Efficient Key Management Protocol for Secure RTMP Video Streaming Towards a Trusted Quantum Network

This paper presents an achievable secure videoconferencing system based on quantum key encryption in which key management can be directly applied and embedded in a server-client videoconferencing model using OpenMeeting as an example. A secure key management methodology has been proposed to ensure a trusted quantum network and a secure videoconferencing system which is presented an effective and flexible security architecture on how to share a secret keys between key management servers and distant parties in a secure domain, without transmitting any secrets over insecure channels; these keys are used for cryptographic purposes, while different keys are needed for each operation. The advantages of the proposed key management overcome the limitations of quantum point-to-point key sharing by simultaneously distributing keys to multiple users, make quantum cryptography a more practical and secure solution because it can be applied in real environments to increase video encryption performance. From the experimental result, it appears that the time required for the encryption and decryption of general 64 KB data payload is approximately 0.098 seconds, which may cause a few seconds delay in video transmission, but this proposed method bring an elegant solution that protects against adversary attacks.

Keywords: Quantum cryptography, key management, custom protocols, symmetric encryption, Real Time Message Protocol (RTMP). I. Introduction

Over the past decade, the role of videoconferencing over the Internet has grown significantly to meet human requirements.

Traditional tools such as email, phone, and face-to-face meetings are still the most popular ways of communicating and

Manuscript received July 23; revised Mar. 24, 2015; accepted Apr. 15, 2015. Montida Pattaranantakul (corresponding author, [email protected]),

Paramin Sangwongngam ([email protected]), and Chalee Vorakulpipat ([email protected]) are with the Wireless Information Security and Eco-Electronics Research Unit (WISRU), Intelligent Devices and System Research Unit (IDSRU), National Electronics and Computer Technology Center, Pathumthani, Thailand.

Aroon Janthong ([email protected]) and Kittichai Sanguannam ([email protected]) are with the IT department, Triple T Broadband Public Company Limited, Nonthaburi, Thailand.

collaborating. Today, businesses are looking to implement next-generation tools to help drive productivity in a decentralized work

environment. Videoconferencing solutions are an alternative option to fulfill this growing demand: according to a next-

generation videoconferencing white paper, 20 million workers globally will run corporate supplied videoconferencing from their

desktops by 2015, and the market will reach $8.6 billion [1].

The core technology used in a videoconferencing system is digital compression of audio and video stream in real time. At the sender’s location, a video from a camera and audio from a microphone are converted into a separate video stream and then transmitted to the receiver’s location through a public channel such as the Internet. However, general data communication services such as videoconferencing have many inherent vulnerabilities and associated security risks. Attackers can detect or capture video streams when video conferences are in session by monitoring the pattern of data transmission. They can also collect interrelated information that can be used for further analysis in terms of protocols or a set of rules on how those users communicate messages to other people. This is a critical issue, whose resolution can probably prevent data loss and corruption.

As a result, many research efforts have been aimed at designing a videoconferencing system based on security architecture. Security and quality of service (QoS) are two imperative functionalities of a successful videoconferencing system. The security mechanism must provide message integrity, confidentiality, and authentication. Besides, the QoS ingredients should provide sufficient video and audio capability for visual communication. The value of video data in sensitive applications is closely connected to the video quality and timeliness of the content in such a way that the quality evaluation results must be equivalent to a real face-to-face meeting. However, different video applications require different security levels. In general, two basic security mechanisms have focused on preserving confidentiality of video data: specific video encryption algorithms [2]-[4] aim to reduce the encryption burden and computational complexity so that only important video information is selected for encryption. Another network technology is Virtual Private Network (VPN) [5], which creates a secure network connection over a public

Efficient Key Management Protocol for Secure RTMP Video Streaming Towards a

Trusted Quantum Network

Montida Pattaranantakul, Aroon Janthong, Kittichai Sanguannam, Paramin Sangwongngam, and Chalee Vorakulpipat

The article has been accepted for inclusion in a future issue of ETRI Journal, but has not been fully edited. Content may change prior to final publication. http://dx.doi.org/10.4218/etrij.15.0114.0883

RP1407-0883e © 2015 ETRI 1

network and prevents access through encryption. Using VPN services, user information remains encrypted to prevent eavesdropping. The VPN is created by establishing a dedicated virtual point-to-point connection using virtual tunneling protocols or traffic encryptions. The benefits of VPN include authentication, message integrity, and confidentiality. Although network traffic is sniffed at the packet level, an attacker would not see any real information. There are a number of VPN protocols being used for videoconferencing such as IPsec VPN [6]-[8] and SSL VPN [9].

However, there are some drawbacks and negative aspects in using either VPN mechanism to create an encrypted tunnel or applying video encryption algorithms to scramble video contents. Regarding the security issues, creating an encrypted tunnel and performing video encryption require a number of keys to provide secure communication. The encryption encrypted keys are security measures that turn data into an unreadable cipher; without keys, the algorithm would produce no useful result. Nevertheless, most video encryption algorithms are secured based on pseudo random numbers that are created from mathematical functions and provide outputs as periodic sequences and patterns. This could be a security drawback if the keys were trapped or the patterns broken up. As a result, this could decrease key performance because it is feasible to find the next value of key generation from an existing pattern. The second problem arises in key management and security associations. The VPN is typically deployed across a public infrastructure by offering encryption services to keep data confidential from non-intended recipients. Although symmetric key cryptography is the most popular encryption algorithm used to create a VPN tunnel, it would be difficult to share the keys between two remote devices securely. As a result, the distribution and management of keys seem to be a critical problem that remains an open research area and requires further study.

In order to resolve the above problems, ensure end-to-end protection, and enhance security architecture for a videoconferencing system, additional support might be required, such as an authentication mechanism [10], a decentralized group key management [11], cryptographic algorithms [12]-[13], and a level of trust [14]-[15]. Therefore, the main contribution of this paper is a proposed new framework on how to transmit video contents over a public network such as the Internet in a secure domain. This framework has been independently concentrated into three different layers, the lowest of which is the Quantum Key Distribution (QKD) layer, which provides a mechanism for securing key exchange between two parties based on the laws of quantum physics [156]. These secret keys will be used to encrypt video streams. The next layer is the key management layer, which encompasses all activities related to the keys, such as storage, distribution, and destruction. The main function of the key management layer will be inter-operated with the QKD layer by accumulating the quantum secret keys, creating a secure channel, exchanging key information, and distributing these keys to be used for further video encryption

simultaneously; thus, the proprietary key management protocols [167] have been proposed regarding to this layer. The last layer is the application layer, where the videoconferencing system comes into play. The media data of audio and video streams are encrypted based on symmetric key encryption by using quantum secret keys as a part of the encryption process.

The rest of the paper is organized as follows. Section 2 presents the background research of quantum cryptography, which provides perfectly secure communications. Section 3 discusses the conceptual framework of trusted quantum networks in more detail in order to understand the topological structure and layered architecture. Our proposed key management framework is described in Section 4, while Section 5 presents a secure videoconferencing system based on proposed key management protocols by using quantum key encryption to ensure robust and reliable video transmission. Section 6 provides a comparative analysis between the existing structures and the proposed framework, and shows the experimental result of network throughput and data encryption performance. Finally, Section 7 features some concluding remarks and future works.

II. Background of Quantum Key Distribution

Traditional computer processing is based on a foundation of binary digits represented as a set of bit string values, in such a way that each bit must be either zero or one, while the occurrence of the two values simultaneously is not feasible. Although many techniques are used to create the bit strings, most of them fall short under the goal of true randomness. In fact, techniques of creating bit strings have been derived from mathematical equations that provide periodic patterns of the key values. Such drawbacks may break down the ideal of information security because most conventional cryptographic schemes are based on an assumption of computational difficulty; therefore, the final result can be exploited by unanticipated advances in algorithms and hardware when quantum computers [178] will become a reality.

In order to figure out the traditional weakness of pseudo random number generation, the concept of Quantum Key Distribution (QKD), usually known as quantum cryptography [156], [189]-[201] has been proposed. This technology offers a promising unbreakable way and provides secure communications over an untrusted network, in such a way that if any eavesdroppers attempt to intercept secret keys during a quantum key exchange state detectable changes in the system will occur through the introduction of abnormal high-bit error rates of the key. An important new feature of quantum cryptography is that the security of cryptographic protocols generation is based on the laws of nature and not on unproven assumptions of computational complexity theory. This characteristic becomes a bright light source that has been applied to create a strong key, stopped eavesdroppers, and increased security performance in videoconferencing systems.

III. The conceptual framework of trusted quantum


RP1407-0883e © 2015 ETRI 2

network

In general, a trusted quantum network can be divided into three different layers: the QKD layer, the key management layer, and the application layer, respectively. Our approach to a practical architecture design for trusted quantum networks consists of two quantum links and three physical nodes serving as links between three different locations that are structured as a star topology. This is illustrated in figure 1.

1. The QKD layer

The QKD layer performs quantum key generation in such a way that a way that a number of QKD devices have been configured and installed to this layer. Each device is linked together with its peer through a quantum channel in order to establish a shared secret keys. As a result, the quantum secret keys can only be shared between groups that belong to the same directed quantum link. This disadvantage of quantum point-to-point link can be solved by using a hop-by-hop forwarding paradigm, which is carried on by the key management layer.

2. The key management layer

After the quantum secret key has have been generated by the QKD layer, a pool of ordered secret bits will be forwarded to the key management layer where key management servers are installed. All tasks associated with these key management servers aim to establish a secure channel among their peers. According to our approach, a VPN connection seems like an additional mechanism used to exchange only key information such as key_id and pairing_node in order to check the correctness of the key and whether a paired user obtained the same key for cryptographic purposes, while the actual secret keys are is kept in secure storage. Consequently, the key management servers aim to provide secure key storage, transfer cryptographic keys among key management servers, perform routing, and later distribute these cryptographic keys to be used in video encryption. Using a key transfer technique based on a hop-by-hop key encryption paradigm allows a couple of users who are making requests and do not connect or belong to the same quantum link to share the same symmetric keys.

3. The application layer

The application layer is where the videoconferencing system and transparent encryption software reside. When a secure video conference session starts, all the video streams will be encrypted with quantum secret keys before they are sent out through the Internet, while the encrypted video streams will be decrypted after being received from the Internet. Therefore, various cryptographic services require a number of keys to provide secure communication.

In conclusion, to maintain key integrity and security of a quantum-trusted network, a single key management server has been approached for each physical node, based on a quantum link connection. Therefore, only peer key management servers share the same symmetric keys. These keys will be kept secure in storage until key requests are made, and automatically destroyed after distributing to authorized users who belong to the same local network of the key management server. However, only key information has been exchanged among key management servers via the VPN channel.

IV. Architecture of secure key management

On a basic level, key management deals with the secure generation, distribution, and preservation of keys, whereas these keys must be kept secret from unauthorized disclosure, misuse, alteration, or loss. Besides, the term key management encompasses the establishment of keying material to be used with a cryptographic algorithm and then to provide protocol security services, especially integrity, authentication, and confidentiality. Therefore, the key management method is an important role procedure that covers details on how to properly and securely handle cryptographic keying materials. In large-scale communication systems, secure and efficient key management schemes require complex replication and scaling architecture that are is difficult to implement. Although a number of encryption techniques have been submitted to the scrutiny of experts and pressed in and follow industry standards such as ISO [212], ANSI [223], and NIST [234]-[256], many key management applications have been proposed with their own concepts in some kind of proprietary protocols to avoid

Fig. 1. The proposed framework of a secure video conferencing system based on a trusted quantum network


RP1407-0883e © 2015 ETRI 3

further incompatibility reactions.

Presently, cryptographic key management has been utilized in many practical applications such as applying a distributed key management scheme in a quantum communication network, as it aims to maintain the integrity of the keys during data encryption. For instance, the DARPA quantum network [267], [278] relies on IPsec protocol suit and universal hash function. The SECOQC project [289], [2930] proposed a customized architecture and protocol stack for a QKD network in order to preserve efficient consumption of key materials. The idea was inspired by an Internet model consisting of Quantum Point-to-Point Protocol (Q3P) [301] and the QKDTL protocol [312]. In the meantime, the SwissQuantum project [323] has been designed and deployed to demonstrate the reliability and robustness of the QKD in modern enterprise network scenarios for encryption over Mmetropolitan Aarea Nnetworks (WAN). Recently, the Tokyo QKD network [334] was built to demonstrate eavesdropping attacks over secure video transmission. The network consists of key management agents that monitor the common keys, summarize the amount of keys in each link, and finally report back to the key management server.

4.1 Structure overview

The key management and custom protocols are the state of the art of this paper, which proposes a simple key management infrastructure for synchronizing and managing quantum secret keys among their peers, and onward distribution of symmetric keys to the corresponding applications. This paper focuses on how to utilize key management services in order to improve user satisfaction with efficient and secure support when using a videoconferencing system. Thus, the key management tasks are related to managing and distributing quantum keys in parallel based on with user requests. Our proposed key management protocol has been successfully implemented and demonstrated in a real-world test by adapting quantum secret keys for further video encryption. This key management framework has been integrated based on an existing network structure. Figure 2 illustrates an overview structure of key management.

4.2 Key management in design

The key management method has been addressed for managing and distributing a secret keys in parallel among involved parties under a secure domain. Regarding the network structure and protocol design, the core function of key management can be divided into five different protocols that depend on its operation in order to provide a framework of authentication, key exchange services, and support enhanced features of secure key management that compatible with one another protocol where it performed. The detail of each protocol can be described as follows.

A. Key Caching Protocol

Key Caching Protocol has been executed in the local site to examine whether the secret keys generated from the QKD

devices were correctly presented in the same sequence value for every record similar to its peer. The main function of the Key Caching Protocol is to ensure that for all directed quantum point-to-point links, the appearance of secret key bits must have the same value as their peers. With reference to figure 1, there are link connections from local site ‘A’ to ‘B’, and from local site ‘A’ to ‘C’. Thus, site ‘A’ must contain the same sub keys, which is similar to site ‘B’, and vice versa. In addition, this process has already added a transaction identifier number and a time out value for each key block, while the aforementioned block will be temporarily locked during the key caching process to prevent illegitimate access by other operations. The sequential steps are illustrated in figure 3. After each round is completed, all the secret keys have been finally transferred to the local key management server.

B. Key Transfer Protocol

This protocol has been employed to transfer a secret keys from one key management server to another. If In the event the end nodes do not share the same secret keys and the network structure consisting of a multilink connections based quantum channels, then the Key Transfer Protocol comes into play. Figure 4 illustrates the sequential process of the Key Transfer Protocol; for instance, node ‘A’ needs to communicate with node ‘C’ based on symmetric key encryption. A set of secret bits must be exchanged before the communication starts between node ‘A’ and node ‘C’. Firstly, node ‘A’ randomly selected a set of secret bits assigned as ‘R’: for all r1 ⊆ R{0,1}n . The aforementioned ‘R’ has been encrypted with another secret key shared between node ‘A’ and its neighbor, which is

Fig. 2. The interoperability among different custom protocols over the key management layer [16]


RP1407-0883e © 2015 ETRI 4

assumed to be node ‘X’. The corresponding ciphertext message can be calculated by this equation: c1 = r1 ⊕ kAX. This ciphertext message, ‘c1’, will be transmitted to node ‘C’ over the Internet. To decipher the ciphertext message ‘c1’, node ‘C’ has to wait for the corresponding key ‘kAX’ from node ‘A’, which is passed through the neighbor node along quantum point-to-point links using a call service from Point-to-Point Encrypted Transfer Protocol. As a result, node ‘A’ and node ‘C’ will use a shared key, 'r1', that is obtained from r1 = c1 ⊕ kAX for further secure communication in videoconferencing system.

C. Point-to-Point Encrypted Transfer Protocol

Point-to-Point Encrypted Transfer Protocol (PPETP) has been complied with and executed in the key management layer in order to solve the key problem of how to share a secret keys between two end nodes in a secure domain, where these nodes do not rely on the same directed quantum channel. The idea of this protocol takes features of the hop-by-hop mechanism to transmit a secret keys from a source to a destination across intermediate nodes. The PPETP protocol is designed to work together with the Key Routing Protocol in order to obtain an appropriate part of the network where the message is sent. Using the ‘findnexthop’ function, the source node will look for all possible adjacent nodes based on the quantum point-to-point link to consider the best transmission part for data transfer according to routing information provided by the Key Routing Protocol. When the transmission path has been identified from the source to the next hop, the corresponding key, ‘kAX’, which is used for further ciphertext decryption of node ‘C’ will be encrypted with a secret key shared between node ‘A’ and the next hop. Assuming node ‘B’ is the next hop between node ‘A’ and node ‘C’, then the corresponding key ‘kAX’ has been encrypted first with a secret key, ‘kAB’, as the key shared between node ‘A’ and node ‘B’. Therefore, the result of encryption at node ‘A’ is defined as cAB = kAX ⊕ kAB. When the

ciphertext message 'cAB' reaches node ‘B’, the decryption operation is started in order to get back key ‘kAX’ referred to as kAX = cAB ⊕ kAX, and continuously perform the encrypted message with a secret key, ‘kBC’, shared between node ‘B’ and node ‘C’, typically defined as cBC = kAX ⊕ kBC. To summarize, the process keeps continuing to perform the encryption and decryption operations along the quantum channels until it has reached the destination. At the last step, node ‘C’ uses the secret key ‘kAX’ to decrypt the ciphertext message ‘c1’ to obtain the final secret key ‘r1’, as well as inform the source node about of the successful decryption. The sequential diagram of the PPETP protocol and the overview structure of key exchange across multi hops are shown in figure 5 and figure 6, respectively.

D. Key Routing Protocol

Key routing protocol has been provided as a service to determine optimal network data transfer and communication paths over network nodes in such a way that it the communication takes the shortest path from the local subnet to the destination node. This protocol contains static route information, including the details of adjacent nodes, IP addresses that are referred to send data to the next hop, number of quantum links, and current status of routing. There is a routing table that stores route information and contains the next hop association, in which the next hop is indicated as the hop to which message is sent. This next hop performs the same look up and forwarding functions and so on, until the message reaches the destination. For the Key Routing Protocol, each node in the network knows only the IP address and the next hop information of adjacent nodes that are interconnected.

E. Key Distribution Protocol

This service provides a comprehensive connection that allows users to communicate with the key management server

Fig. 3. Key Caching Protocol

Fig. 4. Key Transfer Protocol


RP1407-0883e © 2015 ETRI 5

for quantum key requisitions, including requesting a new key for data encryption and decryption. The Key Distribution Protocol was designed based on two new buffers known as ‘In-buffer’ and ‘Out-buffer’ in order to improve the effectiveness and efficiency of the key management process. If end users request quantum keys for data encryption, then the encrypted encryption keys will be placed in the ‘In-buffer’, while the corresponding keys are automatically placed in the ‘Out-buffer’ to serve as decrypted decryption keys for decryption purposes.

To summarize, the main idea of secure key management is to overcome the limitations of the quantum point-to-point structure, since only users located in the same direct quantum link can exchange keys and perform cryptographic operations, while others cannot. Therefore, the benefits of key management protocols do not only create a trusted network, but its functions can also simultaneously offer key distribution among multiple users, even if they do not connect or belong to the same quantum link.

V. A secure videoconferencing system based on quantum key encryption for application use

Cryptographic technology is the most widely used method of keeping information secret and can also be applied to ensure secure videoconferencing. In general, most encryption mechanisms depend on the conventional cryptography model, which is based on heuristic security assumptions and not on mathematical proofs, while the security of data should depend only on the key, as it must be kept secure. One of the main drawbacks of conventional encryption is that data can still be

intercepted and decoded by someone with sufficient computing power. Quantum cryptography technology has been extensively advanced to the point that it can be used to increase security of the videoconferencing system. Therefore, quantum cryptography has become a very promising technique employed to stop eavesdroppers. The system works by first establishing a quantum secret keys that provides instructions on how to encode and decode a digital data streams, using key management services to manage the quantum keys and distribute it them to users, while the quantum keys will be then discarded after successful communication.

5.1 Understanding video streaming

Many streaming media systems are based on Real-time Messaging Protocol (RTMP) [345] for client and server communication. This is a proprietary protocol developed by Adobe Systems (formerly developed by Macromedia) that is used primarily with Macromedia Flash Media Server to stream audio and video over the Internet to the Flash Player client. It can also be used for general remote procedure calls (RPC). It is a basic data transfer protocol that works on top of the TCP/IP protocol, which is designed for high-performance transmission of audio, video, and data messages between Macromedia Flash Platform technologies. The concept of RTMP protocol may split payload data into fragments; the default fragment sizes are 128 bytes for video and 64 bytes for audio data. When RTMP data are packetized and a packet header is generated, the packet header consists of the channel id that the data to be sent, the timestamp, and the size of the packet payload. Therefore, RTMP data sent by the client on port 1935 will be encapsulated by RTMPT protocol in such a way that RTMP data are going to be tunneled inside HTTP through port 80, and afterwards sent to the destination server.

5.2 Open meetings system

Apache OpenMeetings [356] is a multi-language, customizable videoconferencing and collaboration system that provides videoconferencing, instant messaging, white board, collaborative document editing, and other groupware tools using the API functions of the Red5 Streaming Server for remoting and streaming.

Fig. 5. Point-to-Point Encrypted Transfer Protocol

Fig. 6. Hop by hop key encryption technique


RP1407-0883e © 2015 ETRI 6

This paper has integrated the OpenMeetings videoconferencing application as an example of real time video demonstration with highly secure data transmission services based on quantum key encryption over a trusted network. Considering figure 7, the network structure is connected to the videoconferencing server where it is located within a trusted network and listened to on port 1935. This the videoconferencing server will wait for user requests and perform initial handshaking to establish a network connection between the videoconferencing server and clients. When using a videoconferencing system, Therefore, all users must first login to the server according to the server’s IP address. The entire contents of data streaming have been transferred to a TCP/IP network to or from the videoconferencing server in parallel, while the data transmission rates depends on the network’s bandwidth.

5.3 Transparent encryption software

Transparent encryption software is implemented to encrypt data streams sent by users before transmission over the Internet. The features of transparent encryption provide high levels of security in such a way that it uses the power of quantum secret keys for streaming video encryption and decryption based on one-time pad (OTP) encryption algorithm. Using quantum key encryption can help increase the security performance of secure video transmission over the Internet. The idea of transparent encryption software can be divided into sub four sections.

A. Packet filter

The Packet Filter works together with the kernel in order to collect network packets being sent to and from a network interface-based iptables configuration. In this case, the transparent encryption software examines only the videoconferencing server’s IP address with port 1935, while other IP addresses passing through this network interface will

not be considered. Therefore, all packets being sent to and going from the videoconferencing server must perform data encryption.

B. Packet process

As data streams flow across the network, the packet process captures all packets passing through a network interface, and then analyzes each packet to find out the actual data payload data according to the appropriate TCP segment format. The information about data payload data has been continuously forwarded to payload encryption and decryption services to perform cryptographic operations.

C. Payload encryption and decryption

This is the process used to scramble the data payload before sending it out to the lower layer. All outgoing payloads must be encrypted with quantum keys based on OTP encryption, while all incoming payloads must be decrypted. The corresponding keys will be loaded into a queue buffer, either an ‘In-buffer’ or ‘Out-buffer’, which has been organized by the key manager.

D. Key manager

This function deals with how to manage the quantum keys and distribute them to the corresponding users within the transparent encryption domain correctly. It consists of a key provider to import and export the quantum keys to or from the queue buffer, and the Key Distribution Client Protocol that works closely with the key management server to request the quantum keys for cryptographic purposes.

In addition, transparent encryption software can install either within a client/server domain or through independent hardware encryption, but to achieve a better security result, this paper suggests the installation of a transparent encryption module as a separate part from the videoconferencing server and client

Fig. 7. Practical concepts for encrypted RTMP streams


RP1407-0883e © 2015 ETRI 7

computers to prevent Trojan attacks. As its functions, only the TCP payloads with port 1935 will be encrypted by the transparent encryption program. Nevertheless, the transparent encryption mechanism seems to be quite different from the VPN technique whereas that only selected packets are encrypted regarding transparent encryption software, while the VPN technique performs packet encryption for all incoming and outgoing messages.

VI. Security analysis and performance evaluation

In this section, we present and discuss the security analysis and performance evaluation of the proposed structure in more detail. The paper has been focused on experimental results to demonstrate a videoconferencing system in real time; hence, it has performed under a trusted quantum network environment. Moreover, this paper has included a comparative evaluation that draws a comparison between the proposed framework and the existing quantum networks at the end of this section.

6.1 Experimental result

For the experimental setup, the videoconferencing server was assigned using ‘http://192.168.20.2:5080/openmeetings’ located within the private network. The transparent encryption was separately installed on different computers located in front of the videoconferencing server and the users’ computers (see the network diagram as illustrated in the figure 1) in order to prevent insider attacks that may occur across intermediate channels between the videoconferencing server and the encryptor (this is indicated as a computer that has transparent encryption software installed inside) or users’ computers and the encryptors. It is important to keep the encryptors within visible range to maintain control and guarantee there is no attack between each intermediate contour line. Accordingly, the proposed framework does not cover certain kinds of security

breaches: in such a way that it has been designed to prevent outsider attacks only, and not insider attacks, as they are beyond the scope of this paper.

The first time users login to the system they have to fill out the authorized user account through the Wweb interface. After successfully logging in, users can communicate with other users through the OpenMeeting interface. The program provides videoconferencing, instant messaging, document sharing on a white board, screen sharing, or recording during the meeting sessions. Based on the proposed framework, users do not know of any operation that has occurred behind the back-end network. All encryption and decryption processes have received and responses responded by from the encryptors and the key management server. From our experimental result when integrating quantum key encryption with the OpenMeetings videoconferencing system, the security has been improved by analyzing the achieved security level of the proposed scheme and assessed its performance. The result has been shown that even the Wireshark program is unable to decrypt back the data content and does not understand the forms of user communication or what information they are exchanged. Without quantum key encryption mechanism, attackers could intercept all unencrypted communications occurring between two parties leading to negative impact and harmful integrity and data confidentiality. The experimental results represent the achievable secure videoconferencing system; thus, the method can increase the security performance of data streams transmission. While, figure 8, it has been shown that even the Wireshark program unable to decrypt back the data content and does not understand the forms of user communication.

6.2 Encryption efficiency analysis

The two main characteristics used to identify the efficiency of a videoconferencing system are security and the high speed of data services. Security aspects usually dealt with the

Fig. 89. Time requires for encoding and decoding in various message sizes


RP1407-0883e © 2015 ETRI 8

encryption and decryption of video streams. In this context, a OTP based quantum key encryption has been applied to fulfill the security requirements regarding the proposed framework . Throughout the above discussion on transparent encryption we have mentioned that only data payloads data would be heavily encrypted with the quantum keys; then, the encrypted payloads would be replaced back to the TCP segment before transmission through the Internet. However, there is a time delay that has been lost for encryption, decryption, and replacement. The round-trip delay between the parties in a video conference needs to be minimized, and the time delay should not exceed one second in order to support efficient video transmission. Figure 89 shows the time required for encoding and decoding by comparing different message sizes with regard to the experimental set up. This process has been tested under Ubuntu 12.04 based on an Intel (R) Xeon (R) CPU 2.67 GHz environment. According to the graph, big data sizes require longer time for encryption and decryption, but in fact, the data stream transmission technique over the Internet generally relies on the maximum payload of a TCP segment. Each TCP/IP packet supports datagrams up to the size of 65536 bytes per second, which is equivalent to 64 KB. As a result, the time required for the video encryption and decryption of a 64 KB data payload is approximately 0.098 seconds, which may have little effect on transmission delay in the videoconferencing system.

6.3 Comparative analysis of quantum networks

A prototype of a quantum network has been reported recently. It offers a clear perspective for scalability, while paving the way towards large-scale quantum networks and their application. From this point of view, the quantum networks can be illustrated in four differential aspects as illustrated in Table 1.

A. Security model

A quantum network is defined as a future technology that prevents eavesdropping attacks over optical channels and establishes a trusted quantum network for secure communication. Based on the proposed framework, the VPN technique has been officially applied to establish a private network among key management servers for exchanging key information such as key_id and pairing_node in order to check the correctness of the key and whether a paired user obtained the same keys for cryptographic purposes, while the actual secret keys is are kept in a secure storage.

B. Network topology

Figure 1 shows that the QKD layer comprises three physical nodes, node ‘A’, node ‘B’, and node ‘C’ and two optical links. Each node is connected to the central node as in the star topology. However, there is a drawback to the star topology known as central point of failure in that hence the entire network is dependent upon the central node; if it has actually failed, the network may become inoperable. Mesh topology is fault tolerant, in that it can ensure data privacy and security

because every message travels along a dedicated link.

C. Protocol design

In a traditional framework, there is still no standardization of key management protocols to provide flexible and feasible solution across quantum networks and services. Most existing projects have established a quantum network based on their own proprietary protocols. According to the proposed framework and experimental set up, six new protocols have been developed to create a field prototype of a trusted quantum network in Thailand. These protocols have been operated under the key management layer, except for the Key Distribution Client Protocol that was executed under the application layer. To summarize, the purpose of this paper is to design and develop a simple trusted quantum network to serve a secure communication platform as a videoconferencing system.

D. Key transportation

Basically, the quantum network structure has been constructed and composed from a multi point-to-point links QKD system; thus, only a quantum secret keys is are shared among the directed quantum channel. This is a limitation that appeared in the traditional model. The key management service with hop-by-hop key encryption has been adapted to expand the distance of key distribution and overcome the limitation of the quantum point-to-point link connection in the event that users who are making requests, do not belong to the same quantum link.

6.4 Foundation of cryptography

Table 2 provides synopsis of cryptographic primitives in security context, as the evidence of quantum cryptography combined with OTP encryption make the videoconferencing system more secure, efficient and privacy- enhancing solutions.

VII. Conclusion

Efficient key management protocols for secure RTMP video streaming toward a trusted quantum network present a new model on how to transmit video streams in a secure domain over the Internet. This paper has been addressed the architecture and protocols corresponding to a trusted quantum network and its applications. The framework can be divided into three layers: the first is the QKD layer, which consists of a QKD protocol, which to enables secure key distribution; the second layer is the key management layer, which introduces a new secure model of the key management method based on custom protocols. The features of key management protocols provide a secure usage model for exchanging quantum secret keys between key management servers, and distributing these related keys to authorized users in an appropriate manner for further video encryption. A video encryption algorithm with a


RP1407-0883e © 2015 ETRI 9

proprietary protocol has been dedicated along the application layer by integrating the quantum keys with the OpenMeeting

videoconferencing system to provide stronger encryption, as well as to increase data security when the video streams have been transmitted across the Internet. Therefore, the proposed methods of key management, the protocols, and a well-designed video encryption algorithm are all state of the art of this paper.

The promise of key management protocols plus their interoperability across videoconferencing system based RTMP encryption introduces a significant step toward data protection and privacy in electronic communication because the technique relies on quantum key encryption. The experimental setup has been tested in a realistic networking environment, in which a trusted quantum network has been implemented to create a secure network infrastructure. Along with key management strength, the quantum secret keys can be shared between the two end points, even if they do not connect or belong to the same quantum link. Therefore, applying hop-by-hop key encryption provides secure key transference, this a strategy that can overcome the limitation of quantum point-to-point link connection. Additionally, encrypted videoconferencing is an example of application usage that offers a perfectly feasible solution in which quantum key encryption can be used to increase security on for data protection. The secure videoconferencing system has been considered based on a strong encryption algorithm, whereas the quantum secret keys and key management are included in the system to offer fast, secure, and reliable data, voice, and video transmission that people can apply in real-life communication.

References

[1] D. Chin, “Next Generation Video Conferencing, Boosting Productivity of the Decentralized Workforce”, Palmer Research White Paper, Arkadin Global Conferencing, 2011.

[2] F. Liu and H. Koenig, “A Survey of Video Encryption Algorithms”, Computers and Security, Vol. 29, no. 1, pp. 3-15.

[3] J. Shah and Dr. Vikas Saxena, “Video Encryption: A Survey”, International Journal of Computer Science, Vol. 8, Issue 2, 2011, pp. 525-534.

[4] B. Kurht and D. Kirovski, “Multimedia Security Handbook”, CRC Press, 2004, ISBN: 0-8493-2773-3.

[5] S. Frankel, P. Hoffman, A. Orebaugh and R. Park, “Guide to Ipsec VPNs”, Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-113, 2008.

[6] J. Arturo Pérez, V. Zárate, Á. Montes and C. García , “Quality of Service Analysis of IPSec VPNs for Voice and Video Traffic”, AICT/ICIW 2006, 2006, pp. 43-48.

[7] S. Park, B. Matthews, D. D' Amours and W. J. McIver, Jr., “Characterizing the Impacts of VPN Security Models on Streaming Video”, 8th annual CNSR conference, 2010, pp. 152-159.

[8] O. Adeyinka, “Analysis of IPSec VPNs Performance in a multimedia environment”, IE' 08, 2008, pp. 1-5.

[9] C. Du, H. Yin, C. Lin and Y. Hu, “VCNF: A Secure Video Conferencing System Based on P2P Technology”, The 10th IEEE HPCC, 2008, pp. 1-5.

[10] Z. Li, X. Xu, L. Shi, J. Liu and C. Liang, “Authentication to Peer-to-Peer Network: Survey and Research Direction”, NSS 2009, pp. 115-122.

[11] W. Fumy and P. Landrock, “Principle of Key Management”, J-SAC, Vol. 11, No. 5, 1993, pp. 785-793.

[12] W. Diffie and M. E. Hellman, “New Direction in Cryptography”, IEEE Transactions on Information Theory, Vol. 22, Issue. 6, 1976, pp. 644-654.

[13] W. Stallings, “Cryptography and Network Security Principles and Practices”, 4th Edition, Prentice Hall, 2005, ISBN – 0131983164.

[14] F. Wang, Z. Xiao and J. Chen, “Research on Security of Trusted Network and Its Prospects”, ETCS 2010, 2010, pp. 256-259. [15] M. Saadi, A. Bajpai, P. Sangwongngam, and L. Wuttisittikulkij, “Design and Implementation of Secure and Reliable Communication

Table 1. Performance comparison between the differential quantum network structure

Features Key management properties based on the differential QKD networks

DARPA network SECOQC network Tokyo network Proposed network

Security model VPN encryption IKE

VPN encryption

VPN encryption

VPN encryption Secure key management

Network topology Start Mesh Mesh Star

Protocol design QKD protocol IPSec (IKE) QKD Circuit management

QKD protocol Q3P QKD-NL QKD-TL

QKD protocol Key management agent Key management server

QKD protocol Key Caching Protocol Key Transfer Protocol Point-to-Point Encrypted Transfer Protocol Key Routing Protocol Key Distribution Protocol Key Distribution Client Protocol

Key transportation Hop by hop encryption

Table 2. Security foundation of cryptographic primitives

Factors Types of algorithms DES 3DES AES OTP

Key length 56 bits 112/168 bits 128/192/256 bits

Equal plaintext sizes

Block size 64 bits 64 bits 128/192/256 bits

Key streams

Cryptographic resistance

Assumption

Assumption Assumption Information Theory


RP1407-0883e © 2015 ETRI 10

using Optical Wireless Communication”, Frequenz 2014, Vol. 98, No. 11-12, pp. 501-509.

[156] W.K. Wootters and W.H. Zurek, “A Single Quantum Cannot be Cloned”, Nature 299, 1982, pp. 802-803.

[167] M. Pattaranantakul, A. Janthong, K. Sanguannam, P. Sangwongngam and K. Sripimanwat, “Secure and Efficient Key Management Technique in Quantum Cryptography Network”, ICUFN 2012, pp. 280-285.

[178] Michael A. Nielsen and Isaac L. Chuang, “Quantum Computation and Quantum Information”, Cambridge: Cambridge University press 2000, ISBN 0-521-63503-9.

[189] S. Wiesner, “Conjugate Coding”, Sigact News, Vol. 15, No. 1, 1983, pp. 78-88.

[1920] Bennett, C. H. and G. Brassard, “Quantum Cryptography: Public Key Distribution and Coin Tossing”, Proceeding of IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India, 1984, pp. 175-179.

[201] C.H. Bennett, “Quantum Cryptography Using Any Two Non-Orthogonal States”, Physic Review Letters, Vol. 68, No. 21, 1992, pp. 3121-3124.

[212] ISO/IEC 11770-5:2011, Information Technaology – Security Techniques – Key Management – Part 5: Group Key Management, (Accessed: June 2, 2014), http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?c snumber=34937

[223] ANSI, X9.24 – Retail Financial Services Systematic Key Management – Part 1: Using Systematic Techniques, 2004, (Accessed: June 2, 2014), http://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.24-1%3A2 009

[234] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, “Recommendation for Key Management – Part 1: General (Revised)”, NIST Special Publication 800-57, 2007.

[245] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, “Recommendation for Key Management – Part 2: Best Practices for Key Management Organization”, NIST Special Publication 800-57, 2008.

[256] E. Barker, W. Burr, A. Jones, T. Polk, S. Rose, M. Smid, and Q. Dang, “Recommendation for Key Management – Part 3: Application-Sepecific Key Management Guidance”, NIST Special Publication 800-57, 2009.

[267] BBN Technaologies, “DARPA Quantum Network Testbed”, ir Force Research Laboratory, New York, Final Tech. Rep. AFRL-IF-TR-2007-180, 2007.

[278] C. Elliott, “Building the Quantum Network”, New Journal of Physics, Vo. 4, 2002, pp. 46 – 55.

[289] M. Dianati and R. Alléaume, “Architectue of the Secoqc Quantum Key Distribution Network”, ICQNM 2007, Jan 2007.

[2930] M Peev et al., “The SECOQC quantum key distribution network in Vienna”, New Journal of Physics, Vol. 11, Issue 7, 2009.

[301] O. Maurhart, “Q3P a proposal”, Secoqc Deliverable, 2006, (Accessed: June 2, 2014), http://www.secoqc.net

[312] M. Dianati and R. Alléaume, “Transport Layer Protocols for the Secoqc Quantum Key Distribution (QKD) Network”, LCN 2007, 2007, pp. 1025 -1034.

[323] Swiss Quantum, (Accessed: June 2, 2014), http://www.swissquantum.idquantique.com

[334] M. Fujiwara et al., “Field Demonstration of Quantum Key Distribution in the Tokyo QKD Network”, CLEO/IQEC/PACIFIC RIM 2011, pp. 507 –509.

[345] H. Parmar and M. Thornburgh, “Adobe’s Real Time Messaging Protocol”, Copyright Adobe Systems Incorporated, 2012.

[356] OpenMeetings, “Open-Source Web-Conferencing”, (Accessed: June 2, 2014), http://code.google.com/p/openmeetings/


RP1407-0883e © 2015 ETRI 11

Efficient Key Management Protocol for Secure RTMP Video Streaming Towards a Trusted Quantum Network

Documents

Transcript of Efficient Key Management Protocol for Secure RTMP Video Streaming Towards a Trusted Quantum Network