Authenticated Multicast

Unicast vs Multicast

HTTP, the foundation of any data exchange on the Web, is a unicast service: a pairwise forward link and return link are established to a server for each client. Unlike television, the internet was never designed for video delivery, and today's streaming and telecommunications infrastructure delivers it with considerable inefficiency.

Multicast is one-to-many communication in which many parties on the network consume a single shared stream, such as live video or a shared file. It significantly improves network efficiency by eliminating redundant copies of the same traffic, and it lets networks scale without compromising quality of experience (QoE).

Challenges of Multicast on the Web

However, multicast transmission comes with its own challenges. Unlike unicast, multicast delivery does not always provide a return path to the sender, and its high routing complexity makes it harder for network operators to deploy, which limits content and service availability.

Another major limitation of multicast is security. Compared to unicast communication, multicast and broadcast introduce new security challenges. Many multicast and broadcast applications need "data origin authentication" (DOA), also called "source authentication", to guarantee that a received message originated from a given source and was not manipulated in transit. In unicast communication, a pairwise security association between one sender and one receiver provides data origin authentication using symmetric-key cryptography (such as a message authentication code, MAC): because the communication is strictly pairwise, the sender and receiver agree on a key known only to the two of them. In a group, the symmetric-key approach shares a single key among all members. This does not provide data origin authentication, since any member holding the group key can compute a valid MAC and impersonate the sender. If the stream is public, the origin of a message cannot be established unless the sender buffers windows of packets and digitally signs them, and that signing and verification adds latency and battery drain for the end user.

Authenticated Multicast at Blockcast

Blockcast removes the need for advanced multicast routing: an overlay multicast service and an edge cache deliver regular unicast services directly within the access network. Content providers are likewise spared the complexities of multicast while still using Blockcast's OpenCaching API, a standard IETF CDN interconnection interface. Our controller then generates the appropriate configurations for DVB-mABR, 5G-FeMBMS, and ATSC 3.0 datacasts.

To address the security limitation of multicast, we use Timed Efficient Stream Loss-Tolerant Authentication (TESLA) to quickly and efficiently verify the integrity of services delivered over the Real-Time Transport Object Delivery over Unidirectional Transports (ROUTE) protocol, which is critical to prevent the spread of misinformation through fake and malicious content. TESLA relies mainly on symmetric cryptography and time-delayed key disclosure to achieve the asymmetry property required for data origin authentication: each packet carries a MAC computed under a key that the sender publishes only after the packet has been received, so a receiver that checks arrival time can be sure no one else knew the key when the MAC was made. These verifications are cheap to compute and can be performed on low-end devices with minimal resources, at latencies on the order of milliseconds.
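As an added illustration of the mechanism described above (example code written for this page, not Blockcast's implementation and not the ROUTE/TESLA wire format), the following Python model shows a one-way key chain, a MAC under a key disclosed d intervals later, the receiver's safe-packet check, and verification of each disclosed key back to the signed commitment. The seed, interval numbers and segment payloads are constructed sample values; time is modelled as an integer interval index.

```python
import hashlib, hmac

def f(key):   # one-way function linking chain keys: K_{i-1} = f(K_i)
    return hashlib.sha256(key).digest()

def key_chain(seed, n):   # [K_0, ..., K_n]: K_n is the seed, K_0 the commitment
    chain = [seed]
    for _ in range(n):
        chain.append(f(chain[-1]))
    return chain[::-1]

def mac(key_i, payload):   # MAC key K'_i = F'(K_i), a second PRF distinct from f
    k_prime = hmac.new(key_i, b"tesla-mac", hashlib.sha256).digest()
    return hmac.new(k_prime, payload, hashlib.sha256).digest()

def send(chain, d, i, payload):   # packet i: MAC under K_i, plus K_{i-d} disclosed d intervals late
    return (i, payload, mac(chain[i], payload), chain[i - d] if i >= d else None)

class Receiver:
    def __init__(self, commitment, d):
        self.keys, self.d = {0: commitment}, d   # verified chain keys by interval index
        self.pending, self.ok = [], []           # buffered packets, authenticated payloads
    def receive(self, pkt, now):
        i, payload, tag, disclosed = pkt
        if now >= i + self.d:   # safe-packet test: K_i may already be public, so the MAC proves nothing
            return False
        self.pending.append((i, payload, tag))
        if disclosed is not None:
            self.accept_key(i - self.d, disclosed)
        return True
    def accept_key(self, j, kj):
        last = max(self.keys)
        if j <= last: return
        derived, k = {}, kj
        for idx in range(j, last, -1):   # hash down the chain until the last verified key
            derived[idx], k = k, f(k)
        if k != self.keys[last]:         # forged key: does not chain back to the commitment
            return
        self.keys.update(derived)
        for i, payload, tag in [p for p in self.pending if p[0] in self.keys]:
            if hmac.compare_digest(mac(self.keys[i], payload), tag):
                self.ok.append(payload)  # tampered packets fail the MAC and are dropped
        self.pending = [p for p in self.pending if p[0] not in self.keys]

def demo():
    chain, d = key_chain(hashlib.sha256(b"constructed seed").digest(), 8), 2
    r = Receiver(chain[0], d)   # K_0 delivered out of band (digitally signed in practice)
    for i in range(1, 9):
        idx, payload, tag, disclosed = send(chain, d, i, b"segment %d" % i)
        if i == 6: payload = b"TAMPERED"   # modified in flight; MAC and disclosed key unchanged
        r.receive((idx, payload, tag, disclosed), now=i)
    return r.ok, r.receive(send(chain, d, 3, b"segment 3"), now=9)  # late: K_3 already public
```

Segments 1 to 5 authenticate once their keys are disclosed, the tampered segment 6 is discarded when K_6 arrives, and the late copy of segment 3 is refused outright because its key is already public.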