Title: | A User Group Management Platform for Networked Appliances |
Authors: | 王聖全 (Sheng-Chuan Wang); 張明峰 (Ming-Feng Chang); Institute of Network Engineering |
Keywords: | networked appliances; group management |
Publication date: | 2006 |
Abstract: | With the advancement of information technology, information appliances offer an increasingly diverse range of functions, and those capable of connecting to the Internet are referred to as networked appliances (NAs). Currently, architectures for communication among NAs fall into two categories. In one, NAs communicate with each other within a LAN; in the other, NAs are accessed through a residential gateway (RGW). The former restricts users to accessing their appliances from within the LAN; the latter requires every message between NAs to be sent to the RGW, which forwards it to the destination, concentrating the load on the RGW.
We propose a platform that enables users' NAs to communicate with each other over the Internet and that organizes NAs into groups. We use dual-connection device authentication to authenticate users' NAs, and a Kerberos-like architecture to authorize service requests. The platform accommodates Personal Device Groups (PDGs) and User Groups (UGs). A PDG contains a user's own NAs, so that the user can access them conveniently and securely. A UG contains the NAs of different users, letting them share resources with one another, such as file sharing and streaming services.
For group access control, all members hold an identical group key. The group key is used for message authentication, ensuring that a message was indeed sent by a group member. In addition, we take backward and forward secrecy into account; the group key therefore has to be refreshed when a member joins or leaves a group. We base the group key agreement on the Diffie-Hellman key exchange algorithm and distribute the group key by multicast to make rekeying more efficient. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT009456556 http://hdl.handle.net/11536/82215 |
Appears in collections: | Thesis |