1 / 18

Access control for IP multicast

T-110.557 Petri Jokela petri.jokela@nomadiclab.com. Access control for IP multicast. Contents. Unicasting / multicasting HIP User authentication Certificates User authorization Certificate based Multicast Access Control - C-MAC Future work Summary. Multicasting. Unicasting

lee-hewitt
Download Presentation

Access control for IP multicast

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. T-110.557 Petri Jokela petri.jokela@nomadiclab.com Access control for IP multicast

  2. Contents • Unicasting / multicasting • HIP • User authentication • Certificates • User authorization • Certificate based Multicast Access Control - C-MAC • Future work • Summary

  3. Multicasting • Unicasting • Point-to-point connection • Multiple receivers -> resources wasted • Multicasting • One outgoing stream, multiplied near recipients • How to control stream receiving?

  4. I3 based multicast • Traffic is sent with a stream identifier • Chord routing protocol used for data routing • End-user sets a trigger at an I3 server • Receive a stream • stream identifier in the trigger • Traffic unicasted from the server to the end-user

  5. Source Router Router Router Router Router Router Host Host Host IP multicasting • Send to • IPv4: 224.0.0.0/4 • IPv6: ff00::/8 Multicast routing protocol • Join multicast group • IGMP • Router broadcasts Join multicast group X Join...

  6. HIP usage • The end-user authentication • During HIP 4-way handshake • End-user sends HI (public key) • Use private key to prove HI ownership • IPsec usage • Data decryption key information sent over IPsec ESP

  7. Certificates • SPKI certificates • RFC2693 • Certificate – 5-tuple, containing: • Issuer: Who gives the rights • Subject: To who this certificate gives rights • Authorization: What this certificate authorizes the subject to do • Validity: How long this cert is valid • Delegation: Can the subject delegate this further? • Certificate signed with issuer’s private key

  8. Certificate delegation • Certificate delegated: new and old cert concatenated • Issuer: itself • Subject: next retailer or end-user • Authorization: subset of original • Validity: subset of original • Delegation: depends on subject • Signature over the whole certificate chain • The receiver can validate • Knows the first public key • Goes through the certificate chain

  9. Source Router Retailer Router Retailer Router End-user C-MAC parties Data stream Cert ok? Keying

  10. Source Router Retailer Router Retailer Router End-user C-MAC: certificate distribution Data stream Cert ok? Keying

  11. C-MAC operation: cert distribution • The data source issues a certificate • Issuer: data source public key • Subject: retailer’s public key • Authorization: receive data multicasting X • Validity: how long valid • Delegation: yes • Certificate given to a retailer • Retailer can further delegate to another retailer • Finally, certificate is sold to the end-user • Payment: VISA, other... – not specified here

  12. Source Router Retailer Router Retailer Router End-user C-MAC: authentication and authorization Data stream Cert ok? HIP negotiation

  13. C-MAC: end-user authentication and authorization • End user joins a multicast group • HIP association with the router • Router learns end-hosts public key (HI) • End user sends the certificate to the router • Router verifies the certificate chain • Verify the subject, must match the end-user HI • Make a verification to the last retailer • Retailer marks the certificate used

  14. Source Router Retailer Router Retailer Router End-user C-MAC: data transmission Data stream Cert ok? Keying

  15. C-MAC: Data transmission • Data must be encrypted • IP multicast: sent to everyone on the link • Where? At the last router • Valid receiver needs a key • The decryption key is sent to valid receivers • Key sent over the IPsec ESP • Rekeying needed • How validity times are defined? • Minutes, hours, days,...? • Problems • How to prevent end-user to redistribute the key? • And if prevented, how to prevent resending decrypted data?

  16. Future work • Trust relations between entities • How this system could be adopted in real business • Security • No security analysis made on this (complex) system • Performance optimization • Encoding of data • Key distribution • Payment system • Not studied in this paper • Prototyping

  17. Summary • Access Control system for IP multicast • IP multicasting • Certificates for access control • certificate chain • User authentication • HIP • Data encryption • A lot of work to do

  18. Thank you!

More Related