CN101286838A - Design of large-scale dynamic multicasting security system framework - Google Patents

Design of large-scale dynamic multicasting security system framework

Info

Publication number: CN101286838A
Authority: CN (China)
Prior art keywords: group, multicast, gcks, leaf, management
Legal status: Pending
Application number: CNA2007100488477A
Other languages: Chinese (zh)
Inventors: 秦志光, 何兴高, 靳京, 叶李
Current Assignee: University of Electronic Science and Technology of China
Original Assignee: University of Electronic Science and Technology of China
Priority date: 2007-04-11
Filing date: 2007-04-11
Publication date: 2008-10-15
Application filed by University of Electronic Science and Technology of China
Priority to CNA2007100488477A
Publication of CN101286838A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a dynamic secure multicast system architecture for large-scale network environments. A new dynamic secure multicast system architecture is designed: it divides the whole multicast into different areas and updates a group's key only after the members of that group change, avoiding the system overhead of updating the key of the whole group whenever members change frequently; it realizes a flexible extension mechanism for the key management and data distribution of each subarea; and it realizes a secure authentication mechanism based on Kerberos, so that multicast is managed from the viewpoints of control security and data security. Addressing the characteristics and requirements of the IPv6 protocol, a relatively complete group key management mechanism is realized that is applicable to the security and practicality requirements of most multicast applications in the second-generation China Education and Research Network (CERNET2) and similar network environments.

Description

Design of a large-scale dynamic multicast security system framework
Technical field
The present invention relates to a large-scale dynamic secure multicast system framework for large-scale network environments. Addressing the characteristics and requirements of the IPv6 protocol, it realizes a relatively complete group key management mechanism applicable to the security and practicality requirements of most multicast applications in the second-generation CERNET (CERNET2) and similar network environments.
Background technology
The rapid development and spread of the Internet has created a powerful market driver for multicast services, and multicast is becoming increasingly popular.
Multicast is a communication mode based on the UDP/IP protocol and oriented to many receivers; compared with unicast it can substantially save server resources and network bandwidth. The Internet Group Management Protocol (IGMP) is used to manage multicast. IGMP provides no member access control: as long as a user knows the multicast address used by a particular service, the user can send an IGMP membership report to the router, join the group without any check, and obtain a copy of the UDP data. Existing multicast communication therefore does not guarantee data security. Keeping multicast data confidential and establishing a secure communication system are the main goals of secure multicast research.
IP multicast has the following major features:
(1) all members receive the packets sent to the multicast address;
(2) multicast provides an open group model, so a group member cannot determine which member a given packet came from;
(3) any host can send packets to the multicast address.
These three features reflect that multicast technology inherently lacks network-layer access control, which can be summarized as: lack of control over joining the group, lack of control over group members sending and receiving data, and lack of verification of the authenticity of the data source.
Since multicast has these inherent security problems, a secure multicast architecture must provide corresponding security services for them. Group security policy, group key management, data source authentication, group membership management and access control, and confidentiality of multicast data are the important contents by which the architecture guarantees security.
Existing work on the design of multicast architectures mainly includes the following.
Patent CN03153932.7 discloses a method for realizing group-shared security associations. In that patent the multicast source node creates a security association only with the first node in the group that initiates a create-SA request, generating a shared CHILD_SA; when another node in the group later initiates a create-SA request, the multicast source node notifies that node to obtain the shared CHILD_SA from the node that generated it. This method supports the use of a single shared security association for multicast communication under the IPsec framework. However, every member node in the multicast group must first create the shared CHILD_SA, or an IKE_SA connection with other nodes, before each communication; when the number of nodes is very large this greatly affects performance and efficiency, so the method is not suitable for large-scale multicast applications.
RFC 3740 introduces the IETF multicast security architecture. This architecture provides many aspects of security assurance for large-scale multicast group communication and takes scalability into account for large-scale multicast groups. However, in the IETF architecture the security-processing cost caused by group membership changes is large; although this can be reduced by adding distributed multicast groups, that correspondingly increases the cost of deploying multicast groups, and when managing multiple multicast groups extra communication overhead is needed for peer entities to coordinate so as to guarantee security services between the groups.
This patent improves on the IETF architecture by designing a new dynamic secure multicast system framework. The whole multicast is divided into different areas; after the members of a group change, only that group's key is updated, avoiding the overhead of whole-group key management caused by frequent membership changes. A flexible extension mechanism for key management and data distribution is realized within each subdomain, and a secure authentication mechanism is realized on the basis of Kerberos, so that multicast groups are managed from the viewpoints of control security and data security. Addressing the characteristics and requirements of the IPv6 protocol, this patent realizes a relatively complete group key management mechanism applicable to the security and practicality requirements of most multicast applications in CERNET2 and similar networks.
Summary of the invention
The objective of the invention is, by defining different areas, to allow mutually distinct areas to use different group key management schemes; when members change in a certain leaf domain of the system, only the key in that domain needs to be updated, thereby significantly reducing the overhead of updating the key of the whole system.
The large-scale dynamic multicast security system framework design of the present invention comprises three parts:
the system framework design method;
the key management scheme structure;
the temporary cross-domain server policy.
The system framework divides the whole multicast domain into two parts, "backbone" and "leaf":
A. Backbone domain: composed of key generators, key management units, node group controllers, policy and authentication servers, routers and the like. The backbone domain forms the key management platform; within the multicast network it includes the security-related protocols (such as the Kerberos authentication protocol). The backbone domain is bounded by the node group controllers and key servers and contains no member hosts.
B. Leaf domain: the network infrastructure platform, comprising the entities used to build the network; it is composed of multicast members, sub-group controllers, the various protocols based on the IPv6 multicast network, and the implementation components. Each leaf domain is associated with a boundary node group controller and key server, and different leaf nodes (leaf domains) have different group key management schemes.
According to the system framework design, the group key management scheme comprises one policy and six protocols for multicast key security: the multicast group security policy, the multicast group creation protocol, the group member registration protocol, the group member deregistration protocol, the group member expulsion protocol, the group key management protocol, and the group revocation protocol.
For non-audio/video data processing, the system can fully satisfy performance requirements. For video multicast applications that are mainly one-to-many, the data sending terminal (assumed to be A) can bypass the node group controller and connect directly to the backbone network, thereby saving one data encryption/decryption pass; this basically satisfies application requirements without affecting security.
This patent allows that, when members change in the system architecture, only the group key in that leaf domain is updated, reducing overall system overhead and improving efficiency; it also realizes a flexible extension mechanism and can well satisfy the demands of large-scale and even ultra-large-scale network multicast security applications.
Description of drawings
Fig. 1: key management structure of the large-scale dynamic secure multicast group;
Fig. 2: schematic structure of group key management;
Fig. 3: schematic of the temporary cross-domain server policy;
Fig. 4: schematic of dynamic multicast operation under this framework.
Embodiment
The technical scheme of the present invention is described in detail below with reference to the drawings.
Fig. 4 shows the schematic of dynamic multicast operation under this framework:
After the group owner or creator (GO) obtains a policy token (PT) by interacting with the policy server (PS) (steps 1 and 2), it applies to a certain group controller and key server (GCKS) on the backbone domain to create a multicast group instance (step 3). This GCKS is called the initial GCKS (I-GCKS); the I-GCKS distributes the secure multicast content in the backbone domain, encrypted with the backbone-domain group key.
A group member (GM) wishing to join the multicast group sends a request-to-join (RTJ) message to the GCKS managing its leaf domain (steps 7 and 8), or submits a join application to the GCKS via the sub-group controller and key server (S-GCKS) managing its group (steps 5, 6, 9 and 10).
A GM leaving the multicast group sends a request-to-depart (RTD) message to the GCKS managing its leaf domain, or submits a deregistration application to the GCKS via the S-GCKS managing its group.
The GO generates a new PT based on the identity of the GM to be expelled, and the GCKS sends a refuse-to-join (R_J) message to the expelled member according to the PT.
On the basis of group membership changes, the GCKS carries out group key management operations; however, the group key management operation caused by a membership change in a leaf domain is confined to that leaf domain and does not degrade the performance of other leaf domains or of the backbone domain.
Each GCKS carries out member updates and periodic update operations in the backbone domain under the control of the I-GCKS (step 4). Group key management in the backbone domain is confined to the backbone domain.
When secure multicast content from a leaf domain is sent to the GCKS managing that leaf domain, the GCKS decrypts the content with the leaf-domain group key, re-encrypts it with the backbone-domain group key, and distributes it in the backbone domain. When each GCKS receives multicast data from the backbone domain, it decrypts it with the backbone-domain group key, re-encrypts it with its own leaf-domain group key, and distributes it within that leaf domain (step 11).
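The following Python simulation is an added illustration of the operation described above and of the backbone/leaf division; it is not code from the patent. It models a policy server issuing an authenticated policy token, leaf GCKSs checking RTJ requests against that token and answering expelled members with R_J, a departure that rekeys only the affected leaf domain, and GCKSs translating content between the leaf-domain and backbone-domain group keys. The toy HMAC-SHA256 cipher, the key shared between the PS and the GCKSs, and all names, identifiers and sample data are constructed assumptions.

```python
"""Simulation of the backbone/leaf two-tier key hierarchy of Fig. 4.
Added example, not code from the patent. A toy authenticated cipher built
from HMAC-SHA256 stands in for a real AEAD such as AES-GCM; the PS/GCKS
shared key, all names, steps and sample data are constructed assumptions."""
import hashlib
import hmac
import os


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode used as a PRF (toy construction for the demo).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    # Encrypt-then-MAC: nonce || ciphertext || 16-byte tag.
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]


def unseal(key, blob):
    # Verify the tag first; a wrong group key fails here instead of yielding garbage.
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("bad tag: this key cannot open the message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class LeafDomain:
    # A leaf domain with its boundary GCKS: one group key shared by its members.
    def __init__(self):
        self.key, self.members, self.rekeys = os.urandom(32), {}, 0

    def join(self, gm):
        self.members[gm] = self.key       # registration protocol: GM receives the current leaf key

    def depart(self, gm):
        del self.members[gm]
        self.key, self.rekeys = os.urandom(32), self.rekeys + 1   # rekey this leaf only
        for m in self.members:            # key management protocol: remaining members get the new key
            self.members[m] = self.key


class SecureMulticast:
    # Backbone domain: the PS issues policy tokens, all GCKSs share one backbone key.
    def __init__(self, leaf_names):
        self.backbone_key = os.urandom(32)
        self.ps_key = os.urandom(32)      # key shared by the PS and the GCKSs (assumption)
        self.leaves = {n: LeafDomain() for n in leaf_names}

    def policy_token(self, expelled):
        # Steps 1-2: GO obtains from the PS a PT naming expelled GMs; the PS authenticates it.
        body = ",".join(sorted(expelled)).encode()
        return body, hmac.new(self.ps_key, body, hashlib.sha256).digest()

    def request_to_join(self, leaf, gm, token):
        # Steps 7-8: RTJ to the leaf's GCKS, which checks the PT before admitting the GM.
        body, tag = token
        if not hmac.compare_digest(tag, hmac.new(self.ps_key, body, hashlib.sha256).digest()):
            return "R_J"                  # forged or tampered token
        if gm in body.decode().split(","):
            return "R_J"                  # refuse-to-join for an expelled member
        self.leaves[leaf].join(gm)
        return "JOINED"

    def request_to_depart(self, leaf, gm):
        self.leaves[leaf].depart(gm)      # RTD: only this leaf domain rekeys

    def multicast(self, src_leaf, gm, plaintext):
        # Step 11: leaf key -> backbone key at the source GCKS, backbone key -> leaf key at each GCKS.
        src = self.leaves[src_leaf]
        backbone_ct = seal(self.backbone_key, unseal(src.key, seal(src.members[gm], plaintext)))
        return {n: seal(leaf.key, unseal(self.backbone_key, backbone_ct)) for n, leaf in self.leaves.items()}


def run_demo():
    """Two leaf domains; a member leaves A: only A rekeys and the leaver is locked out."""
    net = SecureMulticast(["leafA", "leafB"])
    pt = net.policy_token(expelled=["gm-banned"])
    for leaf, gm in (("leafA", "gm1"), ("leafA", "gm2"), ("leafB", "gm3")):
        net.request_to_join(leaf, gm, pt)
    refused = net.request_to_join("leafB", "gm-banned", pt)
    old_key_a, backbone_before = net.leaves["leafA"].key, net.backbone_key
    net.request_to_depart("leafA", "gm2")
    delivered = net.multicast("leafA", "gm1", b"constructed sample payload")
    try:
        unseal(old_key_a, delivered["leafA"])
        leaver_locked_out = False
    except ValueError:
        leaver_locked_out = True
    return {
        "refused": refused,
        "rekeys_A": net.leaves["leafA"].rekeys,
        "rekeys_B": net.leaves["leafB"].rekeys,
        "backbone_unchanged": net.backbone_key == backbone_before,
        "gm3_reads": unseal(net.leaves["leafB"].members["gm3"], delivered["leafB"]),
        "leaver_locked_out": leaver_locked_out,
    }
```

Calling `run_demo()` shows the property the framework is built around: after gm2 leaves leafA, leafA's rekey counter is 1 while leafB's stays 0 and the backbone key is unchanged, gm3 in leafB still reads the payload, and gm2's retained leaf key no longer opens anything delivered to leafA. The PT check is the only admission gate in this model; a real deployment would also bind the token to the Kerberos-authenticated identity of the requesting GM.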

Claims (5)

1. A large-scale dynamic multicast security system framework design, characterized in that, in a large-scale network system and addressing the characteristics and requirements of the IPv6 protocol, the whole multicast domain is divided into two parts, "backbone" and "leaf", so that when multicast members change in the system architecture only the group key in that leaf domain is updated, reducing overall system overhead, improving efficiency, and realizing a flexible extension mechanism that can well satisfy the demands of large-scale and even ultra-large-scale network multicast security applications.
2. The large-scale dynamic multicast security system framework design of claim 1, characterized in that the whole multicast domain is divided into the two parts "backbone" and "leaf" as follows:
A. Backbone domain: composed of key generators, key management units, node group controllers, policy and authentication servers, routers and the like. The backbone domain forms the key management platform; within the multicast network it includes the security-related protocols (such as the Kerberos authentication protocol). The backbone domain is bounded by the node group controllers and key servers and contains no member hosts.
B. Leaf domain: the network infrastructure platform, comprising the entities used to build the network; it is composed of multicast members, sub-group controllers, the various protocols based on the IPv6 multicast network, and the implementation components. Each leaf domain is associated with a boundary node group controller and key server, and different leaf nodes (leaf domains) have different group key management schemes.
3. The large-scale dynamic multicast security system framework design of claim 2, characterized in that the group key management scheme comprises one policy and six protocols for multicast key security: the multicast group security policy, the multicast group creation protocol, the group member registration protocol, the group member deregistration protocol, the group member expulsion protocol, the group key management protocol, and the group revocation protocol.
4. The large-scale dynamic multicast security system framework design of claim 1, characterized in that, for video multicast applications that are mainly one-to-many, the data sending terminal (assumed to be A) bypasses the node group controller and connects directly to the backbone network, thereby saving one data encryption/decryption pass, which basically satisfies application requirements without affecting security.
5. The large-scale dynamic multicast security system framework design of any one of claims 1 to 4, characterized in that the dynamic multicast operation process under this framework is as follows:
After the GO obtains a PT by interacting with the PS (steps 1 and 2), it applies to a certain GCKS on the backbone domain to create a multicast group instance (step 3). This GCKS is called the initial GCKS (I-GCKS); the I-GCKS distributes the secure multicast content in the backbone domain, encrypted with the backbone-domain group key.
A GM wishing to join the multicast group sends an RTJ message to the GCKS managing its leaf domain (steps 7 and 8), or submits a join application to the GCKS via the S-GCKS managing its group (steps 5, 6, 9 and 10).
A GM leaving the multicast group sends an RTD message to the GCKS managing its leaf domain, or submits a deregistration application to the GCKS via the S-GCKS managing its group.
The GO generates a new PT based on the identity of the GM to be expelled, and the GCKS sends an R_J message to the expelled member according to the PT.
On the basis of group membership changes, the GCKS carries out group key management operations; however, the group key management operation caused by a membership change in a leaf domain is confined to that leaf domain and does not degrade the performance of other leaf domains or of the backbone domain.
Each GCKS carries out member updates and periodic update operations in the backbone domain under the control of the I-GCKS (step 4). Group key management in the backbone domain is confined to the backbone domain.
When secure multicast content from a leaf domain is sent to the GCKS managing that leaf domain, the GCKS decrypts the content with the leaf-domain group key, re-encrypts it with the backbone-domain group key, and distributes it in the backbone domain. When each GCKS receives multicast data from the backbone domain, it decrypts it with the backbone-domain group key, re-encrypts it with its own leaf-domain group key, and distributes it within that leaf domain (step 11).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007100488477A CN101286838A (en) 2007-04-11 2007-04-11 Design of large-scale dynamic multicasting security system framework

Publications (1)

Publication Number Publication Date
CN101286838A true CN101286838A (en) 2008-10-15

Family

ID=40058823

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007100488477A Pending CN101286838A (en) 2007-04-11 2007-04-11 Design of large-scale dynamic multicasting security system framework

Country Status (1)

Country Link
CN (1) CN101286838A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104573395A (en) * 2015-01-29 2015-04-29 上海理想信息产业(集团)有限公司 Big data platform safety assessment quantitative analysis method
CN104573395B (en) * 2015-01-29 2017-04-12 上海理想信息产业(集团)有限公司 Big data platform safety assessment quantitative analysis method
CN106603441A (en) * 2017-01-05 2017-04-26 盛科网络(苏州)有限公司 Multicast message processing method and switch chip in distributed link aggregation network
CN106603441B (en) * 2017-01-05 2019-09-20 盛科网络(苏州)有限公司 Multicast message processing method and exchange chip in distributed aggregated link network
CN108989028A (en) * 2018-07-16 2018-12-11 哈尔滨工业大学(深圳) Group cipher distribution management method, apparatus, electronic equipment and storage medium
CN109753805A (en) * 2018-12-28 2019-05-14 北京东方国信科技股份有限公司 A kind of method of big data safety coefficient evaluation and test
CN111031495A (en) * 2020-01-06 2020-04-17 南通大学 Multicast communication system and method for 6LowPAN Internet of things communication network
CN111031495B (en) * 2020-01-06 2021-07-30 南通大学 Multicast communication system and method for 6LowPAN Internet of things communication network
CN112100606A (en) * 2020-09-28 2020-12-18 邓燕平 Online education processing method based on cloud big data calculation and online education platform
CN112100606B (en) * 2020-09-28 2021-12-17 武汉厚溥数字科技有限公司 Online education processing method based on cloud big data calculation and online education platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20081015