|
多播安全 多播安全问题是其中的一个重要问题。多播服务要求比单播服务更安全。在多播过程中,多个实体在没有任何信任关系的过程中相互参与。威胁包括未经授权的创建、更改、销毁和不合法的使用数据。多播会话的范围是广泛的,因此相比于单播会话,这就是为什么它更容易受到安全攻击的原因。 为了减少多播安全问题,我们可以实现许多安全服务。这些服务可以进一步分为四个领域,如认证、授权、加密和数据完整性等方面的定义。为了最大限度地减少安全问题,多播通信可以使用全部或一些服务来获得所需的安全级别。在特定的需求和需求下,一个安全级别所需要的服务将被定义为特定的策略。 认证服务是提供参与的主机身份验证过程,因此它们可以被允许创建、发送或接收数据并执行特定的任务。在认证的帮助下,只允许授权的主机加入一个安全的多播组。 多播安全---Security in multicasting Security in multicasting is one of the main and important issues. Multicast services require more security than the unicast services. In multicasting process more entities participate with each other without any trusted relationship. Threats include the unauthorized creation, alteration, destruction, and illegitimate use of data.The scope of multicast session is broad as compared to unicast session that's why it is much vulnerable to security attacks. To reduce multicast security issues we can implement many security services. These services can be further categories into four areas such as authentication, authorization, encryption and data integrity as defined .To minimize security issues multicast communication may use all or some of the services to get a required level of security. The services needed for a security level will be defined by a certain policy under the specific requirements and needs of the session. Authentication service is process of providing assurance of the participating host identity, so they may be allowed to create, send or receive data and to execute specific tasks. With help of authentication only Authorized hosts are permitted to join a secure multicast group. More over authentication is a vital part in offering control to key material. If cryptographic techniques like as encryption for confidentiality are applied then authentication may offer a method to control access to keys used to secure group communication. For the establishment of session availability and distribution of keys only authorized group members should access those keys. In order to identify the source of multicast traffic, authentication mechanisms may be applied by the traffic source. This application serves to further define group membership by positively identifying group members along with their data being sourced to the group. Protocols such as the IP Authentication Header (AH) can provide authentication for IP datagrams and may be used for host authentication . Authentication is also an essential part of any key distribution protocol . To counter various masquerades and replay attacks that may be conducted against a secure multicast session keying material is used because it can identify the source of the key material. By applying authentication pattern to multicast groups data can achieve strong level of integrity. Integrity services provide assurance that multicast traffic is not changed during transmission. Integrity is not inherent to IP datagram traffic payloads and is usually reserved for transport layer protocols. The lack or weakness of integrity services in IP can lead to spoofing attacks . Strong integrity mechanisms can be applied indirectly at the network layer with security protocols such as the Encapsulating Security Payload (ESP) and AH . The applications having key management protocols, integrity services are necessary against spoofing attacks. Confidentiality services are important in creating a private multicast session. Normally encryption is used for establishment of private multicast sessions. With time/-to/-live (TTL) setting we can get a weaker form confidentiality by restricting data distribution of routed session. On different layers of protocol stack encryption can be applied to end services. At network layer, ESP provides confidentiality services for IP datagrams through encryption. Key management protocols such as the Internet Security Association and Key Management Protocol (ISAKMP) support confidentiality services for key exchanges. 关键管理问题---Issues of key management: We can accomplish required levels of confidentiality, integrity and authentication for multicast session by use of encryption and digital signatures. By having a robust security mechanism which cannot be easily defeated by cryptanalytic attacks, our concentration is now on key management, key distribution and access control for protecting key material. For this reason, secure multicast session has class D IP address and essential keying material. The encryption mechanism, enforced security policy and key structure dictate size, type and number of keys to guard multicast session. In order to maintain the security of session access to these keys must restricted. So, strong authentication mechanism should be applied during the registration process before distributing key material to each device. When these personal attributes are bound to a signed digital certificate, the certificate's digital signature and its relationship in a certificate hierarchy may verify the identity of a participant and their assigned permissions. In a multicast session it may be required to issue a new key or rekey depending on the security policy and traffic flow encrypted under a certain key. A rekey can also be done in case suspected event is detected. Rekey is sometime performed to deny the access to compromised site for future communication, without heavily affecting the other devices. Depending on the implemented security mechanism, voluntary exit of a device from a session is also included in compromise category. Rekey is required sometimes to prevent the previous device from joining the session without re registration. The need of rekey is dependent upon policy issues as well as practical tradeoffs. Policy of "flat or hierarchical" group trust is efficient in some scenarios greatly decreasing complexity required for dynamic key management. { Computer Communications Security: Principles, Standard Protocols and Techniques, W. Ford, Prentice Hall, 1994.}. Security Architecture for the Internet Protocol, R. Atkinson, RFC-1825, Naval Research Laboratory, August 1995. IP Encapsulating Security Payload (ESP), R. Atkinson, RFC-1827, Naval Research Laboratory, August 1995. IP Authentication Header, R. Atkinson, RFC-1826, Naval Research Laboratory, August 1995. Internet Security Association and Key Management Protocol (ISAKMP), D. Maughan, M. Schertler, M. Schneider, J. Turner, Internet-Draft, draft-ietf-ipsecisakmp- 07.txt, 21 February 1997. Security Problems in the TCP/IP Protocol Suite, S. Bellovin, ACM Computer Communications Review, Vol. 19, No. 2, March 1989. Applied Cryptography, Second Edition: Protocols, Algorithms and Source Code in C, B. Schneier, John Wiley & Sons, Inc., 1996. |
 |
|||
| 网站地图 |
