The Study Of MIKE And Its Application In VPN

Posted on: 2005-06-11
Degree: Master
Type: Thesis
Country: China
Candidate: F Li
GTID: 2168360152969148
Subject: Computer system architecture

Abstract/Summary:
A key component of the IP Security architecture is the Internet Key Exchange Daemon. IKE is invoked to establish keys and security-related parameters between hosts in order to protect the application data exchanged between them. The IKE concept cannot be used to secure group communication based on IP multicast services, since it addresses only pairwise security. For negotiation and controlled distribution of group security data and for membership management, the Multicast Internet Key Exchange (MIKE) is introduced.

One of the main challenges of securing multicast communication is source authentication, that is, enabling receivers of multicast data to verify that the received data originated with the claimed source and was not modified en route. A very efficient scheme, TESLA, which is based on initial loose time synchronization between the sender and the receivers, followed by delayed release of keys by the sender, is introduced. This paper proposes several substantial modifications and improvements to TESLA. One modification allows receivers to authenticate most packets as soon as they arrive (whereas TESLA requires buffering packets at the receiver side and provides delayed authentication only). Other modifications improve the scalability of the scheme, reduce the space overhead for multiple instances, increase its resistance to denial-of-service attacks, and more.

The main contribution of the thesis is to describe a protocol suite and an API geared for securing collaborative applications. The API is based on the extensions of Diffie-Hellman key agreement developed in the CLIQUES project. Its core services provide authenticated group key agreement in relatively small dynamic peer groups.

Through analysis of MIKE, model design and prototype implementation, it is concluded that MIKE is not only correct in theory but also feasible in practice. If combined with VPN, MIKE will be applied widely.
Keywords/Search Tags: Multicast, IKE, Source Authentication, VPN