190 likes | 278 Views
T-110.557 Petri Jokela petri.jokela@nomadiclab.com. Access control for IP multicast. Contents. Unicasting / multicasting HIP User authentication Certificates User authorization Certificate based Multicast Access Control - C-MAC Future work Summary. Multicasting. Unicasting
E N D
T-110.557 Petri Jokela petri.jokela@nomadiclab.com Access control for IP multicast
Contents • Unicasting / multicasting • HIP • User authentication • Certificates • User authorization • Certificate based Multicast Access Control - C-MAC • Future work • Summary
Multicasting • Unicasting • Point-to-point connection • Multiple receivers -> resources wasted • Multicasting • One outgoing stream, multiplied near recipients • How to control stream receiving?
I3 based multicast • Traffic is sent with a stream identifier • Chord routing protocol used for data routing • End-user sets a trigger at an I3 server • Receive a stream • stream identifier in the trigger • Traffic unicasted from the server to the end-user
Source Router Router Router Router Router Router Host Host Host IP multicasting • Send to • IPv4: 224.0.0.0/4 • IPv6: ff00::/8 Multicast routing protocol • Join multicast group • IGMP • Router broadcasts Join multicast group X Join...
HIP usage • The end-user authentication • During HIP 4-way handshake • End-user sends HI (public key) • Use private key to prove HI ownership • IPsec usage • Data decryption key information sent over IPsec ESP
Certificates • SPKI certificates • RFC2693 • Certificate – 5-tuple, containing: • Issuer: Who gives the rights • Subject: To who this certificate gives rights • Authorization: What this certificate authorizes the subject to do • Validity: How long this cert is valid • Delegation: Can the subject delegate this further? • Certificate signed with issuer’s private key
Certificate delegation • Certificate delegated: new and old cert concatenated • Issuer: itself • Subject: next retailer or end-user • Authorization: subset of original • Validity: subset of original • Delegation: depends on subject • Signature over the whole certificate chain • The receiver can validate • Knows the first public key • Goes through the certificate chain
Source Router Retailer Router Retailer Router End-user C-MAC parties Data stream Cert ok? Keying
Source Router Retailer Router Retailer Router End-user C-MAC: certificate distribution Data stream Cert ok? Keying
C-MAC operation: cert distribution • The data source issues a certificate • Issuer: data source public key • Subject: retailer’s public key • Authorization: receive data multicasting X • Validity: how long valid • Delegation: yes • Certificate given to a retailer • Retailer can further delegate to another retailer • Finally, certificate is sold to the end-user • Payment: VISA, other... – not specified here
Source Router Retailer Router Retailer Router End-user C-MAC: authentication and authorization Data stream Cert ok? HIP negotiation
C-MAC: end-user authentication and authorization • End user joins a multicast group • HIP association with the router • Router learns end-hosts public key (HI) • End user sends the certificate to the router • Router verifies the certificate chain • Verify the subject, must match the end-user HI • Make a verification to the last retailer • Retailer marks the certificate used
Source Router Retailer Router Retailer Router End-user C-MAC: data transmission Data stream Cert ok? Keying
C-MAC: Data transmission • Data must be encrypted • IP multicast: sent to everyone on the link • Where? At the last router • Valid receiver needs a key • The decryption key is sent to valid receivers • Key sent over the IPsec ESP • Rekeying needed • How validity times are defined? • Minutes, hours, days,...? • Problems • How to prevent end-user to redistribute the key? • And if prevented, how to prevent resending decrypted data?
Future work • Trust relations between entities • How this system could be adopted in real business • Security • No security analysis made on this (complex) system • Performance optimization • Encoding of data • Key distribution • Payment system • Not studied in this paper • Prototyping
Summary • Access Control system for IP multicast • IP multicasting • Certificates for access control • certificate chain • User authentication • HIP • Data encryption • A lot of work to do