International Conference on Software Technology and Engineering Modules

Uttaranchal University
[2017]

A Study on Secure Group Communication

Vipin Chandra1, Shubham2, Rajat Bhatt3
1
CSE Department, Uttaranchal University, Dehradun
2
CSE Department, Uttaranchal University, Dehradun
3
CSE Department, Uttaranchal University, Dehradun
1
iamvipindevrari@gmail.com
2
spal5776@gmail.com
3
rajatbhatt500@gmail.com

Abstract - Communication security is the discipline of in preventing unauthorized interceptors of from accessing any communication
in an eavesdrop form, when two entities are communicating and do not want a third party to listen in for that they need to
communicate a way not capable to interception. In recent years, secure communication have become a very important subject of
research. The new service for wireless and wire network is to provide confidentially, authentication, authorization and data integrity.
Infect, security services are necessary to protect basic applications in each and every field especially, in banks and defence.

Keywords - Group Communication, Authentication Control, Security Policy, Encryption, Security Services, Security Methodology.

whether verbal or nonverbal, are important to groups because

I. INTRODUCTION
This is paper on secure group communication and
security over the network. We describe concept of security
and trying to describe how to protect, it is essential to know
what we are trying to protect like we are protecting a
communication. We start with discussion of the basic concept;
group communication. Many people sometimes say that group
communication is that when we are communicating things in
any group or organization. We describe here the group
communication. We also trying to describe authentication
control and discussion about the typical controls like password
length, password complexity, account restriction etc. We
discuss security policy development and a good security
policy will not be much more complicated because it must be
easily accessible to its audience. The security must be concise
an easy to read in order to be effective. We then discuss the
five steps to better security in secure group communication.
The five-steps process, followed carefully in order helps
ensure that security effort address important, specific problem
in a controlled ,effective manner and that security costs are
managed and appropriate to the values of the assets they
protect. These We discuss why security is required and
techniques of security. There are two techniques of security;
cryptography and stenography. Both play important role in
security. We also discussion about the security methodology
and the three modes of security can be applied to any situation,
and those are the three Ds; defense, deterrence and detection.
The main purpose of this paper is to aware about security and
discuss about another things related to the security.
II. GROUP COMMUNICATION
The term "group communication" refers to the messages
that are exchanged by group members. These messages,
it is through the exchange of messages that group members
participate, maintain the group identity, determine goals,
motivate participation, and do the many things that keep the
group intact. Group communication is used for replication of
services & data and service discovery. There are some issues
in group communication like reliability and ordering[1].
There are two types of group communication:
• Broadcast (message sent to everyone)
• Multicast (message sent to specific group)
III. AUTHENTICATION CONTROL
Authentication is the process by which people prove
that they are who they say they are. In the real world , we do
this quite frequently by using our driver's license, passport or
even a mutual acquaintance to prove identity. It’s interesting
that the driver’s license, a non-digital expression of identity,
actual fulfils the information security goals of providing at
least two factor authentication. Two factor authentication is an
authentic system that is based on at least two of the
following[2]:
• Something you have
• Something you are
• Something you know
This was not always the case. For many years, the
driver’s license did not require a photo ID. It was a much
weaker form of identification, because it require only
something you had (the license), and it was often abused.
Computer security similarly need stronger controls than
simple password (something you know), but it is difficult to
move the vast majority of system to something stronger, and
there is little agreement on what that “something stronger”
should be.
 International Conference on Software Technology and Engineering Modules
In any case, ample of tools are available to eventually
compromise password if the machine is in the physical
possession of the attacker, or if the attacker can obtain
physical possession of the password database. Every system
should be physically protocol, but where a centralized
database of accounts exists, extra precautions should be taken.
In addition user training and account controls can strengthen
password and make the attacker’s job harder – perhaps hard
enough that attacker will move on to easier pickings.
Authentication Controls
In addition to understanding and choosing strong
authentication algorithms and training users to create and use
strong passwords, authentication controls can be used to
enforce a strong password policy. There are some typical
controls[3]:
1) Password Length: A number of characters can
be assigned as the minimum password length.
The maximum password length is limited by the
operating system. Opinions vary, but commonly
recommended number is seven or eight
characters. This is based on compromise
between a longer password being more difficult
to crack , and too long password being more
difficult to crack , and a too-long password
inevitably being written down by the user
because it is too long to remember, and thus
being more available for theft.
2) Password Complexity or Filters: Some systems
allows you to set password filters. When a
password is changed, the new password is
evaluated for its adherence to some standard or
is compared to known weak passwords.
Passwords are rejected if they don’t meet the
system standard. For example ,a password filter
might require that password use three of the
following character types: uppercase and
lowercase characters, numbers, and special
symbols.
3) Password History: When users are required to
frequently change their password, they may
tempted, in spite of a strict policy to the
contrary, to reuse password . A password history
requirement prevents the reuse of a password by
remembering the last few passwords for each
user. This provides a list against which any new
password of user may be checked. Previously
used password that are recorded in the list will
be rejected. How many previous password the
system remembers can be set of the system –
Uttaranchal University
[2017]
numerous sources advise a password history of 9
to 15.
4) Maximum Password Age: Users may be
required to change their password on a regular
schedule. This can be accomplished by
specifying a number of days after which user
must change their password. A typical
recommendation is 30 days.
5) Account Restriction: Limiting user access to
system is an important component of security.
Some systems allow restrictions as to the time of
the day and the workstations at which a
particular account can be used.
6) Account Lockout: When a password-cracking
attack is directed at specific accounts, an attacker
may eventually deduce the password. To limit
the possibility that this will happen, account
lockout parameters can be set to lock out the
account after the number of logon tries. The
current recommendation is to set this number
high perhaps 30 or so, so that simple fumble-
fingered mistakes on the part of valid user does
not result in an account lockout. An additional
concern is that an attacker could run an attack on
the entire account list, and if an account lockout
is set, lock all accounts, which would result in
successful denial of service attack. While this is
possible, such attacks are not currently being
reported.
IV. SECURITY POLICY DEVELOPMENT
A security policy should not be developed only by an
Information Technology organisation. It should be a joint
effort among all the organisations that will be affected by its
rules. A good security policy will not be much more
complicated because it must be easily accessible to its
audience. The security must be concise an easy to read in
order to be effective. Whether its audience is all employees ,
management, or support staff, the policy need to be readable
and understandable so that everyone can fulfil there correct
role and apply the security policy to there daily efforts. The
security policy is a part of hierarchy of management controls.
Its scope is defined by a scope definition, which is
performance is advance of a development of the security
policy. The needs of the business drive the principles of the
security policy, and the security policy defines parameters that
are used in building computers, networks, and data storage
infrastructure. The overall approach is to begin with what and
why, proceed to the how, when, and when other details. The
security policy tells its audience what must be done. A
 International Conference on Software Technology and Engineering Modules
security policy is the essential foundation for an effective and questions helps define the business requirement and leads the
comprehensive security program. A security policy should be
in written form. It provides instructions to employees about
what kinds of behaviour or resources usage are require and
acceptable, and about what is forbidden and unacceptable[4].
Fig. 1 Security policy audience
A security policy gives clear instructions to IT staff
and security professionals about how to restrict authority and
enact access controls, authentications methods, privacy
practices, and accounting techniques. A security policy also
provides information for all employees about how to help
protect their employer's assets and information, and it
provides instructions regarding acceptable ( and unacceptable )
practices and behaviour. A security policy is the primary way
in which management's expectations for guidance to the
people building, installing, and maintaining computer
systems, so they don't have to make those decisions by
themselves. A security policy does not specify technologies or
specific solutions; it defines a specific set of intentions and
conditions that will help protect a company's assets to conduct
business. We can say a security policy is the statements of
responsible decision-makers about how to protect a company's
physical and information assets. In its basic form, a security
policy is a documents that describes a company's or
organization's security controls and activities.
Security policies often include rules intended to:
• Preserve and protect valuable, conferential, or
proprietary information from unauthorized access
of disclosure.
• Limit or eliminate potential legal liability from
employees or third parties.
• Prevent waste or inappropriate use of organisation
resources.
There are five steps to better security in secure group
communication[4]. The five-steps process, followed carefully
in order helps ensure that security effort address important,
specific problem in a controlled ,effective manner and that
security costs are managed and appropriate to the values of the
assets they protect.
Before undertaking any security effort , ask the
following question. This inquire is part of the analysis phase
that should be part of any implementation effort. These
Uttaranchal University
[2017]
implementation .To the solution that fits those business
recruitment.
A. Assets
What is to be protected? Identifying the assets
that will be protected by security measures in a
critical first steps in any security implementation.
Failure to ask this question may lead to inadequate
security controls, security control that protect the
wrong thing. For example, designing are an e-
commerce web site, asking this question may lead to
designer to identify the following as need to
protected: Customer name and address, credit cards
number, web server availability. Encryption of the
network connection, location date on a separate
database and encrypting that data , a firewall with
denial – of – service protection capability , and
redundant web servers and needed to protect these
things. Failure to ask this question may lead to the
designer to forget about encryption, especially in the
database or redundancy or denial – of – service filters.
The answer to this question is a simple list of assets
to be protected .
B. Risks
What are the threat vectors vulnerabilities and
risks? After the assets to be protected have been
identified in question 1, the threat to those assets
should be enumerated along with their possible
sources. The vulnerabilities associated with the
assets that might be exploited by the threat should
then be discovered. The risks, which are the
likelihood and cost of each realized threat, should
also be identified. Together these 3 factors provide
information necessary to determine its security
controls to consider, where they might be placed
(for example, inside or outside the firewall, on the
network, or on servers), and how much to spend on
them
(based on the expected loss identified in the risk
analysis, if may not make sense to spend more
money on a security control then the asset is worth,
or the cost of realized threat).The answer to this
question is the result of a risk analysis.
C. Protections
How will the assets be protected? Once the
business requirement have been identified and
documented as question 1, and the risk analysis has
been completed based on question 2, the security
practitioner can then consider the actual policies,
process, and technique that will be used to provide
appropriate level of production to the asserts against
their associated threat vectors. The security
practitioner can then be assumed that they are well
positioned for success in their security
implementation. Some protections will be provided
 International Conference on Software Technology and Engineering Modules
procedurally, that is, by providing user and
administrator with instructions about how to conduct
their business, along with appropriate enforcement.
Some protection will be provided by defensive
technology such as firewall, access control device,
filtering software, authentication mechanism,
encryption, and the like. Other protections will be
provided by detective and deterrent controls, such as
monitoring software and manual monitoring by
administrators, which is then used by Human
Resource to correct employee behavior. The answer
to this question is the list of general techniques that
will used to protect the assets.
D. Tools
What will done to ensure that protection? Given
the broad categories of protection identified by
question 3,a specific selection of tools follow. At this
stage, a product evaluation takes place, usage
policies are identified where needed and procedure
that must be documented are defined. The answer to
this question is the list of protective steps that will be
taken.
E. Priorities
In what will be protective steps be implemented?
Once the tools and techniques to protect the assets
from the threats have been identified, and assuming
the organization does not have enough resources to
implement everything simultaneously, priorities
should be assign to each tools and technique, so they
can be implemented in a reasonable order. Turning
on a web server before installing a firewall may be a
good idea; instead, installing a firewall first, then
hardening the web server, then implementation
encryption on,may make the most sense. The details
vary for each environment, these five questions,
asked in order, help the implementer to consider all
the factors that should lead to a successful
implementation.
V. TYPES OF SECURITY AND SECURITY SERVICES
Generally security can be categorised under the
following headings to make a secure group communication[5]:
A. Hiding the content or nature of a
communication.
B. Hard to trace routing methods – through
unauthorized third-party systems, or relays.
C. Hiding the fact that a communication takes
place.
D. Security by obscurity is similar to needle in a
haystack.
E. Hiding the parties to a communication –
preventing identification, promoting
anonymity.
F. Encryption
Uttaranchal University
[2017]
It is a technique which is widely used in
computer networks to enhance security. It
makes plain text unintelligible by means of
some types of reversible encoding scheme
developed around a private key known only to
the transmitter and receiver.
G. Random Traffic
It is use to creating random data flow to
make the presence of genuine communication
harder to detect and traffic analysis less
reliable.
There are five services which are provided
to make secure group communication in
computer network:
A. Confidentiality
Confidentiality means that the message
should be confidentiality. The transmitted
message must make sense to only the intended
receiver. To all others, the message must be
garbage. When a customer communications
with her bank, she expects that the
communication is totally confidential. It
specifies only the sender and the intended
recipient should be able to access the contents
of message. Confidentially gets compromised
if an unauthorized person is able to access a
message. Example of compromising the
confidentiality of message is show in Figure.
Here the user of computer A sends a message
to user of computer of B. (Actually, from here
onwards, we shall use the term A to mean the
user A, B mean user B etc, although we shall
just show the computers of user A, B etc).
Fig. 2 Loss of Confidentiality
Another user C gets access to this message,
which is not desired and therefore, defeats the
purpose of confidentially. Example of this
could be a confidential email message sent by
A to B, which is accessed by C without the
permission or knowledge of A and B. This
type of attack is called as interception.
 International Conference on Software Technology and Engineering Modules
Interception causes loss of message
confidentially.
B. Integrity
When the content of a message are change
after the sender send it, but before it reaches
the indented recipient we say that the integrity
of a message is lost. For example suppose you
create a check for $100 to pay for the goods
bought for US. However when you see your
next account statement, you are stated to see
that the check resulted in payment $1000. This
is the case for the loss of message integrity.
User C temper with the message integrity sent by
sent by user A, which is actually design for user
B. User C somehow manage to access it, access
it to change it to user B. User B has no way to
knowing the content the content of message
where change another user. A has sent it. User
A also does know about the change. This type of
check is called modification.
Fig. 3 Loss of integrity
C. Authentication
Authentication mechanisms help establish
proof of identities. The authentication process
ensures that the origin of a electronic message
or document is correctly identified. For
instance, suppose that user C sends an
electronic document over the Internet to user
B. However, the trouble is that user C had
posed as user A when the sent this document
to user B. How would user B know that the
message has come from user C, who is posing
as user A? A real life example of this could be
the case of a user C, posing as user A, sending
a funds transfer request to bank B. This
concept is shown in Fig 4.
Uttaranchal University
[2017]
Fig. 4 Absence of authentication
D. No repudiation
Message no repudiation means that a
sender must not be able to deny sending a
message that he or she, in fact, did send. The
burden of proof falls on the receiver. This
concept is shown in Fig 5.
Fig. 5 Establishing non repudiation
VI. SECURITY TECHNIQUES
The actual implementation of security goals needs
some techniques. Two techniques are prevalent today; one is
very general (cryptography) and one is specific
(stenography)[6].
A. Cryptography
Some security mechanism listed in the
previous section can be implemented using cryptography.
Cryptography, a word with Greek origins, means "secret
writing". However, we use the term refer to the science and art
of transforming message to make them secure and immune to
attack. Although in the past cryptography referred only to
the encryption and decryption of message using secrete keys,
today it is define as involving three distinct mechanism:
symmetric - keys encipherment, asymmetric - key
decipherment, and hashing. We will briefly discuss these
mechanisms here.
1) Symmetric- Key Encipherment: In symmetric- key
encypherment (sometimes called secrete- key
encipherment or secrete key cryptography), an entity,
say Alice, can send a message to another entity, say
Bob, over an insecure channel with the assumption
that an adversary, say Eve, cannot understand the
content of the message by simple eavesdropping over
the channel. Alice encrypts the message using an
 International Conference on Software Technology and Engineering Modules
encryption algorithm; Bob decrypts the message
using a decryption algorithm. Symmetric - key
encipherment uses a single secrete key for both
encryption and decryption. Encryption / decryption
can be thought of as electronic locking. In
symmetric - key enciphering. Alice puts the message
in a box and locks the box using the shared secrete
key; Bob unlocks the box with the same key and
takes out the message.
2) Asymmetic- Key Encipherment: In asymmetric- key
encipherment (sometimes called public- key
encipherment or public- key cryptography), we have
the same situation as the same situation as the
symmetric- key encipherment, with a few exception.
First, there are two keys instead of one: one public
key and one private key. To send a secured message
to Bob, Alice first encrypts the sage using Bob's
public key. To decrypt the message, Bob uses his
own private key.
3) Hashing: In hashing, a fixed- length digest is
created out of a variable- length message. The digest
is normally much smaller than the message. To be
useful, both the message and the digest must be sent
to Bob. Hashing is used to provide check values,
which was discussed earlier in relation to providing
data integrity.
B. Steganography
Another technique that was uses for secret
communication in the past is being revived at the present time:
steganography. The word steganography with the origin in
Greek, means "cover writing", in contrast with cryptography,
which means "secret writing". Cryptography means
concealing the content of a message by enciphering while
stenography means concealing the message itself by covering
it with something else.
1) Historical Views: History is full of facts and myths
about the use of steganography. In China war
message were written on thin piece of silk and rolled
into a small ball and swallowed by the messenger. In
Rome and Greece message were carved on piece of
wood, that were dipped into wax to cover the writing.
Invisible inks (such as onion juice or ammonia salts )
were also used to write a secrete message between
the lines of the covering message or on the back of
the paper; the secrete message was exposed when the
paper was heated or treated with another substance.
2) Modern Use: Today, any form of data, such as text,
images , audio or video can be digitized, and it is
possible to insert secrete binary information into the
data during digitization process. Such hidden
Uttaranchal University
[2017]
information is not necessarily used for secrete; it can
also used to protect copy write, prevent tampering, or
add extra information.
3) Text Cover: The cover of secrete data can be text.
There are several ways to insert binary data into an
announces text. For example, we can use single space
between words to represent the binary digit 0 and
double space to represent binary digit . The following
short message hidden the 8- bit binary representation
of the letter A in ASCII code (01000001).
VII. SECURITY METHODOLOGY
Security is just about keeping people out of your
network. Security access into your network in the way you
want to provide it, allow people to work together. There are
many branches of security. If you consider the field of
security as a hierarchy, you have "security" at the root and
many branches leading outward from that. For example,
national security, information security, and economic security
may be considered subsets of the entire discipline of security.
Beneath those are more sub divisions. Under this heading, we
are considering network security which is a subset of
information security, which is a subset of security ( see Figure
6). The field of security is concerned with protecting general
assets. Information security is concerned with protecting
information and information resources, such as books, faxes,
computer, and voice communications. Network security is
concerned with protecting data, hardware, and software on a
computer network. These definitions are important because
they demonstrate the hierarchical relationship of network
security in relation to other branches of security. A focus only
on the security of computers leads to blind spots that attackers
might leverage to bypass the protective mechanisms employed
on the network. It is important to consider network security in
the context of its relationship to other security divisions, as
well as to the rest of enterprise[7].
Fig. 6 The hierarchy of security specializatons
 International Conference on Software Technology and Engineering Modules
The Three Ds of Security
The field of information security evolves constantly,
but the foundations of good security practice have not
changed throughout history. If you are to succeed in
protecting your assets, you must consider the lesson learned
from successful security strategies, as well as those learned
from poor ones. The basic principles apply equally well to any
situation or environment, regardless of whether you apply
them to defend computers, networks, people, houses or any
other assets[7].
Three modes of security can be applied to any situation, and
those are the three Ds of our security:
• Defense
• Deterrence
• Detection
Defense is often the first part of security that comes
to mind, and it is the easiest for people to understand. The
desire to protect ourselves seems almost instinctive, and
defense usually precedes any other protective efforts.
Defensive measures reduce the likelihood of a successful
compromise of value able assets, thereby lowering risk and
potentially saving the cost of incidents that might otherwise
not to be avoided. Conversely, the lack of defensive measures
leaves valuable assets exposed, inviting higher costs due to
damage and loss. However defense is only one part of a
complete security strategy. Many companies (perhaps most
companies) rely only on a firewall to defend their information
assets, and these companies are vulnerable because they are
ignoring weakness in the other modes of security – deterrence
and detection.
Deterrence is the second mode of security. Deterrence
is the idea behind laws against breaking into and entering a
house, assaulting another person, and entering a computer
network without authorization—are all illegal and are
punished with varying sentenced success. Deterrence is often
considered to be an effective method of reducing the
frequency of security compromises, and there by the total loss
due to security incidents. Without the threat deterrence offers,
attackers who otherwise might have thought twice may go
ahead and cause damage. Many companies implement
deterrent control for their own employees, using threats of
discipline and termination of violations of policy.
The third mode of security, and often the last
commonly implemented on computer networks, is detection.
Relying on defense or deterrence, the security strategy often
neglects the detection of crime in progress. Many people
consider an alarm system sufficient to alert passers-by of an
attempted violation of a security parameter (such as using an
alarm for a house or car) and they rarely employ security
enforces, who are trained to respond to an incident , to
monitor these alarm systems . Without adequate detection, a
security breach may go unnoticed for hours, days, or even
forever.
Uttaranchal University
[2017]
Consider personal security to network security s a
useful exercise. The principles of both are the same. In fact,
network security relies on the same principles as any other
branch of security.
Consider the three Ds of security in terms of house.
What would you do if you had something valuable in your
house (such as diamond ring) that you wanted to protect while
providing access? You would want to use all three modes. For
defense, you would lock your doors and use modern key
management key management technology to allow access to
those you wish to authorize. For deterrence, you would expect
your lawmakers to pass laws, and you might use other
methods to discourage the theft of your valuables, such as
keeping dogs and or other detection technology to alert you
the instant a breach occurs.
Each of the three Ds is equally important, and each
complements the others, as shown in figure 7. A defensive
strategy discourages attempts to undermine the business goals
and processes and keeps the corporate efficiency focused on
productive efforts.
Fig. 7 The three Ds of security
VIII. CONCLUSIONS
In this paper we presented the Secure Group
Communication, in which we describe that how security play
an important role in communication. We also describe about
authentication, which is the process by which people prove
that they are who they say they are and two factor
authentication is an authentic system that is based on at least
two; something you have & something you are. We also
describe in this paper how to control the authentication and
types of authentication control like password length, password
complexity, account restriction, account lockout etc. The
security must be concise an easy to read in order to be
effective. The security policy is a part of hierarchy of
management controls. Its scope is defined by a scope
definition, which is performance is advance of a development
of the security policy. The needs of the business drive the
principles of the security policy, and the security policy
defines parameters that are used in building computers,
networks, and data storage infrastructure. There are five steps
 International Conference on Software Technology and Engineering Modules
to better security in secure group communication; assets, risks,
protections, tools and priorities. As we know security is very
sensitive issue, the main idea is to have group members
actively participate to the security of the “multicast group”.
Since, the group security is distributed among the group
members. We are focus on the security in this paper like that
security policies, security services, security techniques and
security methodology. The goal of this paper presentation is
that to aware the people about secure group communication
and security.
ACKNOWLEDGEMENT
You are see only the name of us as a author of
this paper, but actually this text would never be
complete without the help of many talented people.
Allow us to offer some heartfelt words of thanks to the
many people who made this paper possible. First and
foremost, thanks to all of our classmates at Uttaranchal
University Dehradun, We have the pleasure of studying
with them. You all are extremely talented people and We
Uttaranchal University
[2017]
learn many things from all of you. Special thanks to
Kapil Joshi for his help to made this paper possible. Last
but not least, thanks to our family and friends who help
us to complete this paper.
REFERENCES
[1] Andrew S. Tanenbaum, Vrije University, Amesterdam; Computer
Networks, 4th Ed., 2003.
[2] Andrew S. Tanenbaum, David J. Wetherall; Computer Networks, 4th
ed., Vrije University, University of Washington, 2012.
[3] Uyless D. Black, Computer Networks: Protocols Standards And
Interfaces 2nd Ed, Prentice Hall, United States, 1996.
[4] Jerry FitzGerald, Alan Dennis, Business Data Communications and
Networking, The University of Michigan, 1995.
[5] Atul Kahate; Cryptography and Network Security, 2nd Ed, Head
Technology, Practice PrimesouringTM Division i-Flex Solutions
Limited, Pune,2003.
[6] Behrouz A. Forouzan; Cryptography and Network Security, 2 reprint ,
New Delhi, New York, 2009.
[7] Roberta Bragg Mark Phodes-Ousley Keith Strassberg with Brian
Buege, Glen Carty, Bernard Chapple, Anil Desai, Thomas Knox, Nick
Efford; Network Security: The Complete Reference, 3rd reprint, New
York, 2005.