Gothic: a group access control architecture for secure multicast and anycast
Proceedings - IEEE INFOCOM - Vol. 3 - Pages 1547-1556
Abstract
Multicast and anycast have received considerable attention due to their ability to support networked services. There are distinct and significant security vulnerabilities in both the multicast and anycast models, including denial of service, theft of service, eavesdropping, and masquerading. The multicast problem requires a secure IGMP. The anycast problem requires secure anycast server advertisements. We generalize these two problems into a problem of group access control and propose Gothic, a complete architecture for providing group access control. Gothic centers around a novel authorization architecture. This is complemented by a proposal for a group policy management system that allows the group owner to be authenticated before being allowed to specify the group access rights. This system can be applied to other works that involve group policy. We show how Gothic operates in a number of environments, including application-layer multicast, source-specific multicast, application-layer anycast and global IP-anycast. We evaluate the security and scalability of the architecture and show that it improves scalability over previous solutions while maintaining or increasing the level of security. We also propose methods of integrating Gothic with the group key management system and content distribution tree. We propose and evaluate a group access control aware group key management technique that leverages the existence of a group access control system to substantially reduce overhead.
Keywords
#Access control #Network servers #Multicast protocols #Routing protocols #Cryptography #Scalability #Computer crime #Security #Computer architecture #Educational institutions