Re: How do you put a TV station on the Mbone?

[Jay Ashworth <jra () baylink com>]

----- Original Message -----
> From: "George Bonser" <gbonser () seven com>

> So using multicast for things like software updates to computers over
> the general internet to the general public probably isn't going to
> work.
> Encryption is also an issue because it doesn't really work well over
> multicast. How do I encrypt something in a way that anyone can decrypt
> but nobody can duplicate? If I have a separate stream per user, that
> is
> easy. If I have one stream for all users, that is harder. The answer
> is probably in some sort of digital signature but not really
> encryption.

Um, yeah; that'd be private key digital signature.

> Using public/private key encryption over multicast, I would have to
> distribute the private key so others could decrypt the content. If
> they have the private key, they can generate a public key to use to
> generate content.


> Encryption is probably overkill anyway. What is needed is a mechanism
> simply to say that the content is certified to have come from the
> source it claims to come from. So ... basically ... better not to use
> multicast for anything you really might have any security issues with.
> Fine for broadcasting a video, not so fine for a kernel update.

Nah; you're overthinking it.  Signed updates solve the problem just fine.

Note that Linux (SuSE/YAST/YOU) does this already.

But you *are* expanding the attack surface, and the signature/PKI 
infrastructure has to be correspondingly more robust.

Cheers,
-- jra