Thursday, September 22, 2011
A flexible framework for registration and key distribution for online distance education.
A flexible framework for registration and key distribution for online distance education. The power and utility of the Internet InternetPublicly accessible computer network connecting many smaller networks from around the world. It grew out of a U.S. Defense Department program called ARPANET (Advanced Research Projects Agency Network), established in 1969 with connections between computers at the have been proven in manycommercial, industrial, and corporate sectors. However, the effectiveapplication of the Internet in educational sectors is still beingexplored. Universities and commercial service providers must collaborateto offer distance education and teleteaching that can reach a wideaudience. This requires a flexible and secure framework with regard toregistration, certification, validation See validate. validation - The stage in the software life-cycle at the end of the development process where software is evaluated to ensure that it complies with the requirements. , and data distribution.Currently, few tools are available to fulfill ful��fillalso ful��fil ?tr.v. ful��filled, ful��fill��ing, ful��fills also ful��fils1. To bring into actuality; effect: fulfilled their promises.2. these requirements.Therefore, a project was undertaken to develop an innovative approachthat uses the existing multicast (1) To transmit data to multiple recipients on the network at the same time using one transmission stream to the switches, at which point data are distributed out to the end users on separate lines. capabilities of the Internet to provideonline distance education. This paper discusses a proposed framework andcompares it with the existing Distributed Registration and KeyDistribution (DiRK) model. SECTION 1 -- INTRODUCTION Recent developments in computer-supported communication systemshave been enormous due to the tremendous advancements in Internettechnology. The growing number of Internet applications has influencedthe personal lives of people worldwide, and has led to increased numbersof users and of systems attached to the Internet. Extraordinary changesare taking place in communication systems because of the move frompoint-to-point communication to group communication using multicasttransmission The introduction to this article provides insufficient context for those unfamiliar with the subject matter.Please help [ improve the introduction] to meet Wikipedia's layout standards. You can discuss the issue on the talk page. . Multicast transmission extends the broadcast concept ofone-to-many by allowing the sending of one transmission to many users ina defined group, but not necessarily to all users in that group. Thiscapability within networks is enabling these changes. There is littledoubt that multicast communication will become the communicationparadigm of all future networks, especially the Internet. The Internet, which originally provided no support for groupcommunication, now has an experimental network--the multicast backbone See Mbone. multicast backbone - (MBONE) A virtual network on top of the Internet which supports routing of IP multicast packets, intended for multimedia transmission. MBONE gives public access desktop video communications. (MBone)--that includes some support. Initial work on multicastcommunications paved pave?tr.v. paved, pav��ing, paves1. To cover with a pavement.2. To cover uniformly, as if with pavement.3. To be or compose the pavement of. the way for group communication (Deering, 1989).Deering proposed class D addresses that could be integrated into theInternet protocol See Internet and TCP/IP. (networking) Internet Protocol - (IP) The network layer for the TCP/IP protocol suite widely used on Ethernet networks, defined in STD 5, RFC 791. IP is a connectionless, best-effort packet switching protocol. to enable group communication. Many changes have since taken place to exploit the Internet fore-commerce applications. Using the multicast capabilities of theInternet in a secure manner for such applications requires efficient andflexible mechanisms. However, for applications such as online distanceeducation, little effort has been made to provide a practical solution.The demand for quality education is increasing. Unfortunately, theservices of universities are not made available to many who areunderprivileged and/or located in very remote areas. Moreover,universities have high operating costs operating costsnpl → gastos mpl operacionales. It is imperative that they beable to deliver their services worldwide, at a nominal cost, and to awide audience. Using current technological advancements in the Internet, this ispossible without sacrificing quality of education. Universities andcommercial service providers must collaborate to offer distanceeducation programs. To accomplish this, the enforcement of logicalsecurity mechanisms using a flexible framework is critical.Interconnected networks located in very remote areas can be used toconnect Professors to Student sites, enabling these Professors todeliver University lectures. The multicast capabilities of the Internetcan be exploited to enable only registered Students to participate inthese lectures. Existing MBone tools such as vat (visual audio tool), nv (networkvideo), vic (video conferencing See videoconferencing. (communications) video conferencing - A discussion between two or more groups of people who are in different places but can see and hear each other using electronic communications. ), and wb (white board) allow multicastconferences that are intended for very specific applications (Wittmann& Zitterbart, 2001). Currently, IP networks and some corporate ATMnetworks use multicast capabilities for their own applications.Universities could use commercial service providers to disseminate dis��sem��i��nate?v. dis��sem��i��nat��ed, dis��sem��i��nat��ing, dis��sem��i��natesv.tr.1. To scatter widely, as in sowing seed.2. lecture materials to a wide audience. This requires a scalable multicastsecurity framework that permits only registered members to use theservices. The approach proposed requires only a multicast-capable router routerPortable electric power tool used in carpentry and furniture making that consists of an electric motor, a base, two handle knobs, and bits (cutting tools). A router can cut fancy edges for shelving, grooves for storm windows and weather stripping, circles and ovals to support the underlying network. This paper proposes: * A suitable framework for online distance education. * A design for the modules and the corresponding protocol steps toenforce security. Section 2 provides the problem description. Section 3 introducesthe model and the notations used and discusses suitable protocol steps.Section 4 discusses the comparison of the existing DiRK with that of theproposed solution. Section 5 provides conclusions. SECTION 2 -- PROBLEM DESCRIPTION University lectures are typically held by registeredProfessors/lecturers and are attended by Students. In this context, therole of the University is two-fold (Oppliger & Albanese, 1996). * The University must provide the platform or infrastructure thatallows Professors and Students to interact, exchange views, and sharematerials. * The University must also issue official and legally bindingdocuments that certify cer��ti��fy?v. cer��ti��fied, cer��ti��fy��ing, cer��ti��fiesv.tr.1. a. To confirm formally as true, accurate, or genuine.b. the Students, evaluate their performance, andaward degrees to eligible candidates. This is the existing model traditionally followed by universities.Online distance education systems must be able to use the same model. Toaccomplish this, they must exploit the existing Internet multicastbackbone architecture. To enable a wide audience to access distanceeducation, the universities could use commercial service providers suchas telecommunications Communicating information, including data, text, pictures, voice and video over long distance. See communications. , cable television, or satellite companies, orInternet service providers Internet service provider (ISP)Company that provides Internet connections and services to individuals and organizations. For a monthly fee, ISPs provide computer users with a connection to their site (see data transmission), as well as a log-in name and password. (ISPs). The advantages of using commercial service providers are: * Effective utilization of network service provider infrastructuresfor public service. * Increased offerings by the providers, including coverage toremote locations. * Enrollment of many Students in the same program/class, allowinguniversities to reach a wider audience. * Flexibility by Students to choose the course, time, or module oflectures based on convenience and availability; this meets therequirements of a rural population. To ensure the reliability of the service providers, universitiesshould enter into a legal agreement with them. Service providers must betrusted third parties In cryptography, a trusted third party (TTP) is an entity which facilitates interactions between two parties who both trust the third party; they use this trust to secure their own interactions. TTPs are common in cryptographic protocols, for example, a certificate authority (CA). who can perform registration, access control,certification, validation, and key distribution on behalf of theUniversity. The University may run many courses and Students may enrollin multiple courses simultaneously with some prerequisites. Each courseis divided into various modules. A Professor may be in charge of manycourses, and subsequently of many modules. At any particular time,however, that Professor will be participating in only one module. In thesame way, Students may enroll in different courses, but take only onemodule at a time. Since the Internet has multicast capabilities, thesecapabilities could be exploited; the only problem to be addressed issecurity. Therefore, this problem could be addressed as a multicastsecurity problem. This multicast security problem has numerous aspects, many of whichare still to be explored. (Moyer, Rao, & Rohatgi, 1999; Sandro &Hutchison, 2003; Wade, Song, Poovendran, & Liu, 2003). SECTION 3 -- PROPOSED APPROACH The multicast security problems are addressed in different ways(Eriksson, 1994; Moyer, Rao, & Rohatgi, 1999; Wade et al., 2003).The approaches adopted thus far are application dependent. Some adoptcentralized cen��tral��ize?v. cen��tral��ized, cen��tral��iz��ing, cen��tral��iz��esv.tr.1. To draw into or toward a center; consolidate.2. approaches; some follow distributed approaches, depending onthe characteristics and requirements of the problem. The proposedapproach is innovative in that it follows a layering mechanism byadopting a different grouping of members. Grouping Mechanism The grouping mechanism differentiates between the majorentities--Professor and Student. Generally, the University, along withthe service provider, is responsible for access control, groupmanagement, and security management. The proposed approach follows adifferent approach. The elements of the system are arranged in threedifferent layers, with the service provider and the University occupyingthe top two layers. The Professors are considered as static members andare arranged in the middle layer; the Students as dynamic members arearranged at the bottom layer. The static members are the sub-groupheads. They are responsible for partial key control operations of thesub-group members. Figure 1 explains the grouping mechanism that isfollowed. Initially, the University identifies a particular service providerand enters into a legal agreement. After adopting the formalauthentication (1) Verifying the integrity of a transmitted message. See message integrity, e-mail authentication and MAC.(2) Verifying the identity of a user logging into a network. mechanisms, the University certifies the serviceprovider. According to according toprep.1. As stated or indicated by; on the authority of: according to historians.2. In keeping with: according to instructions.3. Eriksson, in any multicast security solution,there must be a secure delivery mechanism to distribute the data andkeys. Because they are the permanent members of the multicast group fora particular module, the Professors occupy the core routing position ofthe distribution tree with the dynamic members occupying the leafpositions. The Students are attached to a particular static member for aparticular module. The proposed model uses the cryptographic cryp��tog��ra��phy?n.1. The process or skill of communicating in or deciphering secret writings or ciphers.2. Secret writing.cryp capabilities of the communicating parties. It uses a public keycryptosystem that requires a public key to encrypt See encryption. the entire message atthe sender's side and a private key to decrypt To convert secretly coded data (encrypted data) back into its original form. Contrast with encrypt. See plaintext and cryptography. it at thereceiver's side. All Student requests are directed to theUniversity authority through the static members. The service provider isconsidered as the central controller and is responsible for thesefunctions. The controller has two components: registrar See domain name registrar. and key manager.Figure 2 explains the controller components. The registrar performs allthe initial registration and authentication functions, including issuingtokens to eligible members. The registrar also classifies the membersbased on the details, and groups them under different layers. The keymanager receives the membership join/leave requests for particularmodules, generates keys, and distributes them to the members at thebeginning of the session. The keys must be changed as the members ofeach module or session change over time. This is done to maintain theforward and backward security, which is a requirement of any securityarchitecture (Moyer, Rao, & Rohatgi, 1999; Sandro & Hutchison,2003; Wade, Song, Poovendran, & Liu, 2003). [FIGURE 1 OMITTED] [FIGURE 2 OMITTED] Keys Used Two keys are used in this protocol: the session keys and thesub-group keys. Session data is encrypted en��crypt?tr.v. en��crypt��ed, en��crypt��ing, en��crypts1. To put into code or cipher.2. Computer Science with the session key and eachsub-group has a sub-group key. The sub-group key is issued to a memberif it is a member of the sub-group. The grouping mechanism followed doesnot allow overlapping of sub-groups, as the members at a particularinstance will be part of only one module. The central controller issuesencryption The reversible transformation of data from the original (the plaintext) to a difficult-to-interpret format (the ciphertext) as a mechanism for protecting its confidentiality, integrity and sometimes its authenticity. Encryption uses an encryption algorithm and one or more encryption keys. keys to the static members to decrypt the session key and thestatic members issue the sub-group keys to the dynamic members. Thedynamic members can decrypt the session key only with the help of thesub-group keys. This is done to enforce strict security. The sub-groupkey changes on a join/leave operation of any member. Protocols The system uses four protocols: course announcement, registration,validation, and certification. Table 1 shows the major notations used inthe protocols. The important points to be noted in the design are: * The University could offer different courses. * Each course could be associated with a fixed number of modules. * Each module is covered in different sessions. * A Professor may be in charge of various courses/modules. * A Student with the necessary prerequisites may register for morethan one course. * The central controller performs registration, access control,validation, and certification in conjunction with the University and theProfessor. Course Announcement Initially the University authenticates the service provider,recognizes the Professors who are qualified to conduct courses, andissues the identification numbers. The University advertises the coursesoffered. Each course consists of various modules. The sessionannouncement message consists of lists of courses to be conducted andthe modules covered, with the sponsor certificates issued. TheUniversity digitally signs the sponsor certificates and the message. <Service provider id., [U.sub.i][much less than]SP[much greaterthan]> [k.sub.Ui.sup.-1]. <[U.sub.i] [much less than][P.sub.i][much greater than],prof.id> [k.sub.Ui.sup.-1]. <[C.sub.i], [M.sub.ij], {[U.sub.i] [much lessthan][M.sub.ij][much greater than]}>[k.sub.Ui.sup.-1]. Registration Professors may be permanent entities who have already registeredwith the University. However, a Professor, Pi, who wishes to conduct aparticular module, registers with the University. Pi randomly selects akey pair ([k.sub.Pi], [k.sub.Pi.sup.-1]) for the module, [M.sub.ij], andsends a registration request message, REG_REQ REQ RequestREQ RequiredREQ RequirementREQ Requisition _AS_PROF. The registrationrequest message includes the public key and the certificate issued tothe Professor by the University. For authentication purposes and toascertain the message origin, the message is digitally signed Any message or key that has been encrypted with a digital signature. When a user's public key is digitally signed by a certification authority (CA), it is known as a digital certificate or digital ID. See digital signature and digital certificate. with thecorresponding private key [k.sub.Pi.sup.-1]. The University sends aconfirmation message. The messages exchanged during this phase are: [P.sub.i] _ [U.sub.i] : REG_REQ_AS_PROF (<prof.id, [U.sub.i][much less than][P.sub.i][much greater than], [M.sub.ij]>[k.sub.Pi.sup.-1]). [U.sub.i] _ [P.sub.i] : REG_CONF CONF ConferenceCONF ConfidenceCONF ConfirmCONF ConfidentialCONF Configuration File (Unix file extension)CONF Configuration FailureCONF Contracting Flight (US Air Force)CONF Conference Call _AS_PROF(<prof.id,[U.sub.i][much less than][M.sub.ij][much greaterthan]>[k.sub.Ui.sup.-1]). If a Student, [S.sub.i], wants to register for a module, thatStudent also sends a registration request message, REG_REQ_AS_STUDENT,to the multicast channel associated with the lecture. A Student canregister for a particular course only if he/she has fulfilled ful��fillalso ful��fil ?tr.v. ful��filled, ful��fill��ing, ful��fills also ful��fils1. To bring into actuality; effect: fulfilled their promises.2. theprerequisites. The registrar verifies this request and issues a token. Based onthis, the University issues an admit message, which is the confirmationmessage. [S.sub.i] _ [C.sub.i] : REG_REQ_AS_STUDENT (details). [U.sub.i] _ [S.sub.i] : REG_CONF_AS_STUDENT (stud.id, [C.sub.i],[U.sub.i]<stud.id, [M.sub.ij]>)[k.sub.Ui.sup.-1]. The University sends the Students the details on the Professor ofthe particular module; it also sends the Professor a list of eligibleStudents for that module. [U.sub.i] _ [S.sub.i] : (service provider id, prof.id,[M.sub.ij])[k.sub.Ui.sup.-1]. [U.sub.i] _ [P.sub.i] : ELIGIBLE_LIST (service provider id,stud.id, [M.sub.ij])[k.sub.Ui.sup.-1]. The Student establishes communication with the Professor in chargeof the course through the service provider. The Professor delivers themodules through the selected service provider. Initially the Professorexchanges the sub-group key with the Student. The Professor can alsoverify (1) To prove the correctness of data.(2) In data entry operations, to compare the keystrokes of a second operator with the data entered by the first operator to ensure that the data were typed in accurately. See validate. the Student list when a request from a Student for messagedelivery is received. Generally, the key manager component of thecontroller handles the requests for keying and rekeying In cryptography, rekeying refers to the process of changing the encryption key of an ongoing communication in order to limit the amount of data encrypted with the same key. . The staticmembers also have key management capabilities. The materials deliveredto the Students are encrypted with the session key, which can bedecrypted only with the sub-group key issued by the Professor, thesub-group head. Changing the sub-group key in a scalable manner providesfor dynamic membership management. The method is very efficient becauseit only affects the sub-group. Validation Protocol Both the static and dynamic members periodically send aregistration validation request message, REG_VAL 1. VAL - Value-oriented Algorithmic Language. J.B. Dennis, MIT 1979. Single assignment language, designed for MIT dataflow machine. Based on CLU, has iteration and error handling, lacking in recursion and I/O. "A Value- Oriented Algorithmic Language", W.B. , to the multicastchannel that is associated with the session. The validation messages include the registration certificates alongwith the timestamp, T, which is digitally signed by theUniversity's private key. [P.sub.i] _ [M.sub.ij] : REG_VAL(prof.id, [U.sub.i]<[P.sub.i],[M.sub.ij]>, {T}[U.sub.i.sup.-1]). [S.sub.i] _ [M.sub.ij] : REG_VAL(stud.id, [U.sub.i]<[S.sub.i],[M.sub.ij]>, {T}[U.sub.i.sup.-1]). Certification Protocol Prior to taking the final examination, Student participants mustget an attendance certificate from the Professor. The registrationcertificate issued to the Students is valid only for the life of amodule. After the completion of the module, the Student is expected toapply for an attendance certificate, by sending an AC _ REQ. [S.sub.i] _ [P.sub.i]: AC _ REQ(stud.id, [U.sub.i] <[S.sub.i],[M.sub.ij]>). The registration certificate issued is stored and is verified ver��i��fy?tr.v. ver��i��fied, ver��i��fy��ing, ver��i��fies1. To prove the truth of by presentation of evidence or testimony; substantiate.2. bythe Professor, if the Student has completed the requirements. TheProfessor sends a confirmation message AC _ CONF. [P.sub.i] _ [S.sub.i]: AC _ CONF(stud.id). After processing all attendance requests, the Professor, Pi, sendsthe University the list of eligible candidates with his/her digitalsignature. [P.sub.i] _ [U.sub.i]: ELIGIBLE _ LIST(stud.id,[M.sub.ij])[k.sub.Pi.sup.-1]. SECTION 4 -- REVIEWS AND COMPARISON The proposed approach is compared with that of the DiRK, asimplemented by the University of Berne. DiRK uses four protocols. In theOppliger approach, the service provider plays a major role in thecertification and validation process. Moreover, the first registeredservice provider or the member performs most of the certificationprocess; this could raise trust issues. It adapts a decentralizedcontrol In air defense, the normal mode whereby a higher echelon monitors unit actions, making direct target assignments to units only when necessary to ensure proper fire distribution or to prevent engagement of friendly aircraft. See also centralized control. that uses service providers. In the proposed approach, themessage and communication control aspects are distributed between theservice provider and the University. The Professors, the major courseconductors, play a significant role in enforcing security, using partialkey control operations. In any University or educational system, theProfessors should be the trusted entities for evaluation andcertification. Therefore, the proposed framework is more efficient andflexible when compared to the DiRK method. The double keying methodfollowed enforces security more stringently. This double keying methodcan also be followed while issuing the certificates to the candidateswho have completed courses. As far as key management is considered, theoverhead is reasonable when compared to any hierarchical A structure made up of different levels like a company organization chart. The higher levels have control or precedence over the lower levels. Hierarchical structures are a one-to-many relationship; each item having one or more items below it. keydistribution schemes. The key distribution method is also brieflydiscussed in comparison to DiRK because it is an important aspect ofsecure multicast Secure MulticastIP Multicast is a communication method where a single data packet can be transmitted from a sender and replicated to a set of receivers. The replication techniques are somewhat dependent upon the media used to transmit the data. models. SECTION 5 -- CONCLUSION This paper has briefly discussed the role of universities indistance education. Universities may collaborate with service providersto disseminate lectures to a wide audience. A flexible and securemulticast framework can help to achieve this. The role and cooperationof the service providers is important. The entire process is discussedin three phases--registration, validation, and certification. Theexisting Internet multicast backbone can be used to handle this in adistributed manner. A comparison with an existing model is provided tohelp the reader to understand the advantages of the framework. References Deering, S. (1989). Host extensions for IP multicast A one-to-many transmission of data over an IP network. It is used for a myriad of purposes including updating routers, announcing and discovering services and streaming media. IP multicast saves network bandwidth, because packets are transmitted as one stream over the backbone and only . IEEE (Institute of Electrical and Electronics Engineers, New York, www.ieee.org) A membership organization that includes engineers, scientists and students in electronics and allied fields. ,RFC (Request For Comments) A document that describes the specifications for a recommended technology. Although the word "request" is in the title, if the specification is ratified, it becomes a standards document. 1112. Eriksson, H. (1994). MBONE: The multicast backbone. Communicationsof the ACM (publication) Communications of the ACM - (CACM) A monthly publication by the Association for Computing Machinery sent to all members. CACM is an influential publication that keeps computer science professionals up to date on developments. , 37(8), 54-60. Moyer, M., Rao, J., & Rohatgi, P. (1999). A survey of securityissues in multicast communications. Network, IEEE (13)6, 12-23. Oppliger, R., & Albanese A. (1996). Distributed registrationand key distribution (DiRK). 12th International conference onInformation Security. Wittmann, R., & Zitterbart, M. (2001). Multicast communicationprotocols and applications. San Francisco San Francisco(săn frănsĭs`kō), city (1990 pop. 723,959), coextensive with San Francisco co., W Calif., on the tip of a peninsula between the Pacific Ocean and San Francisco Bay, which are connected by the strait known as the Golden : Morgan Kaufman Publishers. Sandro, R., & Hutchison, D. (2003). A survey of key managementfor secure group communication. ACM (Association for Computing Machinery, New York, www.acm.org) A membership organization founded in 1947 dedicated to advancing the arts and sciences of information processing. In addition to awards and publications, ACM also maintains special interest groups (SIGs) in the computer field. Computing computing - computer Surveys, 35(3), 309-329. Wade, T., Song, J., Poovendran, R., & Liu, K. J. (2003). Keymanagement and distribution for secure multimedia multicast. IEEETransactions on Multimedia IEEE Transactions on Multimedia is an academic journal, published by the IEEE Computer Society, covering multimedia technology and applications. This includes circuits, algorithms and architectures, software design, synchronization, joint processing of multimedia/multimodal , 5(4), 544-557. ANNADURAI SAMUKUTTY Government Engineering college, Tirunelveli, Tamil Nadu Tamil Nadu(tăm`əl nä`d), formerly Madras(mədrăs`, mədräs`), state (2001 provisional pop. , INDIA sannalaxmi@yahoo.co.in PADMAVATHI GANAPATHI Avinashilingam Deemed University Deemed University is a status of autonomy granted to high performing institutes and departments of various universities in India. It is granted by the University Grants Commission (UGC) of India. , Coimbatore-641 043., Tamil Nadu,INDIA mail_padma@yahoo.comTable 1 Notations used in the protocol[U.sub.i] University i[P.sub.i] Professor iSP Service provider[S.sub.i] Student i[C.sub.i] Course i[M.sub.ij] Module j for course i where i, j [greater than or equal to] 1<x>y Message x is encrypted with y.(k,[k.sup.-1]) Key pairx[much less than]y[much greater than] Certificate issued by x to y
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment