Usually multimedia services can be divided into two different phases: access to the service and content distribution. The first phase usually takes place over reliable transport protocols and unicast connections. The second one is often performed over unreliable transport protocols and multicast communications.
Adding security to the first phase only needs a straight application of well known unicast security techniques. On the contrary, adding security to IP multicast requires the study of a new problem because traditional unicast solutions do not fit the new environment.
This Doctoral Thesis deals with the arising problems when security is added to multicast environments and proposes different practical solutions.
Among all the attacks to the distribution phase, eavesdropping is probably the most significant. Ciphering is the security service against eavesdropping. Multicast encryption introduces the Key Management problem in multicast.
If Perfect Forward and Backward secrecy is required the session key must be updated every time a member joins or leaves the multicast group. In huge and highly dynamic groups the unicast distribution of the session key is completely unfeasible
The contributions of this Thesis consist in different logical key tree based updating algorithms for multicast. Our proposals take advantage of pseudo-random functions and modular reduction in order to reduce required bandwidth for updating and total amount of bytes stored in the Key Server.
In many scenarios it is not worth to update the key every time a change in the membership occurs. Services as Web-TV permit a decrease in security in order to reduce bandwidth requirements for key management. In such case batch rekeying algorithms are used. This kind of algorithm process periodically all joining and leaving requests produced since the last rekeying process at once. Batch rekeying algorithms are efficient if and only if the logical tree is maintained balanced. This Thesis also proposes a batch-rekeying algorithm that leads to completely balanced trees for the whole group lifetime.
Batch processing techniques are also combined with the former contributions in order to increase efficiency.
The proposals of this Thesis are not supported by the IETF standard on Key Management for multicast secure communications (GDOI). This is mainly because this standard does not allow members to change their position in the tree while they are members of the group. Finally, an adaptation of GDOI allowing the performance of our contributions is proposed.
