Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/23142
Title: | Efficient Secure Multicast Schemes Using Proxy Re-Encryption |
Author: | Yun-Peng Chiu 邱允鵬 |
Advisor: | 雷欽隆 (Chin-Laung Lei) |
Keywords: | Secure multicast, multicast key management, proxy re-encryption, Elgamal encryption algorithm, key composition |
Year of publication: | 2011 |
Degree: | Doctoral |
Abstract: | The goal of a secure multicast communication environment is to ensure that only valid members belonging to the multicast group can decrypt data. To build a practical and secure multicast architecture, we focus on scalability and containment issues. Scalability means that the processing overhead of each security operation should be minimized in terms of the number of group members. Containment means that a security breach that occurs in one subgroup does not affect other subgroups.
In this dissertation, we propose novel secure multicast schemes by exploiting a cryptographic primitive, 'proxy re-encryption.' Proxy re-encryption allows intermediate routers to convert ciphertext encrypted with one key to ciphertext encrypted with another key, without revealing the private key or the plaintext. Two schemes are proposed in this dissertation to solve the multicast security problem. The first one focuses on eliminating the key management center. Without the key management center, which is usually a single entity, this scheme also eliminates the single point of failure. It exploits the Elgamal encryption algorithm and proposes a distributed protocol for key composition. Key composition is a process in which the sender and routers collaboratively agree on encryption keys. The second scheme focuses on providing containment, and tries to minimize the impact of rekeying events. Successful containment provides better security, and also improves scalability. The second scheme is not limited to one specific cryptographic scheme. Hence, operators have the freedom to choose proper schemes. This property enhances the survivability of the whole system.
We also compare several related schemes, and discuss some security problems that we identified in them. Existing schemes that use similar techniques only use asymmetric-key algorithms, but the computational costs of the algorithms mean that the schemes are infeasible in practice. However, symmetric-key schemes cannot provide several properties that can be achieved by asymmetric-key schemes. Our schemes combine asymmetric-key and symmetric-key algorithms, so they are practical for real-world applications. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/23142 |
Full-text authorization: | Not authorized |
Appears in collections: | Department of Electrical Engineering |
Files in this item:
File | Size | Format | |
---|---|---|---|
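ntu-100-1.pdf (currently not authorized for public access) | 823.19 kB | Adobe PDF |
Items in this system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.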