
Design And Implementation Of Security Mechanism For Layered Multicast

Posted on: 2010-02-04
Degree: Master
Type: Thesis
Country: China
Candidate: X J Li
GTID: 2178360308478716
Subject: Computer software and theory
Abstract/Summary:
IP multicast, especially layered multicast, is an important network technology that provides an efficient transmission mechanism for group applications. Multicast saves network bandwidth in one-to-many and many-to-many network communication. However, multicast has not been widely used so far, partly because it lacks the necessary security guarantees while keeping its characteristic simplicity and openness. In multicast, users can join the multicast group and send messages arbitrarily. Thus, it is necessary to design a security mechanism for multicast.

This thesis designs and implements a security mechanism for layered multicast that addresses its security problems. Aiming at data integrity, confidentiality, and authentication, the thesis approaches the design and implementation from three directions: access control, group key management, and multicast source authentication.

For access control, a multicast management server is deployed in the network, and both the sender and the receiver must be authenticated by it. A multicast packet filter is installed in the router to block illegal multicast packets. The MLD and PIM-SM protocols are extended to prevent illegal receivers and untrusted routers from joining the group.

For group key management, because receivers in layered multicast receive different data streams, a layered group key structure is designed. This structure guarantees that, while multicast packets are protected, users who are entitled only to lower-layer packets cannot obtain higher-layer packets. At the same time, a hierarchical structure is used to overcome the problems of multicast group size and cross-domain operation. Different domains have different group keys, and when group keys are updated, only those in the same domain are updated. Moreover, a cross-domain key is used to secure inter-domain data. A one-way multi-trapdoor function based on discrete logarithms is designed to reduce the communication and computation overhead of updating group keys.

For multicast source authentication, a hash-chaining tree is constructed according to the relationship among the cumulative layered multicast packets. Thus, not only is the source of all multicast packets quickly authenticated, but meaningless packets can also be detected and discarded as early as possible. Group key management and multicast source authentication are coordinated.

To verify the feasibility, security, and performance of this security mechanism, a layered multicast system for secure video is implemented, and its security and performance are analyzed according to the results.
Keywords/Search Tags:layered multicast, access control, group key, one-way multi-trapdoor function, multicast source authentication
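
The layered group key property described in the abstract (a receiver entitled to lower layers cannot read higher layers) can be illustrated with a one-way key chain. This is an added example, not the thesis's construction: it assumes an HMAC-SHA-256 chain in place of the thesis's discrete-logarithm one-way multi-trapdoor function, and all function names, the packet layout, and the sample key are hypothetical.

```python
from __future__ import annotations
import hashlib
import hmac

def step_down(key: bytes) -> bytes:
    """One-way step: key of layer i+1 -> key of layer i (not reversible)."""
    return hmac.new(key, b"layer-key-step", hashlib.sha256).digest()

def derive_keys(granted_layer: int, granted_key: bytes) -> dict[int, bytes]:
    """All keys for layers 1..granted_layer from the one key a receiver holds."""
    keys = {granted_layer: granted_key}
    for layer in range(granted_layer - 1, 0, -1):
        keys[layer] = step_down(keys[layer + 1])
    return keys

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the layer key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, header: bytes, data: bytes) -> bytes:
    # SHAKE-256 keystream: standard-library stand-in for a real AEAD cipher.
    stream = hashlib.shake_256(_subkey(key, b"enc") + header).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, layer: int, seq: int, payload: bytes) -> bytes:
    """Encrypt-then-MAC one packet of the given layer."""
    header = bytes([layer]) + seq.to_bytes(8, "big")
    body = _xor_stream(key, header, payload)
    tag = hmac.new(_subkey(key, b"mac"), header + body, hashlib.sha256).digest()
    return header + body + tag

def open_packet(keys: dict[int, bytes], packet: bytes) -> bytes | None:
    """Return the payload, or None if the layer is not granted or the tag fails."""
    if len(packet) < 9 + 32:
        return None
    header, body, tag = packet[:9], packet[9:-32], packet[-32:]
    key = keys.get(header[0])
    if key is None:
        return None  # layer above this receiver's grant: no key, drop early
    good = hmac.new(_subkey(key, b"mac"), header + body, hashlib.sha256).digest()
    return _xor_stream(key, header, body) if hmac.compare_digest(tag, good) else None

def demo() -> list[bytes | None]:
    # Constructed sample: 3 layers, fixed top key (a real server would use os.urandom).
    server = derive_keys(3, bytes(range(32)))
    receiver = derive_keys(2, server[2])  # receiver entitled to layers 1-2 only
    packets = [seal(server[n], n, 7, b"layer %d video" % n) for n in (1, 2, 3)]
    return [open_packet(receiver, p) for p in packets]
```

The group key only proves that a packet came from some key holder; identifying the actual sender is the job of the separate source authentication mechanism the abstract describes.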