Group Domain of Interpretation : English Wikipedia
Group Domain of Interpretation
Group Domain of Interpretation or GDOI is a cryptographic protocol for group key management. GDOI is specified in the IETF Standards Track document RFC 6407 and is built on the Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408) and Internet Key Exchange version 1 (IKEv1, RFC 2409). Whereas IKE runs between two peers to establish a "pair-wise security association", GDOI runs between a group member and a "group controller/key server" (GCKS, or simply the controller) and establishes a security association shared by two or more group members.
==Functional Overview==
GDOI "interprets" ISAKMP/IKE for the group security domain, alongside the pair-wise security associations that IKE already provides. An IKEv1 Phase 1 security association authenticates a GDOI member to the controller, and that protected channel carries a new type of Phase 2 exchange, GROUPKEY-PULL, in which the member requests ("pulls") the group's state from the controller. That state has two parts: the Rekey SA, whose key is the "group key" or "key encrypting key" (KEK), and one or more Data Security SAs, whose traffic encryption keys (TEKs) protect the application data itself, for example as ESP keys. The KEK is the most important state a member holds, not because it encrypts application data (it does not) but because it protects the messages that deliver and replace the TEKs. Once the Rekey SA is established, the controller can send unsolicited updates to the group security association, the GROUPKEY-PUSH exchange, over multicast, broadcast or unicast. Messages the controller originates are therefore called "push" messages and explicit requests from a member are called "pull" messages. The push is why GDOI is described as a "multicast key management system": a single multicast transmission from the controller can rekey any number of group members, whereas each member's initial registration is an individual unicast exchange.
Group key updates also serve to remove members from a group. RFC 2627 describes one group membership management algorithm, the Logical Key Hierarchy (LKH), which RFC 6407 supports: the controller arranges KEKs in a tree so that a departing member is excluded by replacing only the keys on its path to the root, so the number of rekey messages grows logarithmically with the group size, as does the number of keys each member stores. "Efficiency" here is measured in space, time and message complexity; other schemes such as subset difference make a different trade-off, storing more keys per member so that the rekey cost depends on the number of revoked members rather than on the group size. In a practical deployment, group membership management is a separate function that the controller or an AAA function invokes to remove a de-authorized member. "AAA" is authentication, authorization and accounting, typically running over an AAA protocol, but the same role can be played by a service provider's "customer care" function or a media provider's "subscriber management system". Whatever performs it must have a credential infrastructure, such as a Public Key Infrastructure using X.509 digital certificates, SPKI or some other credential type. In an X.509 environment, the provider or AAA function issues a certificate to the member; when the member attempts to join a group and "pull down" the group state, the controller validates that certificate, and the member's authorization for the group, during the GDOI Registration exchange. Note that revoking the credential only prevents future registrations; a member that has already registered is removed by rekeying the group without it.
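The two mechanisms described above, KEK-protected delivery of traffic keys and logarithmic-cost member removal with a key tree in the style of RFC 2627's LKH, are simulated below in Python. This is an added illustration, not code from RFC 6407 or from any GDOI implementation: the `Controller`, `Member`, `wrap`, `unwrap` and `demo` names, the heap-indexed binary tree and the rekey record format are assumptions made for the example, and the toy HMAC-based key wrap stands in for the real encryption and signing a GCKS applies to rekey messages. Removing member 5 from a group of 8 renews the three keys on its path and costs 2*log2(8) - 1 = 5 wrapped records instead of one unicast per remaining member; the leaver holds only stale copies of those keys, so every record and the subsequent TEK push fail its tag check.

```python
"""LKH rekey (RFC 2627) on member leave, then a GDOI-style GROUPKEY-PUSH of a fresh TEK under
the renewed KEK. Added example, not code from RFC 6407 or any GDOI product; wrap()/unwrap()
are a toy stand-in for real rekey-message protection and the record layouts are invented."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KEY_LEN = 32  # wrap() keystream is one SHA-256 block, so wrapped keys must be <= 32 bytes

def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated key wrap: nonce || ciphertext || tag (illustrative only)."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(b"enc" + kek + nonce).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the wrapped key, or None if the tag does not verify under `kek`."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(b"enc" + kek + nonce).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

@dataclass
class Controller:
    """GCKS holding a full binary key tree, heap-indexed: root = 1, children of k are 2k
    and 2k+1, member i sits at leaf n+i. The root key is the group KEK (Rekey SA)."""
    n_members: int  # a power of two, for this simple tree
    keys: Dict[int, bytes] = field(default_factory=dict)

    def __post_init__(self) -> None:
        assert self.n_members >= 2 and self.n_members & (self.n_members - 1) == 0
        for node in range(1, 2 * self.n_members):
            self.keys[node] = secrets.token_bytes(KEY_LEN)

    @staticmethod
    def path(node: int) -> List[int]:  # node, its parent, ..., root
        return [node >> i for i in range(node.bit_length())]

    def register(self, member: int) -> Dict[int, bytes]:
        """GROUPKEY-PULL result: the member's leaf-to-root keys, log2(n)+1 of them."""
        return {node: self.keys[node] for node in self.path(self.n_members + member)}

    def remove(self, member: int) -> List[Tuple[int, int, bytes]]:
        """Member leave: renew every key the leaver held except its own leaf key, wrapping each
        renewed key under each child's key. Returns (renewed node, wrapping node, blob) records."""
        leaf = self.n_members + member
        new_keys = {node: secrets.token_bytes(KEY_LEN) for node in self.path(leaf)[1:]}
        records = []
        for node in sorted(new_keys, reverse=True):  # bottom-up
            for child in (2 * node, 2 * node + 1):
                if child == leaf:
                    continue  # the leaver is sent nothing it can open
                child_key = new_keys.get(child, self.keys[child])  # renewed key if on the path
                records.append((node, child, wrap(child_key, new_keys[node])))
        self.keys.update(new_keys)
        return records

    def push_tek(self) -> Tuple[bytes, bytes]:
        """GROUPKEY-PUSH: a fresh TEK and its wrapping under the current root KEK."""
        tek = secrets.token_bytes(KEY_LEN)
        return tek, wrap(self.keys[1], tek)

@dataclass
class Member:
    member_id: int
    keys: Dict[int, bytes]  # leaf-to-root keys obtained at registration

    def apply_rekey(self, records: List[Tuple[int, int, bytes]]) -> int:
        """Open every record wrapped under a key we hold; a key learned at one level unlocks the
        next, so loop until stuck. A stale copy of a renewed key fails the tag check (that is
        what excludes the leaver). Returns the number of records opened."""
        opened, progress = set(), True
        while progress:
            progress = False
            for i, (target, wrapper, blob) in enumerate(records):
                if i in opened or wrapper not in self.keys:
                    continue
                new_key = unwrap(self.keys[wrapper], blob)
                if new_key is not None:
                    self.keys[target], progress = new_key, True
                    opened.add(i)
        return len(opened)

def demo(n_members: int = 8, leaving: int = 5) -> dict:
    """Register n members, remove one, push a new TEK, report who can still read it."""
    gcks = Controller(n_members)
    members = [Member(i, gcks.register(i)) for i in range(n_members)]
    records = gcks.remove(leaving)
    for m in members:
        m.apply_rekey(records)
    tek, push = gcks.push_tek()
    got = {m.member_id: unwrap(m.keys[1], push) for m in members}
    stayers = [m for m in members if m.member_id != leaving]
    return {
        "rekey_records": len(records),  # 5 for n=8: 1 + 2 + 2 across the three renewed levels
        "keys_per_member": len(members[0].keys),
        "stayers_have_new_kek": all(m.keys[1] == gcks.keys[1] for m in stayers),
        "stayers_got_tek": all(got[m.member_id] == tek for m in stayers),
        "leaver_got_tek": got[leaving] is not None,
    }
```

The exclusion does not rely on the leaver failing to receive the multicast: it sees every record, but each one is wrapped under a key it never held or under the renewed copy of a key it holds only in its stale form, so the controller never has to trust the network to withhold anything.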

Source: the free encyclopedia Wikipedia. The full article "Group Domain of Interpretation" can be read on Wikipedia.