35 results about "Multicast security" patented technology

An approach for establishing secure multicast communication among multiple event service nodes is disclosed. The event service nodes, which can be distributed throughout an enterprise domain, are organized in a logical tree that mimics the logical tree arrangement of domains in a directory server system. The attributes of the event service nodes include the group session key and the private keys of the event service nodes that are members of the multicast or broadcast groups. The private keys provide unique identification values for the event service nodes, thereby facilitating distribution of such keys. Because keys as well as key version information are housed in the directory, multicast security can readily be achieved over any number of network domains across the entire enterprise. Key information is stored in, and the logical tree is supported by, a directory service. Replication of the directory accomplishes distribution of keys. Event service nodes may obtain current key information from a local copy of the replicated directory.

An approach for establishing secure multicast communication among multiple multicast proxy service nodes is disclosed. The multicast proxy service nodes, which can be distributed throughout an enterprise domain, are organized in a logical tree that mimics the logical tree arrangement of domains in a directory server system. The attributes of the multicast proxy service nodes include the group session keys that are members of the secure multicast or broadcast groups. Because keys as well as key version information are housed in the directory, multicast security can be achieved over any number of network domains across the entire enterprise. Key information is stored in, and the logical tree is supported by, a directory service. Replication of the directory accomplishes distribution of keys. Multicast proxy service nodes may obtain current key information from a local copy of the replicated directory.

A method and apparatus for data source authentication in multicast communications is provided. Multicasting a packet may be divided into two actions. The first action includes unicasting the packet from a sending member to a group controller. The second action includes multicasting the packet from the group controller to the multicast group. The packet may be unicast to the group controller with a message authentication code (MAC) that may be generated by encrypting the packet with a symmetric key that is intended to be known only to the sending member and the group controller. After authenticating the MAC, the group controller multicasts the packet to the multicast group. The group controller includes with the packet a separate MAC for substantially each receiving member of the multicast group, each encrypted by a separate symmetric key. Each symmetric key may be intended to be known only by the receiving member and the group controller.

The invention relates to a realizing system of multicast routing based on a mark and a method thereof. The realizing system at least comprises a group user, an access switching router, an universal multicast service controller, a generalized switching router, and the like, to realize the member management, the counting management and the safe relative function of a multicast user. The invention comprises a management method of a group member, a multicast adding and separating method and a multicast tree building method, wherein the management method of the group member records the multicast user and multicast group information and provides a multicast counting function and a multicast security mechanism; the multicast adding and separating method relates to the group member relationship, counting, security, and the like, of the group user, and is used for controlling the update and the maintainace of a multicast tree; and the multicast tree building method intensively builds the tree with the universal multicast service controller, as to realize the transmission of the data in a core net.

The present invention discloses a method for controlling multicast flow in passive optical network includes: receiving multicast data from the optical line terminal, determining whether the received multicast data satisfies a multicast right control condition, transmitting the multicast data to the user side if the received multicast data satisfies the multicast right control condition, or discarding the multicast data if the received multicast data does not satisfy the multicast right control condition. The present invention also discloses an optical network terminal, an optical line terminal, and a system consisting of an optical network terminal and an optical line terminal and an optical distribute network, which implement the above mentioned method. The present invention could prevent the optical network terminal from receiving illegal multicast data and enhance the multicast security of the whole passive optical network system.

The safe multicast method is a first method of using the protocol of conversation initialization to implement operation of safe multicast. The method presents a set of scheme for solving issue of safe multicast including access control of multicast source, access control for receiver, management of group key, authentication of multicast source, service statistics, and charging capability. The method includes procedures: using route in network to encrypt data of multicast to guarantee access control of service, and safe comm.; method for authenticating multicast source in two stages is adopted; when IGMP/MLD adapter layer implements the method, working mode of traditional multicast route system does not need to be changed; three expansion techniques including cluster of regional multicast control server, regional physical and logical segmentations. The expansibility is suitable to large-scale network environment, and concurrent use. The invention does not change core network.

The invention discloses a multicast security control method, a system and a transmission node. The method includes the following steps that: the transmission node receives a multicast stream data message from an upstream port; according to multicast address information and upstream port information contained in the data message, a preestablished matched upstream port item containing the multicast address information and the upstream port information are queried; if the upstream port item exists, the data message is forwarded according to a data forwarding table of a multicast group owning the data message; if the upstream port item does not exist, whether the upstream port is a preconfigured valid upstream port is judged, if yes, a new upstream port item is created according to the multicast address information and the upstream port information, the data message is forwarded according to a data forwarding table of a forwarding path corresponding to the multicast group owning the data message, and if no, the data message is discarded. The invention effectively ensures the security of an upstream node of a multicast stream and prevents the attack of invalid multicast sources on transmission nodes.

A method of supporting a security for a multicast communication is provided in a mobile station. The mobile station shares an MAK with a base station, derives a prekey based on a first parameter including the MAK, and derives a multicast security key including an MTEK based on a second parameter including the prekey, and decrypts a multicast traffic using the multicast security key.

The related HORSEI2 based building method for self-organizing network security QoS multicast route comprises: every transmitter and receiver can add the multicast security group only being checked by visits control mechanism to obtain the private and public key of HORSEI2; every node requiring for creating/receiving new security multicast dialogue data creates/adds safe QoS multicast tree, wherein the transmitter applies signature on the message generated by HORSEI2, and the receiver uses the public key for verification.

The invention discloses a routing protocol security alliance management method, which comprises the following steps that: an agent module for negotiating a routing protocol security alliance is arranged in a network element; the element provided with the agent module and a negotiation initiator of the routing protocol security alliance establish a security alliance; under the protection of the established security alliance, the element provided with the agent module and the negotiation initiator of the routing protocol security alliance negotiate the routing protocol security alliance; and the network element provided with the agent module transmits the negotiated routing protocol security alliance through a preset or set security channel. The invention also discloses a routing protocol security alliance management device and a routing protocol security alliance management system. By the invention, the routing protocol unicast and multicast security alliance can be negotiated, updated and managed, so that the problems that the routing protocol security alliance only can be configured manually and potential safety hazards are large are solved, and routing information is transmitted more safely and reliably.

The invention discloses a method for enhancing the multicast security. For the structural security, building an end-to-end virtual circuit from a multicast user to a server not only supports the existing security mechanism of Internet, but also has a unique security mechanism based on the network structure, namely, security is embedded. Using a virtual circuit indicator and hiding multicast address during the multicast process cause the attacker difficult to attack, so as to efficiently manage and control multicast data transmission. In addition, the multicast user qualification is validated, so the attacker cannot imitate a qualified member in a group to receive multicast data, so as to enhance the security of the multicast network.

The invention relates to a multicast security agent assembly and a multicast encryption management method. File encryption and decryption submodules in a multicast module serve as specific execution modules for multicast users to encrypt/decrypt messages or files, an RSA (Rivest-Shamir-Adleman) algorithm is adopted as a multicast encryption/decryption algorithm, and private keys of the users are taken as decryption keys. After system authentication, if some users in an intranet need intra-group communication, a group key formed by a product of the private keys of all the members can ensure multicast security; and when new users participate in the intranet or the old users exit the intranet, the new users can not access communication contents before accessing and the exited users can not access the communication contents after exiting through updating the group key, therefore, the functions of encryption with one key and decryption with multiple keys in a multicast group are realized. When group members change, the keys (namely the private keys) of the other users in the group do not need to be updated, thereby realizing the encryption on the multicast information, and achieving important forward secrecy, backward secrecy, inner attack resistance and the like in security multicast.

The invention relates to a domain name service (DNS) based multicast security control method and apparatus. The method comprises the steps of sending a DNS request message to a domain name server, and acquiring a multicast source DNS address list of an internet protocol television (IPTV) server; after a multicast data message delivered by the IPTV server is received, performing address verification on the multicast data message according to the multicast source DNS address list and a multicast address list maintained locally; and performing forwarding control on the multicast data message according to a verification result. Through adoption of the method, multicast source verification can be carried out effectively, multicast service streams can be controlled effectively and safely, the multicast services are guaranteed to be stable, network attacks are reduced, a complicated filtering process of the multicast source is simplified, and engineering implementation and deployment are easy.

The invention relates to the field of communications, which discloses a method for a communications system and a terminal to join a multicast broadcast service, which ensures that the terminal can be smoothly joined MBS business in order to receive the MBS business data. In the invention, the terminal acquires the MBS authorization key from an MBS service network then acquires the MBS multicast parameters and/or a multicast security key from the loading network in order to join the corresponding MBS business. Through the processes, the terminal can successfully receive the corresponding MBS business parameters based on the loading indicated by the multicast parameters, according to MBS security key that is generated by the MBS authorization key and the multicast security key. Before the MBS authorization key is issued, the MBS service network needs to certify the terminal and does not issue the MBS key to the terminal unless the certification is passed. The process that the terminal acquires the MBS multicast parameters and the multicast security key for joining the MBS business, from the loading network can be started either from the side of the network or directly from the terminal.