group keys of the multicast sessions. The key update algorithm used in this solution generates the updated keys and the rekeying data by PRF and XOR operations together. Simulation results from a prototype system under Linux show that, compared with the conventional solution, this solution clearly improves rekeying performance to some extent when one group carries multiple sessions.

3. A multicast source authentication method that combines an authentication tree with TESLA is presented. It adopts the advantages of both: the authentication tree is used to construct datagram groups, and TESLA's key disclosure delay is used to ensure the authenticity of the MAC value of each datagram group. Analysis of security and performance and comparison with typical algorithms show that computation, communication and storage costs are all low, and that burst datagram loss is well resisted in various communication environments. Theoretical derivation shows that even in scenarios with a high datagram loss probability, almost all datagrams can be source-authenticated. The method clearly enhances the reliability of source authentication in multicast communication.

4. A secure multicast scheme based on TLS (DTLS) is presented. Group key management and multicast transport security modules are added as extensions to the existing TLS (DTLS) protocol and facilities. With this integrated secure multicast mechanism, confidentiality, integrity, anti-replay, group authentication, source authentication and so on can be conveniently provided for datagrams. In addition, the scheme provides an API that application-layer programs can call to obtain group key management and data security services. All functions of the scheme run in the process space of the application-layer program, and the scheme supports centralized and distributed modes without depending on IP multicast.

5. A group key management and distribution scheme based on a tree structure is presented. The PTK values of the leaf nodes of the tree are generated through UWB 4-way handshake negotiation, the GTK value of the root node is generated by the user who established the multicast group, and the ATK values of the remaining nodes are introduced to change the relationship between the user who established the multicast group and the users who joined it from a star structure to a tree structure, so that security and efficiency are ensured in the group key update process. Furthermore, the rekeying algorithm is optimized with a one-way function on the tree structure, replacing encryption and decryption with hash computation and once more decreasing the group key management cost for the user who established the multicast group.

Application demand for multicast communication is increasing day by day, and research on its security issues will deepen and make considerable progress as its fields of application widen.