Security in multicasting


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Security in multicasting is one of the main and most important issues. Multicast services require more security than unicast services. In a multicast session, many entities participate with each other without any trusted relationship among them. Threats include the unauthorized creation, alteration, destruction, and illegitimate use of data. The scope of a multicast session is broad compared to a unicast session, which is why it is much more vulnerable to security attacks.

To reduce multicast security issues we can implement many security services. These services can be categorized into four areas: authentication, authorization, encryption and data integrity. To minimize security issues, multicast communication may use all or some of these services to reach the required level of security. The services needed for a given security level are defined by a policy based on the specific requirements and needs of the session.

Authentication is the process of providing assurance of a participating host's identity, so that it may be allowed to create, send or receive data and to execute specific tasks. With authentication, only authorized hosts are permitted to join a secure multicast group.

Moreover, authentication is a vital part of controlling access to key material. If cryptographic techniques such as encryption for confidentiality are applied, authentication offers a method to control access to the keys used to secure group communication. Only authorized group members should have access to the keys used to establish the session and to distribute further keys. Authentication mechanisms may also be applied by the traffic source so that the source of multicast traffic can be identified.

This use of authentication further defines group membership by positively identifying group members along with the data they send to the group. Protocols such as the IP Authentication Header (AH) provide authentication for IP datagrams and may be used for host authentication. Authentication is also an essential part of any key distribution protocol.

To counter the various masquerade and replay attacks that may be conducted against a secure multicast session, the keying material itself is authenticated, since this identifies the source of the key material. By applying authentication to multicast group traffic, the data can achieve a strong level of integrity.

Integrity services provide assurance that multicast traffic is not changed during transmission. Integrity is not inherent to IP datagram payloads and is usually left to transport layer protocols. The lack or weakness of integrity services in IP can lead to spoofing attacks.

Strong integrity mechanisms can be applied indirectly at the network layer with security protocols such as the Encapsulating Security Payload (ESP) and AH. For applications that include key management protocols, integrity services are necessary as a defence against spoofing attacks.
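The per-datagram authentication, integrity and anti-replay checks described in the two passages above can be shown in a small piece of code. The following is an added illustration written for this page, not code from the original essay or from any of the cited protocols: it protects each multicast datagram with a sender id, a sequence number and an HMAC-SHA256 tag under a shared group key, and the receiver rejects tampered datagrams and replays using a sliding window, in the same spirit as the anti-replay window of AH and ESP. The group key, the header layout and the window size are constructed assumptions.

```python
import hmac
import hashlib
import struct

# Constructed group traffic key shared by the sender and all authorized receivers.
# In a real session this key comes from the key-management protocol, never from code.
GROUP_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

TAG_LEN = 32                    # full HMAC-SHA256 tag
HEADER = struct.Struct("!IQ")   # 32-bit sender id, 64-bit sequence number


def protect(sender_id: int, seq: int, payload: bytes, key: bytes = GROUP_KEY) -> bytes:
    """Build an authenticated multicast datagram: header || payload || HMAC tag."""
    body = HEADER.pack(sender_id, seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Verifies integrity and origin of each datagram and rejects replays per sender."""

    def __init__(self, key: bytes = GROUP_KEY, window: int = 64):
        self.key = key
        self.window = window
        # sender id -> (highest sequence number accepted, bitmask of accepted
        # sequence numbers below it; bit 0 is the highest one)
        self.state = {}

    def accept(self, datagram: bytes):
        """Return (payload, "ok") or (None, reason) for a received datagram."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return None, "truncated"
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison: the tag check happens before anything else
        # is parsed, so a forged or modified datagram is dropped early.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        sender_id, seq = HEADER.unpack_from(body)
        highest, seen = self.state.get(sender_id, (-1, 0))
        if seq > highest:
            # New high-water mark: slide the window forward and mark this seq.
            shift = seq - highest
            seen = ((seen << shift) | 1) & ((1 << self.window) - 1)
            self.state[sender_id] = (seq, seen)
        else:
            offset = highest - seq
            if offset >= self.window:
                return None, "too old"          # fell out of the window
            if seen & (1 << offset):
                return None, "replay"           # already accepted once
            self.state[sender_id] = (highest, seen | (1 << offset))
        return body[HEADER.size:], "ok"
```

A symmetric group key as used here gives group authentication only: any member holding the key could produce a valid tag, so where the policy requires identifying the individual traffic source against insiders, per-sender digital signatures must be added on top of this scheme.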

Confidentiality services are important in creating a private multicast session. Normally, encryption is used to establish private multicast sessions. A weaker form of confidentiality can be obtained with the time-to-live (TTL) setting, which restricts how far the data of a routed session is distributed.

Encryption can be applied to end services at different layers of the protocol stack. At the network layer, ESP provides confidentiality for IP datagrams through encryption. Key management protocols such as the Internet Security Association and Key Management Protocol (ISAKMP) support confidentiality services for key exchanges.

Issues of key management:

We can achieve the required levels of confidentiality, integrity and authentication for a multicast session by using encryption and digital signatures. Given a robust security mechanism that cannot easily be defeated by cryptanalytic attacks, our concern then moves to key management, key distribution and access control for protecting the key material. For this reason a secure multicast session has a class D IP address and essential keying material. The encryption mechanism, the enforced security policy and the key structure dictate the size, type and number of keys that guard the multicast session.

To maintain the security of the session, access to these keys must be restricted. A strong authentication mechanism should therefore be applied during the registration process before key material is distributed to each device. When a participant's personal attributes are bound to a signed digital certificate, the certificate's digital signature and its place in a certificate hierarchy can verify the identity of the participant and their assigned permissions.

In a multicast session it may be necessary to issue a new key, or rekey, depending on the security policy and on the amount of traffic encrypted under a given key. A rekey can also be done when a suspicious event is detected. A rekey is sometimes performed to deny a compromised site access to future communication, without heavily affecting the other devices.

Depending on the implemented security mechanism, the voluntary exit of a device from a session may also be treated as a compromise. A rekey is then required to prevent the departed device from rejoining the session without re-registration. The need for rekeying depends on policy issues as well as practical trade-offs. A policy of flat or hierarchical group trust is efficient in some scenarios, greatly decreasing the complexity required for dynamic key management.
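The registration, key distribution and rekey-on-exit steps of the key management section can be traced in code. The following is an added example written for this page, not the essay's own design or any standard protocol: a key manager holds one individual key-encryption key (KEK) per registered member, hands the current group key to a new member under that KEK, and on a rekey drops the departed or compromised members and sends the fresh group key wrapped once under each remaining member's KEK, which is the flat trust model with one message per remaining member. The member identifiers and all keys are constructed, and the `_wrap`/`_unwrap` helpers are an illustrative HMAC-based encrypt-then-MAC stand-in for a real authenticated cipher such as AES-GCM.

```python
import hmac
import hashlib
import secrets

KEY_LEN = 32
NONCE_LEN = 16


def _wrap(kek: bytes, key: bytes, nonce: bytes) -> bytes:
    """Illustrative key wrap (constructed stand-in for AES-GCM): XOR the key with an
    HMAC-derived pad, then authenticate nonce and ciphertext with a second HMAC."""
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, pad))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _unwrap(kek: bytes, blob: bytes):
    """Inverse of _wrap; returns None if the tag does not verify under this KEK."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + KEY_LEN], blob[NONCE_LEN + KEY_LEN:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


class GroupKeyManager:
    """Flat group trust: one KEK per member, rekey costs one wrapped message per member."""

    def __init__(self):
        self.members = {}                     # member id -> KEK agreed at registration
        self.group_key = secrets.token_bytes(KEY_LEN)
        self.epoch = 0

    def register(self, member_id: str, kek: bytes) -> dict:
        # Registration is where strong authentication must have happened already;
        # only then is the current group key released to the new member.
        self.members[member_id] = kek
        return {member_id: _wrap(kek, self.group_key, secrets.token_bytes(NONCE_LEN))}

    def rekey(self, excluded=()) -> dict:
        """Drop excluded members (left or compromised) and distribute a fresh key
        to everyone still registered. Excluded members receive nothing."""
        for member_id in excluded:
            self.members.pop(member_id, None)
        self.group_key = secrets.token_bytes(KEY_LEN)
        self.epoch += 1
        return {m: _wrap(kek, self.group_key, secrets.token_bytes(NONCE_LEN))
                for m, kek in self.members.items()}


class Member:
    def __init__(self, member_id: str, kek: bytes):
        self.id = member_id
        self.kek = kek
        self.group_key = None

    def receive(self, rekey_msg: dict) -> bool:
        """Install the group key if this rekey message carries one for us."""
        blob = rekey_msg.get(self.id)
        if blob is None:
            return False
        key = _unwrap(self.kek, blob)
        if key is None:
            return False
        self.group_key = key
        return True


def demo() -> dict:
    """Three members register; "b" leaves; the manager rekeys the rest."""
    km = GroupKeyManager()
    members = {}
    for mid in ("a", "b", "c"):
        kek = secrets.token_bytes(KEY_LEN)      # constructed per-member KEK
        m = Member(mid, kek)
        m.receive(km.register(mid, kek))
        members[mid] = m
    all_same_before = len({m.group_key for m in members.values()}) == 1
    old_key = members["b"].group_key
    msgs = km.rekey(excluded=("b",))
    delivered = {mid: members[mid].receive(msgs) for mid in members}
    return {
        "all_same_before": all_same_before,
        "rekey_messages": len(msgs),
        "delivered": delivered,
        "b_still_holds_old_key": members["b"].group_key == old_key,
        "b_has_new_key": members["b"].group_key == km.group_key,
        "a_c_have_new_key": members["a"].group_key == km.group_key == members["c"].group_key,
        "epoch": km.epoch,
    }
```

Because the departed member's KEK is simply no longer used, it cannot recover the new group key from the rekey messages, and the remaining members are not disturbed beyond installing one key. The cost of the flat scheme is that each rekey sends one message per remaining member; a hierarchical key tree reduces that to a logarithmic number of messages, which is the trade-off the passage refers to.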

  1. Computer Communications Security: Principles, Standard Protocols and Techniques, W. Ford, Prentice Hall, 1994.
  2. Security Architecture for the Internet Protocol, R. Atkinson, RFC 1825, Naval Research Laboratory, August 1995.
  3. IP Encapsulating Security Payload (ESP), R. Atkinson, RFC 1827, Naval Research Laboratory, August 1995.
  4. IP Authentication Header, R. Atkinson, RFC 1826, Naval Research Laboratory, August 1995.
  5. Internet Security Association and Key Management Protocol (ISAKMP), D. Maughan, M. Schertler, M. Schneider, J. Turner, Internet-Draft, draft-ietf-ipsec-isakmp-07.txt, 21 February 1997.
  6. Security Problems in the TCP/IP Protocol Suite, S. Bellovin, ACM Computer Communications Review, Vol. 19, No. 2, March 1989.
  7. Applied Cryptography, Second Edition: Protocols, Algorithms and Source Code in C, B. Schneier, John Wiley & Sons, Inc., 1996.