
CN101286838A - Design of a Large-Scale Dynamic Multicast Security Architecture - Google Patents

Info

Publication number: CN101286838A
Authority: CN (China)
Prior art keywords: multicast, group, domain, gcks, leaf
Legal status: Pending
Application number: CNA2007100488477A
Other languages: Chinese (zh)
Inventors: 秦志光, 何兴高, 靳京, 叶李
Current Assignee: University of Electronic Science and Technology of China
Original Assignee: University of Electronic Science and Technology of China
Application filed by University of Electronic Science and Technology of China
Priority to CNA2007100488477A
Publication of CN101286838A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a dynamic secure multicast system architecture for large-scale network environments. It designs a new dynamic secure multicast architecture that divides the overall multicast domain into separate regions, so that when the membership of a group changes only that group's key is updated. This avoids the system overhead of rekeying the whole group on every frequent membership change, gives each sub-domain a flexible extension mechanism for key management and data distribution, and builds a secure authentication mechanism on top of Kerberos, so that multicast groups are managed from the viewpoints of both control security and data security. Addressing the characteristics and requirements of the IPv6 protocol, it implements a fairly complete group key management mechanism that meets the security and practicality requirements of the vast majority of multicast applications in the second-generation China Education and Research Network (CERNET2) and similar network environments.

Figure 200710048847

Description

Design of a Large-Scale Dynamic Multicast Security Architecture

Technical Field

The invention relates to a large-scale dynamic secure multicast system architecture for large-scale network environments. Addressing the characteristics and requirements of the IPv6 protocol, it implements a fairly complete group key management mechanism that meets the security and practicality requirements of the vast majority of multicast applications in the second-generation China Education and Research Network (CERNET2) and similar network environments.

Background

The rapid development and spread of the Internet has given multicast services a strong market impetus, and multicast is becoming increasingly popular.

Multicast is a multi-receiver communication method based on UDP/IP; compared with unicast it effectively saves server resources and network bandwidth. The Internet Group Management Protocol (IGMP) is used to manage multicast. IGMP provides no member access control: a user who learns the multicast address used by a particular service can send an IGMP membership report to the router, join the group without any vetting, and receive a copy of the UDP data. Existing multicast communication therefore does not guarantee data security. Protecting the confidentiality of multicast data and building a secure communication system are the main goals of secure multicast research.

IP multicast has the following main characteristics:

(1) All members can receive packets sent to the multicast address;

(2) Multicast provides an open group model, so group members cannot be sure which member the data came from;

(3) Any host can send packets to the multicast address.

These three characteristics show that multicast inherently lacks network-layer access control, which can be summarized as: no control over joining a group, no control over group members sending and receiving data, and no verification of the authenticity of the data source.

Because multicast has inherent security problems, a secure multicast architecture must provide corresponding security services for them. Group security policy, group key management, data source authentication, group membership management and access control, and the confidentiality of multicast data are the important elements by which the architecture ensures security.

Existing work on the design of multicast architectures mainly includes:

Patent CN03153932.7 discloses a method for sharing a group security association. In that patent, the multicast source node creates a security association only with the first node in the group that sends an SA creation request, producing a shared CHILD_SA; when other nodes in the group later send SA creation requests to the multicast source node, the source node tells the requesting node to obtain the shared CHILD_SA from a node that has already generated it. The method supports the use of one shared security association for multicast communication within the IPsec framework. However, each member node of the multicast group must first create the shared CHILD_SA, or an IKE_SA connection with another node, before each communication; when the number of nodes is large this severely degrades performance and efficiency, so the method is unsuitable for large-scale multicast applications.

RFC3740 describes an IETF multicast security architecture. The architecture can provide many kinds of security guarantees for large-scale multicast group communication and takes into account the effect of scalability on large multicast groups. However, in the IETF structure the security processing cost caused by group membership changes is fairly high. Adding distributed multicast groups can reduce this effect, but correspondingly raises the cost of deploying multicast groups; and when multiple multicast groups are managed, peer entities incur additional communication overhead to contact one another in order to guarantee security services between multicast groups.

This patent improves on the IETF structure. It designs a new dynamic secure multicast architecture that divides the overall multicast domain into separate regions, so that when the membership of a group changes only that group's key is updated. This avoids the system overhead of rekeying the whole group on every frequent membership change, gives each sub-domain a flexible extension mechanism for key management and data distribution, and builds a secure authentication mechanism on top of Kerberos, so that multicast groups are managed from the viewpoints of both control security and data security. Addressing the characteristics and requirements of the IPv6 protocol, the patent implements a fairly complete group key management mechanism that meets the security and practicality requirements of the vast majority of multicast applications in CERNET2 and similar networks.

Summary of the Invention

The object of the invention is to define different domains so that mutually independent domains can use different group key management schemes. When the membership of a leaf domain in the system changes, only the keys within that domain need to be updated, which greatly reduces the overhead of rekeying the system as a whole.

The large-scale dynamic multicast security architecture design of the invention comprises: a system framework design method; a key management scheme structure; and a temporary cross-domain server strategy.

The system framework divides the overall multicast domain into two parts, "backbone" and "leaf":

A. Backbone domain: consists of key generators, key managers, node group controllers, policy and authentication servers, routers, and so on. The backbone domain forms the key management platform; in the multicast network it includes the security-related protocols (such as the Kerberos authentication protocol). The backbone domain is bounded by the node group controllers and key servers and contains no member hosts.

B. Leaf domain: the network infrastructure platform, containing the entities used to build the network. It consists of multicast members, subgroup controllers, and the various protocols and implementation components for IPv6-based multicast networks. Each leaf domain is associated with one border node group controller and key server, and different leaf nodes may use different group key management schemes.

Following the framework design, the group key management scheme comprises one policy and six protocols for multicast key security: the multicast group security policy, the multicast group creation protocol, the group member registration protocol, the group member deregistration protocol, the group member eviction protocol, the group key update protocol, and the group revocation protocol.

When handling non-audio, non-video data, the system fully meets performance requirements. For video multicast applications that are predominantly one-to-many, the data sending terminal (assumed to be A) can bypass the node group controller and connect directly to the backbone network, which removes one round of data decryption and encryption; this basically meets application requirements without affecting security.

With this patent, a membership change within the architecture updates only the group key of the affected leaf domain. This reduces overall system overhead, improves efficiency, and provides a flexible extension mechanism that meets the needs of large-scale and even very-large-scale network multicast security applications.

Description of the Drawings

Figure 1: key management structure of the large-scale dynamic secure multicast group;

Figure 2: structure of the group key management scheme;

Figure 3: schematic of the temporary cross-domain server strategy;

Figure 4: schematic of dynamic multicast operation under this architecture.

Detailed Description

The technical scheme of the invention is described in detail below with reference to the drawings.

Figure 4 shows dynamic multicast operation under this architecture:

The group owner or creator (GO) interacts with the policy server (PS) (steps 1 and 2) to obtain a policy token (PT), then applies to a group controller and key server (GCKS) in the backbone domain to create a multicast group instance (step 3). That GCKS is called the initial GCKS (I-GCKS). The I-GCKS publishes secure multicast content within the backbone domain under the backbone-domain group key.

A group member (GM) that wants to join the multicast group sends a request-to-join (RTJ) message to the GCKS that manages its leaf domain (steps 7 and 8), or submits the join application to the GCKS through the S-GCKS that manages its subgroup (steps 5, 6, 9 and 10).

A GM leaving the multicast group sends a request-to-depart (RTD) message to the GCKS that manages its leaf domain, or submits the deregistration application to the GCKS through the subgroup controller and key server (S-GCKS) that manages its subgroup.

The GO generates a new PT based on the identity of the GM being evicted, and the GCKS, acting on the PT, sends a join-rejected (R_J) message to the evicted member.

Whenever group membership changes, the GCKS performs a group key update. A group key update caused by a membership change inside a leaf domain is confined to that leaf domain and does not degrade the performance of other leaf domains or of the backbone domain.

Each GCKS in the backbone domain performs membership updates and timed updates under the control of the I-GCKS (step 4). Group key updates in the backbone domain are confined to the backbone domain.

When secure multicast content from a leaf domain reaches the GCKS that manages that leaf domain, the GCKS decrypts it with the leaf-domain group key, re-encrypts it with the backbone-domain group key, and publishes it in the backbone domain. Each GCKS in the backbone domain that receives the multicast data decrypts it with the backbone-domain group key, re-encrypts it with the group key of its own leaf domain, and publishes it in that leaf domain (step 11).
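The flow above, with leaf-local rekeying on join and leave and the decrypt/re-encrypt relay at the border GCKS (step 11), as an added Python sketch that is not part of the patent. The class and function names are hypothetical, new leaf keys are handed to members directly instead of through the registration protocol, and `seal`/`unseal` are a standard-library stand-in for a real AEAD cipher.

```python
import hashlib
import hmac
import os

# seal/unseal: HMAC-SHA256 keystream plus tag, a stand-in for a real AEAD (assumption).
def _xor_stream(key, nonce, data):
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = b"enc" + nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(group_key, plaintext):
    nonce = os.urandom(16)
    body = nonce + _xor_stream(group_key, nonce, plaintext)
    return body + hmac.new(group_key, b"mac" + body, hashlib.sha256).digest()

def unseal(group_key, packet):
    body, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(group_key, b"mac" + body, hashlib.sha256).digest()):
        raise ValueError("wrong group key or modified packet")
    return _xor_stream(group_key, body[:16], body[16:])

class GCKS:
    """Border group controller and key server for one leaf domain (hypothetical model)."""
    def __init__(self, backbone_key):
        self.backbone_key = backbone_key
        self.leaf_key = os.urandom(32)
        self.members = {}   # member id -> leaf group key that member currently holds
        self.rekeys = 0

    def _rekey(self):
        self.leaf_key = os.urandom(32)   # update confined to this leaf domain
        self.rekeys += 1
        for member in self.members:
            self.members[member] = self.leaf_key   # assumed sent over a secure channel

    def join(self, member):          # handles an RTJ
        self.members[member] = None
        self._rekey()

    def leave(self, member):         # handles an RTD or an eviction
        stale_key = self.members.pop(member)
        self._rekey()
        return stale_key             # the key the departed member still knows

    def to_backbone(self, packet):   # leaf-domain key -> backbone-domain key
        return seal(self.backbone_key, unseal(self.leaf_key, packet))

    def to_leaf(self, packet):       # backbone-domain key -> leaf-domain key (step 11)
        return seal(self.leaf_key, unseal(self.backbone_key, packet))

def demo():
    backbone_key = os.urandom(32)
    leaf_a, leaf_b = GCKS(backbone_key), GCKS(backbone_key)
    for gcks, names in ((leaf_a, ("a1", "a2")), (leaf_b, ("b1", "b2"))):
        for name in names:
            gcks.join(name)
    before = (leaf_b.leaf_key, leaf_b.rekeys)

    # a1 sends; the packet crosses leaf A -> backbone -> leaf B.
    relayed = leaf_b.to_leaf(leaf_a.to_backbone(seal(leaf_a.members["a1"], b"frame-1")))
    delivered = unseal(leaf_b.members["b1"], relayed)

    # a2 leaves: only leaf A rekeys, and a2's old key cannot open new traffic.
    stale_key = leaf_a.leave("a2")
    try:
        unseal(stale_key, seal(leaf_a.members["a1"], b"frame-2"))
        locked_out = False
    except ValueError:
        locked_out = True

    return {
        "delivered": delivered,
        "locked_out": locked_out,
        "leaf_b_untouched": before == (leaf_b.leaf_key, leaf_b.rekeys),
        "leaf_a_rekeys": leaf_a.rekeys,
    }

if __name__ == "__main__":
    print(demo())
```

Each border GCKS holds the plaintext between `unseal` and `seal`, so every GCKS on the path sits inside the trust boundary for the content it relays.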

Claims (5)

1. A large-scale dynamic multicast security architecture design, characterized in that, in a large-scale network system and addressing the characteristics and requirements of the IPv6 protocol, the overall multicast domain is divided into two parts, "backbone" and "leaf", so that when multicast membership within the architecture changes only the group key within the affected leaf domain is updated, which reduces overall system overhead, improves efficiency, and provides a flexible extension mechanism that meets the needs of large-scale and even very-large-scale network multicast security applications.

2. The large-scale dynamic multicast security architecture design according to claim 1, characterized in that the overall multicast domain is divided into the "backbone" and "leaf" parts as follows:

A. Backbone domain: consists of key generators, key managers, node group controllers, policy and authentication servers, routers, and so on. The backbone domain forms the key management platform; in the multicast network it includes the security-related protocols (such as the Kerberos authentication protocol). The backbone domain is bounded by the node group controllers and key servers and contains no member hosts.

B. Leaf domain: the network infrastructure platform, containing the entities used to build the network. It consists of multicast members, subgroup controllers, and the various protocols and implementation components for IPv6-based multicast networks. Each leaf domain is associated with one border node group controller and key server, and different leaf nodes may use different group key management schemes.

3. The large-scale dynamic multicast security architecture design according to claim 2, characterized in that the group key management scheme comprises one policy and six protocols for multicast key security: the multicast group security policy, the multicast group creation protocol, the group member registration protocol, the group member deregistration protocol, the group member eviction protocol, the group key update protocol, and the group revocation protocol.

4. The large-scale dynamic multicast security architecture design according to claim 1, characterized in that, for video multicast applications that are predominantly one-to-many, the data sending terminal (assumed to be A) can bypass the node group controller and connect directly to the backbone network, which removes one round of data decryption and encryption; this basically meets application requirements without affecting security.

5. The large-scale dynamic multicast security architecture design according to claims 1 to 4, characterized in that dynamic multicast operation under this architecture proceeds as follows:

The GO interacts with the PS (steps 1 and 2) to obtain a PT, then applies to a GCKS in the backbone domain to create a multicast group instance (step 3). That GCKS is called the initial GCKS (I-GCKS). The I-GCKS publishes secure multicast content within the backbone domain under the backbone-domain group key.

A GM that wants to join the multicast group sends an RTJ message to the GCKS that manages its leaf domain (steps 7 and 8), or submits the join application to the GCKS through the S-GCKS that manages its subgroup (steps 5, 6, 9 and 10).

A GM leaving the multicast group sends an RTD message to the GCKS that manages its leaf domain, or submits the deregistration application to the GCKS through the S-GCKS that manages its subgroup.

The GO generates a new PT based on the identity of the GM being evicted, and the GCKS, acting on the PT, sends an R_J message to the evicted member.

Whenever group membership changes, the GCKS performs a group key update. A group key update caused by a membership change inside a leaf domain is confined to that leaf domain and does not degrade the performance of other leaf domains or of the backbone domain.

Each GCKS in the backbone domain performs membership updates and timed updates under the control of the I-GCKS (step 4). Group key updates in the backbone domain are confined to the backbone domain.

When secure multicast content from a leaf domain reaches the GCKS that manages that leaf domain, the GCKS decrypts it with the leaf-domain group key, re-encrypts it with the backbone-domain group key, and publishes it in the backbone domain. Each GCKS in the backbone domain that receives the multicast data decrypts it with the backbone-domain group key, re-encrypts it with the group key of its own leaf domain, and publishes it in that leaf domain (step 11).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007100488477A CN101286838A (en) 2007-04-11 2007-04-11 Design of a Large-Scale Dynamic Multicast Security Architecture

Publications (1)

Publication Number Publication Date
CN101286838A true CN101286838A (en) 2008-10-15

Family

ID=40058823

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007100488477A Pending CN101286838A (en) 2007-04-11 2007-04-11 Design of a Large-Scale Dynamic Multicast Security Architecture

Country Status (1)

Country Link
CN (1) CN101286838A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104573395A (en) * 2015-01-29 2015-04-29 上海理想信息产业(集团)有限公司 Big data platform safety assessment quantitative analysis method
CN104573395B (en) * 2015-01-29 2017-04-12 上海理想信息产业(集团)有限公司 Big data platform safety assessment quantitative analysis method
CN106603441A (en) * 2017-01-05 2017-04-26 盛科网络(苏州)有限公司 Multicast message processing method and switch chip in distributed link aggregation network
CN106603441B (en) * 2017-01-05 2019-09-20 盛科网络(苏州)有限公司 Multicast message processing method and exchange chip in distributed aggregated link network
CN108989028A (en) * 2018-07-16 2018-12-11 哈尔滨工业大学(深圳) Group cipher distribution management method, apparatus, electronic equipment and storage medium
CN109753805A (en) * 2018-12-28 2019-05-14 北京东方国信科技股份有限公司 A kind of method of big data safety coefficient evaluation and test
CN111031495A (en) * 2020-01-06 2020-04-17 南通大学 Multicast communication system and method for 6LowPAN Internet of things communication network
CN111031495B (en) * 2020-01-06 2021-07-30 南通大学 A multicast communication system and method for 6LowPAN IoT communication network
CN112100606A (en) * 2020-09-28 2020-12-18 邓燕平 Online education processing method based on cloud big data calculation and online education platform
CN112100606B (en) * 2020-09-28 2021-12-17 武汉厚溥数字科技有限公司 Online education processing method based on cloud big data calculation and online education platform

Similar Documents

Publication Publication Date Title
Dondeti et al. Scalable secure one-to-many group communication using dual encryption
Ballardie Scalable multicast key distribution
US6901510B1 (en) Method and apparatus for distributing and updating group controllers over a wide area network using a tree structure
US7434046B1 (en) Method and apparatus providing secure multicast group communication
US7383436B2 (en) Method and apparatus for distributing and updating private keys of multicast group managers using directory replication
Mittra Iolus: A framework for scalable secure multicasting
US7660983B1 (en) Method and apparatus for creating a secure communication channel among multiple event service nodes
US7260716B1 (en) Method for overcoming the single point of failure of the central group controller in a binary tree group key exchange approach
Hardjono et al. Multicast and group security
CN101286838A (en) Design of a Large-Scale Dynamic Multicast Security Architecture
CN101692637A (en) Key management method for multicast
Liyanage et al. Secure hierarchical virtual private LAN services for provider provisioned networks
CN101635724A (en) Method and system for realizing multicast member authentication
Li et al. Distributed key management scheme for peer‐to‐peer live streaming services
Brown et al. Internet multicast tomorrow
Li et al. A survey on key management for multicast
Laganier et al. Hipernet: a decentralized security infrastructure for large scale grid environments
Hardjono et al. Secure and scalable inter-domain group key management for N-to-N multicast
Zhu et al. A secure multicast model for peer-to-peer and access networks using the host identity protocol
Dondeti Efficient private group communication over public networks
Fesehaye et al. SNC: scalable NDN-based conferencing architecture
Roh et al. Key management scheme for providing the confidentiality in mobile multicast
Jing et al. CERNET2 super-scale dynamic multicast network-based security system framework principles
Li et al. An IPv6 Security Multicast System Based on CA Authentication
WO2004036867A1 (en) Multi-path secured network communication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20081015