Source Authentication for IPTV System

Ki-Eun Shin and Hyoung-Kee Choi
School of Information and Communication Engineering, Sungkyunkwan University, Suwon, Korea

This research was supported by the MKE (Ministry of Knowledge Economy), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Advancement) (IITA-2008-C1090-0801-0028).

Abstract. Presently, the demand for IPTV, to satisfy a variety of goals, is exploding, and IPTV is coming into the spotlight as a killer application in upcoming IP convergence networks such as triple play, the delivery of voice, Internet, and video service to a subscriber. IPTV uses a Conditional Access System (CAS) that controls subscriber access to content for profit. Although the current CAS scheme provides access control via subscriber authentication, there is no authentication scheme for the content transmitted by the service provider. Thus there is a security vulnerability through which an adversary can forge content between the service provider and subscribers and distribute malicious content to subscribers. In this paper we propose an efficient and strong source authentication protocol, based on a hash tree scheme, that removes this vulnerability of the current IPTV system. We also evaluate our protocol from the viewpoint of IPTV requirements.

1 Introduction

Entertainment is big business all over the world. Annual residential cable TV revenue and the number of subscribers are increasing rapidly. High-bandwidth IP infrastructure such as VDSL, FTTH, and FTTB is now spreading, making it possible to provide high-quality and varied services. As of September 2007 the number of IPTV subscribers in Korea was over 650,000 and rapidly increasing [1]. IPTV services are initially targeted by traditional telecommunication service companies (telcos); eventually cable TV companies and network operators rush to the golden opportunity presented. IPTV provides various services, so-called triple play: the delivery of voice, Internet, and video services to a customer.

IPTV provides a bidirectional service that improves on conventional one-way broadcasting, and transfers commercial-grade SD and HD entertainment-quality and on-demand video content over IP-based networks while meeting all prerequisite quality-of-service and quality-of-experience requirements. A subscriber uses the channels and content s/he wishes to enjoy, and IPTV delivers diverse and finely subdivided content to meet these requirements. A service provider offers chargeable content at a profit and uses a Conditional Access System (CAS) [2][3] to control subscriber access to that content; that is, an authorized subscriber can access content only after subscriber authentication. For instance, a subscriber who pays for specified content can use only that content.

Although the current CAS provides access control via subscriber authentication, there is no authentication scheme for the content provided by the service provider. The current CAS protects content with a scrambling algorithm, a form of encryption, whose key, the Control Word (CW), is published to the group of authorized subscribers through a regular process. Hence any member of the authorized subscriber group, who holds the CW, can be an insider attacker: s/he can forge content and distribute it to other subscribers using the authentic CW. Thus there is a security vulnerability whereby an adversary can forge content between the service provider and subscribers and squeeze the forged content into an authentic stream. For instance, an adversary could forge stock quotes, profiting from this and causing societal problems.

In this paper we propose a novel source authentication protocol based on a hash tree scheme. It provides low authentication latency and resilience to packet loss and DoS attacks for a data stream such as live streaming or Video on Demand (VoD) provided by the service provider, which solves the vulnerability of the current CAS and provides evidence through non-repudiation in the case of subsequent disputes.

The remainder of this paper is organized as follows. Section 2 introduces related work on source authentication protocols and the requirements of source authentication for an IPTV system. Section 3 presents the CAS architecture and explains in more detail the signaling messages that matter for our protocol. Section 4 introduces the Merkle tree (MT) [4] and details our proposed protocol. Section 5 analyzes the proposed protocol from the viewpoint of security and performance, based on the IPTV system requirements. Section 6 concludes the paper.

2 Related Work

Broadcasting is an efficient way to deliver multimedia resources, such as real-time video or stock quotes, to a group of receivers, rather than unicasting, because network resources are limited. Source authentication both prevents receivers from suffering forged resources and prevents a sender from denying that it transmitted a message. Source authentication has long been an important topic in broadcasting, but source authentication for multimedia streaming is hard because of its communication and computation overhead. There have been many studies of broadcast source authentication. Park et al. proposed SAIDA [5], which provides source authentication resilient to packet loss through signature amortization. However, source verification requires buffering on the receiver side to reassemble the signature from its amortized pieces, and the reassembly has high computational overhead, which results in high processing latency.
[Fig. 1 IPTV security elements and X.805 network security layer. Elements: content provider, service provider, network, optional home gateway, IPTV terminal. Threats: content, service, network, terminal device and subscriber security threats. X.805 layers: application, service and infrastructure security layers.]

Perrig et al. proposed EMSS [6], which signs a small number of packets in a data stream to provide non-repudiation, high loss resistance, and low overhead. Each packet is linked via hash chains to a special packet that is signed. On the other hand, EMSS has high verification latency, which makes it unsuitable for real-time service, a significant requirement of IPTV.

Perrig et al. also introduced TESLA [7], which provides fast and lightweight verification through a hash chain of symmetric keys and later disclosure of those keys. However, TESLA does not provide non-repudiation and needs time synchronization between the sender and the receivers. The length of the hash chain is limited because of hash collisions, so to use TESLA with an infinite stream such as a video stream the sender has to commit to a one-way key chain and broadcast the commitment periodically.

Fig. 1 depicts the IPTV security elements and the X.805 network security layers recommended by ITU-T [8]. Since there are various security threats, we focus on content security threats such as interception, unauthorized viewing, and redistribution. IPTV has to provide real-time services such as live streaming and stock quotes. SAIDA and EMSS cannot offer real-time services because of their high processing latency, which makes subscribers wait before they can watch TV, and because forged packets squeezed into a stream cause authentic packets to fail the verification process. TESLA cannot offer non-repudiation, an important factor of source authentication for providing evidence of transmission in case of later disputes between a service provider and subscribers.

3 Conditional Access System and Requirements

IPTV has security components such as DRM and CAS. DRM is access control technology used by publishers and other copyright holders to limit the usage of digital media in order to protect the content provider's profit. Conversely, CAS is a system that limits digital media to subscribed clients according to their entitlements in order to protect the service provider's profit: it manages subscribers by granting entitlements to watch TV and controls those entitlements. Each service provider has developed its own CAS, because until now there has been no CAS standard, but CAS frameworks and fundamentals are almost universal.

[Fig. 2 Conditional access system. Service provider side: authentication server, SAS, SMS, smart card manager, off-line key distribution, X.509 certificate. Messages: the ECM carries E_AK(CW) (encryption key AK) and a signature; the EMM carries E_MPK(AK) (encryption key MPK) and a signature. CAS module in the Set-top Box, with the smart card as key manager: ECM and EMM authentication by signature check, then decryption of the CW with the AK and of the AK with the MPK.]

The CAS security component consists of scrambling and encryption for access control. CAS protects the data stream via scrambling. Fig. 2 and Fig. 3 show the CAS structure and subscriber authentication, respectively. The service provider scrambles the data stream (video and audio, carried as MPEG-2 Transport Stream (TS) packets) so that only valid subscribers can view it. An authorized subscriber recovers the original TSs by descrambling the scrambled stream.

CAS uses a hierarchical key management scheme to provide conditional access. There are three keys: the Master Private Key (MPK), the Authorization Key (AK), and the Control Word (CW). The CW is a random number used to scramble and descramble TSs. It is common to all authorized subscribers and is updated via frequent encrypted broadcasts, using the AK, to restrict illegal viewing. The AK is a type of group key used to encrypt the CW for the subscribers; the encrypted CW is sent in an Entitlement Control Message (ECM). The AK, encrypted with the MPK, is transmitted to each subscriber in an Entitlement Management Message (EMM) via unicast. The EMM carries information such as contract information for individual receivers and is sent over a relatively long period. The MPK is a secret key unique to each receiver. The service provider stores the MPK off-line in a smart card within each subscriber's Set-top Box, for instance when the Set-top Box leaves the warehouse or when the subscriber installs the Set-top Box through the service provider.

Two kinds of messages, ECM and EMM, are transmitted to control and manage the subscribers' conditional access. The ECM is injected into the TS stream by the service provider to carry entitlement information and to update the CW and AK according to the key update schedule. The subscriber descrambles the content using the CWs and AKs transmitted within the ECM and EMM, respectively. Because the ECM and EMM are the signaling messages that enable security and entitlement, the service provider signs them with a digital signature scheme to provide integrity and authenticity. The subscriber checks the validity of these messages through signature verification and is granted use of the specified content for which s/he pays.

[Fig. 3 Subscriber authentication. Parties: Subscriber, CAS, Distribution Server. Messages in order: CAS Authentication Request; Certificate, Subscriber Authentication Request; Authentication OK, Certificate; Authentication OK; Update Subscriber Information; EMM = [E_MPK(AK), AP] signed; Update OK; IGMP Join; Transport Stream by multicasting with ECM = [E_AK(CW), CP] signed; IGMP Leave.]

CAS provides an authentication scheme for the ECM/EMM and for subscriber authorization. However, there is no source authentication scheme for the stream transmitted to subscribers. Since every subscriber obtains the CW used to scramble the stream, a malicious subscriber who has no right to broadcast could forge a stream (poisoning content or distributing illegal content), re-scramble it with the CW, and transfer it to other subscribers. Thus IPTV is vulnerable to an attack that forges a stream and squeezes the forged stream into an authentic stream, causing illegal stream distribution or a DoS attack. Hence an IPTV service should provide source authentication to prevent these attacks. Furthermore, a service provider who has the authority to provide content could broadcast fabricated content to harvest an illegal profit, for instance by forging stock prices. Accordingly, source authentication for IPTV should provide non-repudiation, so that a service provider who forges content cannot deny what s/he sent.

A new source authentication protocol is needed, in place of the protocols above, to meet the requirements of IPTV. The important factors for IPTV source authentication are summarized below.

1. Each packet in the stream can be used as soon as it is received.
2. If there is packet loss, subscribers can still verify the remaining packets.
3. If there is a Denial of Service (DoS) attack from an adversary, subscribers can withstand it.
4. Source authentication for IPTV has to provide non-repudiation, so that content transmission cannot be denied.
5. Computation and communication overhead should be low, to allow flexible service such as broadcasts to mobile phones.
[Fig. 4 Structure of Merkle tree: packets P1 ... P8 are hashed to the leaves H1 ... H8; H1,2 = H(H1 || H2), H3,4, H5,6, H7,8 form the next level; H1,4 = H(H1,2 || H3,4) and H5,8 = H(H5,6 || H7,8); root = H(H1,4 || H5,8). The gray circles H4, H1,2 and H5,8 are the siblings of P3.]

4 The Proposed Protocol

IPTV source authentication should be efficient for both the service provider and the receiver in order to offer real-time broadcasts. The efficiency of the verification process on the subscriber side, where the computing power of the Set-top Box is generally limited, is more important than that of generating the authentication data at the service provider. The service provider and the subscriber have to be robust against a DoS attack, to offer stable service under attack, and must provide non-repudiation for later disputes.

Generally, a source is authenticated either with a symmetric key pre-shared between sender and receiver or with a digital signature under an asymmetric key. Symmetric key operations are faster than asymmetric ones. However, if a symmetric key is applied to source authentication in group communication, the sender and the remaining n group members must share n Pre-Shared Keys (PSKs) to distinguish the source from the other group members, and the sender has to compute n MACs (Message Authentication Codes). This is not applicable to message broadcasting because the computation and communication complexity of the MACs is O(n). Thus a digital signature scheme is the popular method of source authentication for broadcast messages. A digital signature provides adequate authentication services, including message integrity and non-repudiation, but it is too expensive to generate and verify a signature for every packet: the high verification latency on the receiver side reduces the quality of service. Hence an IPTV service requires an efficient source authentication protocol that enables real-time broadcasting. A naive solution is to sign a minimum number of packets with a digital signature scheme to minimize the number of verifications.

We propose source authentication for the data stream transmitted by the service provider that supports live streaming via a modified Merkle Tree (MT). The MT yields a set of siblings with which the receiver checks the authenticity of transmitted packets. Fig. 4 depicts an example MT. The sender constructs a binary tree for 8 packets. The hash of each packet becomes a leaf node of the MT, and each internal node is the hash of the concatenation of its left and right children; the MT is constructed by iterating this process. The root of the MT is signed with a digital signature scheme to provide source authentication for the transmitted packets. When a packet is transmitted, the packet, its corresponding siblings and the signature of the root are transmitted together. For instance, the sibling set for P3 is {H4, H1,2, H5,8}, the gray circles in Fig. 4. Thus P3, its set of siblings, and the signature of the root are delivered together, and the root can be recovered as root = H(H(H1,2 || H(H(P3) || H4)) || H5,8). The receiver verifies the packet by checking the signature of the root. Once the root is authenticated, the remaining packets of the same tree can be verified by comparing the root reconstructed with light operations such as hashing against the authenticated root.

The MT provides source authentication in the presence of packet loss because the set of siblings and the signature of the root travel with each packet, so the receiver does not have to buffer packets to verify their authenticity. This property gives resilience to DoS and pollution attacks: the receiver checks the authenticity of each packet as soon as it is received, which makes the MT suitable for authenticating a real-time broadcast service such as IPTV. However, the communication overhead per packet of the plain MT scheme is high because of the siblings and the signature, so we modify the MT to lower the communication overhead while keeping authentication latency short.

We use the MT scheme to provide source authentication for live streaming and modify how the set of siblings and the signature of the root are transmitted, because of their high communication and computation overhead. As mentioned in Section 3, the ECM and EMM, called CAS messages, are signed by the service provider to authenticate their source. Thus, if the root of the MT is included in those messages and signed together with them, only one signing process is needed for both the CAS message and the root. The signature, which the original MT scheme transmits with every packet, is therefore not included in each packet. Instead, the CAS message carries the root of the MT and the signature over the modified CAS message, and each data stream packet (TS) carries only its set of siblings. That is, we need no additional signing process on the sender side and no additional signature verification on the receiver side, and the communication overhead is slightly reduced.

[Fig. 5 Stream of proposed protocol: ECM1, TS1 W1, TS2 W2, TS3 W3, ..., TSn Wn, ECM2, TS1 W1, ... TSi is an MPEG-2 transport stream packet, Wi the set of TSi's siblings in the full binary Merkle tree, and the ECM consists of the ECM payload, H(root) and the signature over the ECM payload and H(root).]

The ECM transmission period is shorter than that of the EMM. Hence it is suitable for the service provider to sign the ECM to authenticate TSs and to reduce communication overhead. The current commercial IPTV system in Korea uses a 0.1 s transmission period for the ECM. A subscriber who wants to join the service has to wait for an ECM to obtain the CW, and an ECM packet may be lost; generally, people are impatient when they have to wait to watch TV.

The sender constructs the MT with leaf nodes that are the hashes of the TSs and signs the root of the MT together with the ECM to authenticate the root. The root is a representative value of the TSs: signing the root has the same effect as signing each TS. The service provider concatenates each TS with the set of siblings of the nodes along the path from that TS to the root, and transmits the resulting packets. Fig. 5 depicts the stream of the proposed protocol, where Wi is the set of siblings corresponding to TSi. TSs with their corresponding sets of siblings, and ECMs, are transmitted to the subscriber. For instance, if there are 8 TSs between ECM1 and ECM2, W1 is {H2, H3,4, H5,8}. The receiver first checks the signature included in the ECM to authenticate the ECM. Then it checks whether each TS is valid by comparing the root delivered in the ECM with the root it computes from the TS and Wi. If a TS is not valid, the receiver discards it without buffering. Hence there is one signature verification per tree and a few hash operations per transmitted TS.

Fig. 6 shows live streaming with the proposed protocol.

[Fig. 6 Live streaming flow, along the time axis: tree(m1) + sign, then the m1 packets are sent during one ECM period; tree(m2) + sign, then the m2 packets during the next ECM period.]

The notation tree(mi) stands for the time to construct the MT corresponding to the stream of mi packets. After the construction and signing process, the stream is transmitted to the subscribers.
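The protocol of this section, as an added example that is not the authors' code: it builds the full binary Merkle tree of Fig. 4 over constructed 188-byte TS packets, derives each Wi, puts the root into an ECM, and verifies TSs one at a time, including the lost-packet and forged-packet cases that Sections 5.2 and 5.3 claim. Assumptions not in the paper: MD5 as the hash (the authors' simulation choice in Section 5.1); an HMAC-SHA256 in place of the RSA signature on the ECM, so the script runs on the Python standard library alone (an HMAC gives integrity but none of the non-repudiation the paper relies on); the byte string `E_AK(CW) || CP` as a stand-in ECM payload; and a one-bit side flag stored with each sibling, because a verifier needs to know on which side to concatenate it, which the paper's set notation leaves implicit.

```python
import hashlib
import hmac

TS_SIZE = 188  # size of one MPEG-2 transport stream packet in bytes


class HashCounter:
    """MD5 wrapper (the hash of the authors' simulation) that counts calls so
    the operation counts of Table 1 and Table 2 can be checked directly."""

    def __init__(self):
        self.calls = 0

    def h(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.md5(data).digest()


def build_tree(packets, hc):
    """Full binary Merkle tree as in Fig. 4: levels[0] holds the leaf hashes
    H(TS_i), each internal node is H(left || right), levels[-1] == [root]."""
    n = len(packets)
    if n == 0 or n & (n - 1):
        raise ValueError("full binary Merkle tree needs 2**k leaves")
    levels = [[hc.h(p) for p in packets]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([hc.h(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def siblings(levels, index):
    """W_i: siblings of the nodes on the path from leaf `index` to the root,
    leaf level first, as (sibling_is_right, digest). For 8 leaves and P3
    (index 2) this is the paper's {H4, H1,2, H5,8}."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((sib > index, level[sib]))
        index //= 2
    return path


def root_from_packet(packet, path, hc):
    """Receiver side: one hash of the 188-byte TS plus log2(n) hashes of
    32-byte inputs (two concatenated MD5 digests), as counted in Table 2."""
    node = hc.h(packet)
    for sib_is_right, sib in path:
        node = hc.h(node + sib) if sib_is_right else hc.h(sib + node)
    return node


def make_ecm(ecm_payload, root, signing_key):
    """ECM = [payload, root, signature over payload || root]. The HMAC is a
    stand-in for the CAS's RSA signature (assumption; no non-repudiation)."""
    sig = hmac.new(signing_key, ecm_payload + root, hashlib.sha256).digest()
    return {"payload": ecm_payload, "root": root, "sig": sig}


def verify_ecm(ecm, signing_key):
    expect = hmac.new(signing_key, ecm["payload"] + ecm["root"], hashlib.sha256).digest()
    return hmac.compare_digest(expect, ecm["sig"])


def verify_ts(ecm, packet, path, hc):
    """Authenticate one TS against an already verified ECM: no buffering,
    no dependence on other packets, no extra signature check."""
    return root_from_packet(packet, path, hc) == ecm["root"]


def demo(n_packets=256):
    """Constructed stream of pseudo-random 188-byte TS packets; 256 packets
    per ECM period matches the 5 Mbps row of Tables 1 and 2."""
    packets = [(hashlib.sha256(b"constructed TS " + i.to_bytes(4, "big")).digest() * 6)[:TS_SIZE]
               for i in range(n_packets)]
    signing_key = b"stand-in for the CAS signing key"

    # Sender: build the tree, derive W_i for every TS, sign root with the ECM.
    sender = HashCounter()
    levels = build_tree(packets, sender)
    paths = [siblings(levels, i) for i in range(n_packets)]
    ecm = make_ecm(b"E_AK(CW) || CP", levels[-1][0], signing_key)

    # Receiver: one signature check per tree, then hash work only per TS.
    if not verify_ecm(ecm, signing_key):
        raise RuntimeError("ECM signature check failed")
    receiver = HashCounter()
    ok = verify_ts(ecm, packets[3], paths[3], receiver)

    # Section 5.2: TS_200 verifies although TS_4 .. TS_199 were never received.
    loss_ok = verify_ts(ecm, packets[200], paths[200], HashCounter())

    # Section 5.3: an insider holding the CW re-scrambles a forged TS and
    # reuses W_3; the recomputed root no longer matches the signed one.
    forged = bytearray(packets[3])
    forged[10] ^= 0x01
    forged_ok = verify_ts(ecm, bytes(forged), paths[3], HashCounter())

    return {"sender_hashes": sender.calls, "receiver_hashes": receiver.calls,
            "ok": ok, "loss_ok": loss_ok, "forged_ok": forged_ok}
```

With the default 256 packets the counters reproduce the 5 Mbps rows of Tables 1 and 2: the sender performs 256 hashes of 188-byte packets plus 255 hashes of 32-byte inputs (511 in total), and the receiver performs 1 + log2(256) = 9 hashes per TS, with no signature operation beyond the ECM check it already does today.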
Table 1 Number of operations and processing delay on the sender side

Stream  | Hash (188 bytes) | Hash (32 bytes) | Concatenation | Delay (ms)
5 Mbps  | 256              | 255             | 255           | 0.55
10 Mbps | 512              | 511             | 511           | 1.1121
20 Mbps | 1024             | 1023            | 1023          | 2.2217

Table 2 Number of operations and processing delay on the receiver side

Stream  | Hash (188 bytes) | Hash (32 bytes) | Concatenation | Delay (s)
5 Mbps  | 1                | 8               | 8             | (not given)
10 Mbps | 1                | 9               | 9             | 1.1121
20 Mbps | 1                | 10              | 10            | 2.2217

5 Security and Performance Analysis

5.1 Authentication Latency

Generally, block-based source authentication, which reduces the number of signature verifications at each receiver, must collect all packets of a block before it can verify their source, so its authentication latency is very high. An (m, n) coding protocol such as SAIDA [5] must collect enough of the block's packets to reconstruct the amortized signature before it can verify the source of any of them. Our protocol, in contrast, provides short authentication latency: the receiver compares the root of the hash tree, delivered in the ECM signed by the service provider, with a root computed via hash operations. There is no additional signature verification, because we reuse the ECM signing process of the current CAS. Therefore the subscriber can verify the source of the multimedia data stream with computationally light hash operations.

We simulated the additional delay on both the sender and receiver sides for providing IPTV source authentication. The simulation program is written in C and runs on a 1.6 GHz Pentium Dual Core Linux PC with the XySSL 0.9 cryptography library [9]. MD5 (128-bit output) is the hash function and RSA with a 1024-bit key is the digital signature scheme. Table 1 and Table 2 give the number of operations and the processing delay to generate authenticated packets and to verify them, respectively, according to the bit rate of the stream. Our protocol provides short authentication latency at the receiver side; on the other hand, there is a slight latency to generate the MT. However, the latency on the sender side can be reduced, because the CAS server is more powerful than a Set-top Box.

ITU-T Recommendations Y.1540 and Y.1541 [10] define QoS parameters such as IP Packet Transfer Delay (IPTD), IP Packet Delay Variation (IPDV), IP Packet Loss Ratio (IPLR) and IP Packet Error Ratio (IPER), and several QoS classes. Our protocol affects only IPTD. The IPTD bound of class 4 (multimedia service) is 1 s, and the additional delay for source authentication (the processing delay on the sender and receiver sides) is so short that it cannot influence the QoS of IPTV.

5.2 Resilience to Packet Loss

Source authentication via block-based authentication or hash chaining creates correlations between packets, so if a packet is lost the remaining packets of the block or chain may be affected. Our protocol eliminates the correlation between packets: each packet is transmitted with its set of siblings, so the receiver can compute the root, compare it with the authentic root in the ECM and verify the packet regardless of the loss of other packets. Nevertheless, if the ECM itself is lost, the packets of the corresponding tree cannot be authenticated. We do not consider this situation in our protocol, because the current CAS cannot descramble the multimedia stream without the CW transmitted within that ECM either.

5.3 DoS Resilience

An adversary can transmit forged (or randomly generated) messages to a subscriber to disturb the victim's verification process and increase the computational overhead at the receiver. With a hash chaining scheme, an adversary can mix in forged packets without the block signature so that the victim's buffer may overflow, since packets are buffered until the block signature arrives. Our protocol uses the MT to authenticate a set of packets and filters packets injected by an adversary by comparing the root of the tree in the ECM with the root computed from each packet and its set of siblings.
5.4 Non-repudiation

The service provider cannot deny having sent the packets, because of the digital signature over the set of packets. If there is a dispute between the service provider and receivers after transmission, the non-repudiation service provides legal evidence of the packets sent.

5.5 Computation Overhead

Computation overhead can be divided into the sender side (service provider) and the receiver side (subscriber). The sender needs O(n) hash operations (2n - 1 for n packets, as the counts in Table 1 show) to generate the Merkle tree, and no additional signing of the root: we sign the ECM and the root of the MT together, because the current CAS already signs the ECM. Generally, the service provider's server is a powerful machine that multiplexes and scrambles the data stream, so our focus is on reducing computation overhead and authentication latency at the receiver side. The receiver first verifies the signature of the ECM that contains the root of the MT and then verifies the source of each packet with O(log n) hash operations, comparing the computed root with the authenticated root.

Table 3 Number of hash operations and average time to find an equivalent hash output

Operation            | Hash output (8 bit) | Hash output (16 bit) | Hash output (32 bit)
Number of operations | 256                 | 65536                | 4294967296
Time (s)             | 0.00067             | 0.17391              | 3.16595

5.6 Communication Overhead

The number of siblings transmitted with each TS is O(log n), where n is determined by the ECM transmission period and the bit rate of the multimedia stream. A portion of the hash output can be used to reduce the communication overhead of the proposed protocol. The security strength of the hash depends on its output size, so reducing the output size makes the scheme vulnerable to a brute-force attack, and the service provider has to choose the hash output size according to the situation. An adversary who receives a TS before it reaches the other subscribers can forge a TS by finding one whose hash output is equivalent to the authentic one. We have to choose a hash output size that makes it infeasible for an adversary to find an equivalent hash output in time to mount this attack: the service provider should make it impossible to find an equivalent hash output within half the maximum RTT (Round-Trip Time) of the IPTV service. Table 3 shows the average time to find an equivalent hash output according to the hash output size. Hash output size and security strength are a trade-off, and a system administrator should choose an appropriate hash output size according to the importance of the data stream.
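The brute-force search for an equivalent truncated hash output that Table 3 measures, as an added example and not the authors' code. It assumes MD5 as the hash (the authors' simulation choice in Section 5.1) and keeps the leading `bits` bits of the digest as the per-packet leaf value. The authentic TS is constructed (a 0x47 sync byte, three header bytes and a stock quote, padded to 188 bytes); the insider's forged packet keeps the 4-byte header, carries a different quote and varies a trailing 8-byte counter until the truncated leaf hash matches, at which point every Wi check in the tree passes unchanged. The search is bounded at 2^(bits+8) trials, so a miss has probability about e^-256; the 32-bit column of Table 3 is left out of the runnable demonstration because 2^32 trials are impractical in Python.

```python
import hashlib

TS_SIZE = 188      # MPEG-2 transport stream packet size in bytes
HEADER_LEN = 4     # bytes left untouched, standing for the TS header (constructed)
COUNTER_LEN = 8    # trailing bytes the attacker varies


def truncated_hash(data: bytes, bits: int) -> int:
    """The leading `bits` bits of MD5(data): the leaf value a receiver would
    compare if the service provider shortened the hash output (Section 5.6)."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def find_equivalent(authentic: bytes, bits: int, payload: bytes):
    """Insider attack: build forged TS packets carrying `payload` and vary a
    counter until the truncated hash equals that of `authentic`.
    Returns (forged_packet, attempts); attempts average about 2**bits (Table 3)."""
    target = truncated_hash(authentic, bits)
    body_len = TS_SIZE - HEADER_LEN - COUNTER_LEN
    body = payload[:body_len].ljust(body_len, b"\x00")
    header = authentic[:HEADER_LEN]
    for counter in range(1 << (bits + 8)):  # miss probability about e**-256
        forged = header + body + counter.to_bytes(COUNTER_LEN, "big")
        if forged != authentic and truncated_hash(forged, bits) == target:
            return forged, counter + 1
    raise RuntimeError("no equivalent hash output found within the bound")


def demo(bits=16):
    """Constructed authentic TS carrying a stock quote; the attacker substitutes
    a different quote. With 8 or 16 retained bits the search finishes at once,
    which is why the paper bounds the attacker by half the maximum RTT."""
    authentic = (b"\x47\x00\x00\x10" + b"ACME 100.00").ljust(TS_SIZE, b"\x00")
    forged, attempts = find_equivalent(authentic, bits, b"ACME 1.00")
    return {
        "attempts": attempts,
        "truncated_match": truncated_hash(forged, bits) == truncated_hash(authentic, bits),
        "full_hash_differs": hashlib.md5(forged).digest() != hashlib.md5(authentic).digest(),
        "forged_quote": forged[HEADER_LEN:HEADER_LEN + 9],
    }
```

The full 128-bit digests of the two packets differ, so an untruncated leaf hash would reject the forgery; only the truncation makes the forged quote pass. Compare the attempt count returned for 8 and 16 bits with the first two columns of Table 3, and note that each extra bit of retained output doubles the attacker's expected work while adding only one bit per sibling to the per-packet overhead.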
6 Conclusion

We proposed source authentication protocols for the IPTV system. To the best of our knowledge there has been no source authentication protocol for IPTV until now; most proposed IPTV protocols protect the profits of the service provider and content providers rather than the subscribers. We propose a scheme that secures the subscriber's right to enjoy authentic content via source authentication of the transmitted stream and offers legal evidence for any subsequent dispute between the service provider and subscribers. Our protocol is efficient for both the service provider and the receivers, especially on the receiver side, where it provides low authentication latency suitable for live streaming because no additional signing or verification process is needed. It also preserves the QoS of the content, owing to its packet loss tolerance, and protects subscribers from DoS attacks. Despite these advantages, our protocol has a drawback: as mentioned in Section 5, its communication overhead is slightly higher because of the set of siblings transmitted with each packet. Because hash output size and the security strength of the hash function are a trade-off, the service provider has to choose an adequate hash output size according to its situation and the importance of the content.

References

1. Y. J. Won et al., "End-user IPTV traffic measurement of residential broadband access networks," Proc. IEEE NOMS Workshops 2008, Apr. 2008, pp. 95-100.
2. T. Yoshimura, "Conditional access system for digital broadcasting in Japan," Proc. IEEE, Jan. 2006, pp. 318-322.
3. B. Lu et al., "A scalable key distribution for conditional access system in digital pay-TV system," IEEE Trans. Consumer Electronics, May 2004, pp. 632-637.
4. R. C. Merkle, "A digital signature based on a conventional encryption function," Advances in Cryptology, CRYPTO '87, 1987, pp. 369-378.
5. J. M. Park et al., "Efficient multicast packet authentication using signature amortization," Proc. IEEE Symp. Security and Privacy, May 2002, pp. 227-240.
6. A. Perrig et al., "Efficient authentication and signing of multicast streams over lossy channels," Proc. IEEE Symp. Security and Privacy, May 2000, pp. 56-73.
7. A. Perrig et al., "Efficient and secure source authentication for multicast," Network and Distributed System Security Symposium, Feb. 2001, pp. 35-46.
8. ITU-T, "Security architecture for systems providing end-to-end communications," ITU-T Rec. X.805, 2003.
9. XySSL Project.
10. N. Seitz, "ITU-T QoS Standards for IP-Based Networks," IEEE Communications Magazine, Jun. 2003, pp. 82-89.