An Efficient Authentication and Key Distribution Protocol for Multicast Service in Space-Ground Integration Network

Satellite communication technology has attracted the attention of researchers in the study of the sixth-generation (6G) mobile communication network because of its advantages of achieving global coverage with high cost-effectiveness and not being affected by terrain factors and human activities. In order to achieve efficient interconnection between terminals and networks, integrating satellite communication networks and ground communication networks to construct the Space-Ground Integration Network (SGIN) is a new development trend of communication technology. Multicast service is widely used by network service providers to provide business services to users. Since space communication has higher delay and less stable links than the ground network, if the ground multimedia multicast security protocol is applied directly to space communication, it is difficult to guarantee the efficiency of the corresponding business service. The existing security protocols in the space information network are usually designed to ensure the security of end-to-end communication, and there are few studies on the security of multimedia multicast services. In view of the above situation, we design a new multicast service security protocol for the SGIN to realize secure and efficient transmission in multicast services. In the protocol, we first design a key derivation scheme for the shared key between the UE and the BM-SC based on the existing 5G-AKA mechanism. Then, we propose a group-based multicast service registration mechanism. Finally, we propose a secure and efficient key distribution and update process for the multicast service group key based on the Chinese Remainder Theorem (CRT). The formal verification tool Scyther is employed to analyze the security of the proposed protocol, and the results show that our scheme has valid security properties.
We analyze the performance of the scheme by comparing it with existing schemes in three aspects: signaling overhead, computational overhead, and bandwidth overhead. The comparison results show that our scheme is superior to the other existing schemes. Finally, we build an experimental environment and test the delay, transmission rate, and CPU usage of the proposed system. The results show that our scheme improves the efficiency of multicast services while ensuring network security.


Introduction
With the rapid development of ground communication network technology for large-scale applications, users not only have more diversified demands on network service types but also have higher requirements on quality of service. Since the coverage of the ground network is limited by the construction conditions and maintenance costs of ground infrastructure in different regions, satellite communication technology has attracted extensive attention in the planning of the 6G mobile communication network for its features of easy global coverage, negligible impact of terrain and human activities on the ground, and low cost of global coverage compared with ground networks [1].
At present, the high-throughput Geosynchronous Earth Orbit (GEO) satellite is the main carrier of satellite communication services. GPS, GLONASS, BeiDou, Galileo, and other satellite navigation systems mainly use Medium Earth Orbit (MEO) satellites to provide positioning and navigation services for ground mobile terminals. Since SpaceX launched the first batch of Starlink satellites in 2019, the large-scale satellite network technology in Low Earth

(2) A group-based multicast service registration mechanism is proposed. Massive numbers of users can initiate multicast service registration requests to the BM-SC at the same time, which largely reduces computational overhead and bandwidth overhead. In addition, signaling conflicts can be avoided when massive numbers of users access the BM-SC to obtain multicast services at the same time. (3) The secure and efficient distribution of the multicast service group key is completed by using the Chinese Remainder Theorem (CRT). It simplifies the key layering mechanism, improves the efficiency of key management, and ensures the security of multicast service data transmission. (4) A dynamic update mechanism for the multicast service group key is proposed to ensure that a newly added member cannot obtain the previous multicast service data, and an exiting member cannot obtain the subsequent multicast service data. (5) We use the formal verification tool Scyther to analyze the security of the scheme, and the results show that our scheme has good security properties. (6) Compared with the existing schemes in terms of signaling overhead, computational overhead, and bandwidth overhead, the comparison results show that our scheme has superior performance. (7) Finally, we built an experimental environment according to the proposed scheme and tested the delay, transmission rate, and CPU usage of the system. The results show that our scheme improves the efficiency of multicast services on the premise of ensuring network security.
This work is structured as follows. Section 2 mainly describes the existing research related to the security protocols of the SGIN. Section 3 introduces the Chinese Remainder Theorem. Section 4 establishes the system model according to the requirements of the network multicast service. In Section 5, a new security protocol for the network multicast service in the SGIN is designed. The security analysis of the proposed protocol is described in Section 6. In Section 7, we present the performance analysis. The conclusion is outlined in Section 8.

Related Work
SGIN security not only involves the security strategies adopted by the ground segment and the space segment respectively but also includes the fusion of security protocols when information is transmitted across domains. The service security protocols in the ground mobile network are relatively mature, mainly using the 4G MBMS security protocol and the 5G-AKA mechanism released by the 3GPP committee. The security technology of satellite communication has developed relatively slowly. The published security protocols mainly include the Space Communication Protocol Specification-Security Protocol (SCPS-SP) [11] and Space Data Link Security (SDLS) [12] formulated by the Consultative Committee for Space Data Systems (CCSDS), the Digital Video Broadcasting (DVB) series security protocols [13] proposed by the European Telecommunication Standards Association (ETSI), the Bundle Security Protocol (BSP) in the Delay-Tolerant Network (DTN) [14], and the GEO-Mobile Radio (GMR) [15] security design mainly for high-orbit narrow-band satellite mobile communication systems. Since the communication frequency, bandwidth, and power resources of satellite networks are severely limited, it is necessary to reduce protocol redundancy while increasing network security. Therefore, designing a multicast service security protocol for the SGIN, characterized by a large-scale, heterogeneous, and highly dynamic topology, is challenging. The existing classical satellite network security protocols mainly design security strategies for data encryption, authentication, access control, and privacy protection at the data link layer or network layer to achieve the confidentiality and integrity of data and prevent the illegal use of network resources. SCPS-SP is applied between the network layer and the transport layer in the system. After processing the Transport-Protocol Data Unit (T-PDU), it is encapsulated into a Security-Protocol Data Unit (S-PDU).
According to the different security requirements of users, it provides end-to-end data confidentiality, integrity, and authentication security services for these T-PDUs. However, the single encryption algorithm and uniform level of security protection in SCPS-SP are difficult to adapt to the data security guarantee of multinetwork integration. SDLS is implemented through an additional security sublayer between the data link layer and the network layer. It provides security services including authentication, encryption, and authenticated encryption but does not provide security guarantees against denial of service and traffic analysis. The DVB-RCS2 protocol standard [16], as the first industry standard proposed for satellite interactive applications, defines a security architecture that can provide channel activity information protection, control and management information protection, Network Control Centre (NCC) and Return Channel via Satellite Terminal (RCST) authentication, antijamming, and ground intercept probability functions. However, the protocol has a hidden danger of man-in-the-middle attack. The DTN research group proposed a delay-tolerant message-oriented overlay architecture, which is the Bundle layer between the transport layer and the application layer.
The Bundle Security Protocol (BSP) provides DTN with a basic security mechanism including end-to-end security and hop-by-hop security. Because the DTN network cannot establish a path from the source node to the destination node before data transmission, it is difficult to achieve routing security and multicast security using BSP. The GMR standard protocol refers to the 2G/3G system protocol of the ground cellular network. The GMR standard protocol mainly includes the following security functions: International Mobile Subscriber Identity (IMSI) confidentiality, IMSI authentication, user data confidentiality, signaling information element confidentiality, and International Mobile Equipment Identity (IMEI) confidentiality. The rapid iteration of ground mobile communication technology drives satellite mobile communication to adapt to the new 5G or the future 6G mobile communication system protocol.
In recent years, several key technologies such as encryption, authentication, and key management have been improved in satellite security protocols [17][18][19][20][21][22][23][24][25][26][27][28]. Arezou et al. proposed a three-factor user authentication and session key protocol based on elliptic curve cryptography [17]. The scheme provided reliable temporary secrets, resistance to leakage attacks, and perfect forward secrecy in satellite networks, but it has relatively high computational complexity. Izwa et al. proposed a lightweight authentication and key agreement scheme for LEO satellite communication using a one-way hash function to improve the security of the protocol [18]. It protects against offline password guessing, replay, stolen verifier, impersonation, and denial of service attacks. An authentication and key update scheme was proposed by Zhang et al. which achieved user anonymity and reduced the protocol overhead by adopting a hash algorithm [19]. However, Qi et al. showed that Zhang's scheme could not resist the stolen verifier attack and the denial of service attack, lacked an invalid user update process, and required complicated database queries in practice. Therefore, they proposed an enhanced authentication scheme to resist these two attacks, in which users must hold a legal smart card to complete the authentication and no verifier table needs to be maintained [20]. Subsequently, a secure authentication mechanism based on elliptic curve cryptography and symmetric cryptography was proposed by Qi et al. [21]. Different from the previous two schemes, the ground control center in this scheme does not obtain the user's password information, and users can update their password according to their own needs, giving them a better user experience. Yang et al. realized anonymous roaming authentication of user identity in the Space Information Network (SIN) [22].
They verified the legitimacy of user identity using group signatures and used the elliptic curve signature algorithm to verify satellite and ground station identity. In addition, physical layer security [23,24], blockchain [25,26], and quantum technology [27,28] are hot topics in solving the security problems of satellite networks. However, physical layer security technology is more suitable for point-to-point communication security, blockchain technology requires high computing, storage, and energy resources, and quantum key distribution and other security technologies are still in the exploration stage. Most of the above research is devoted to improving the security and communication efficiency of satellite or ground networks, but it is difficult to solve the problem of secure and efficient transmission across domains in the SGIN.
To provide secure and efficient multicast services in the SGIN, it is necessary to design a simple and reliable protocol flow based on existing ground and satellite network security protocols. According to the characteristics of network services, key technologies such as shared key derivation and distribution, group multicast service registration, group key distribution, and group key dynamic update should be optimized. Finally, the secure transmission of multimedia multicast service between ground segment and space segment is realized.

Preliminary
The Chinese Remainder Theorem is an important theorem in number theory, which is used to solve systems of linear congruence equations [29]. In order to obtain the solution quickly, mathematicians use a structured approach to give the specific form of the general solution. Let m_1, m_2, ..., m_k be a set of pairwise relatively prime positive integers; then, for any given k positive integers a_1, a_2, ..., a_k, the system of linear congruence equations, Notice that since the moduli are relatively prime and M_i is the product of all the moduli other than m_i, M_i has an inverse element modulo

System Model. As shown in Figure 1, our Space-Ground Integration Network model consists of 6 parts: ground-based node networks, space-based node networks, gateway, content provider, Home Subscriber Server (HSS), and BM-SC. Through this integrated system, a UE can connect to the BM-SC via the satellite and obtain multicast services.
(1) Ground-based node networks, which consist of different types of UEs, are requesters/initiators of multicast services. (2) Space-based node network, which consists of multiple satellites, is the access network in the architecture. It is mainly responsible for forwarding and processing messages between the UE and the core network. (3) Content provider is the provider of data in the system. (4) HSS is a core network element that stores the mapping relationship between User Security Settings (USSs) and user identity identifiers, that is, IMSIs. In our model, the HSS will provide the user's USS and IMSI to the BM-SC. (5) BM-SC is an organization with functions such as key distribution, key update, data transmission, and member authority management.

Design
Objectives. The proposed scheme is to realize the access authentication of the UE in multicast services and the group key agreement between users and the BM-SC. Our scheme should meet the following security requirements: (1) Mutual authentication: The scheme needs to complete entity identity authentication between the UE and the BM-SC. On this basis, the scheme ensures that only authorized legal users can use multicast services, and only legal BM-SCs can provide users with real and reliable data. (2) Resistance to protocol attacks: Our scheme is expected to resist entity impersonation attacks, replay attacks, man-in-the-middle attacks, and so on. (3) Conditional anonymity: Our scheme is expected to realize the anonymity of user identity to protect the privacy of users; that is, users do not use their real identity to interact in the network but a temporary identification. (4) Unlinkability: Unlinkability means that an attacker cannot determine whether two messages were sent by the same user.

The Proposed Authentication Scheme
In this section, we introduce the shared key agreement process which improves the 5G AKA mechanism [30], the group-based multicast service registration process, the group key distribution process, and the key update process based on the CRT. In these processes, we implement the mutual authentication and key agreement between the UEs and the BM-SC in multicast service and update keys when group membership changes. Specifically, our scheme includes the following: (1) the shared key agreement process between the UE and the BM-SC, (2) the user multicast service registration process, (3) the multicast key distribution process, and (4) the key update process. We will describe our proposed scheme in detail as follows.

Shared Key Agreement Process in Multicast Service.
As shown in Figure 2, our scheme realizes the identity authentication of the UE based on the 5G AKA mechanism at this stage to verify whether the user is authorized to access the network. During this process, we also negotiate a session key K_i, a random prime number Z_i, and the user temporary identity identifier TID_i shared between UE_i and the BM-SC. K_i will be used for the generation of the important parameter MRK_i in the multicast service registration process. The key distribution process relies on Z_i. The specific steps are described as follows: (1) First, UE_i generates a prime number Z_i, encrypts it with the public key of the Home Network (HN) to obtain Z_i^pb, and sends the access authentication request message (SUCI, Z_i^pb, mbs_req) to the ground Service Network (SN) through the satellite network, where the SUCI is the terminal identity in the 5G AKA authentication process defined by the 3GPP committee, and mbs_req is the multicast service request flag with a length of 1 bit.
and user temporary identity TID_i = h(IMSI, K_i), where KDF is the key derivation function, h is the one-way hash function, CK, IK, and RAND are the key negotiation parameters shared by the UE and the HN in the 5G AKA process, and BM-SC_ID is the identity of the BM-SC. (5) Finally, the HN sends Z_i, K_i, and TID_i to the BM-SC.

Multicast Service Registration Process.
In the previous stage, through the improved 5G AKA process, a secure channel has been established between the UE and the Satellite-RAN and between the Satellite-RAN and the BM-SC. As shown in Figure 3, the mutual authentication between multiple UEs and the BM-SC is realized based on group authentication at this stage to verify in batches whether multiple users are legitimate users of multicast services. The specific process is as follows: (1) UE_i generates a random number r_i and then sends a multicast service registration request message (TID_i, r_i) to the Satellite-RAN. (2) The Satellite-RAN sends all registration requests (TID_1, TID_2, ..., TID_n, r_1, r_2, ..., r_n, uG_id, sRAN_id, R_sat) received within a certain period of time to the BM-SC, where uG_id is used to identify the user group, sRAN_id is the identity of the Satellite-RAN, and R_sat is a random number generated by the Satellite-RAN. (3) The BM-SC generates a random number R after receiving the message and obtains the long-term shared key K_i according to TID_i. Then the BM-SC sequentially calculates and stores the following parameters for the identity authentication of each UE: (1) multicast request key MRK_i = KDF(K_i, "mbs_mrk"); (2) message authentication code
whether RES_0 is equal to XRES_0. If the verification is passed, UE_i's multicast service registration is completed.

Multicast Key Security Distribution Process.
After successful registration, the BM-SC uses Z_i to realize the secure distribution of the multicast group key based on the CRT. As shown in Figure 4, the specific process is as follows: (1) Firstly, the BM-SC generates a random number GK as the group key and executes the following process.
Step 2:
Step 5: a ≡ Σ_{i=1}^{n} zx_i y_i (mod zg).
Then, the content provider transmits the multimedia multicast service (MMS) data to the BM-SC, and the BM-SC uses the group key GK corresponding to each service to encrypt the data and transmit it to the users of the multicast service.

Group Key Update Process.
In view of the situation that users of multicast services leave or join the group, we need to design the corresponding key update schemes. In Section 5.3, we saw that b is the most important factor in the group key agreement request message, and UE_i can calculate the group key GK from b and its known Z_i. Therefore, we focus on the update of b, and the specific process is designed for four scenarios as follows: (1) Group key update when a single user leaves. When UE_i leaves the group, the BM-SC reselects a group key GK' and calculates b according to the following steps: Step 1: a' ≡ a − zx_i y_i (mod zg).

Security and Communication Networks
When UE_i joins the group, the BM-SC reselects a group key GK' and calculates b according to the following steps: Step 1: a' ≡ a (mod zg). According to Equation (1), we can calculate
(3) Group key update when multiple users leave. When K UEs leave the group, the BM-SC reselects a group key GK' and calculates b according to the following steps. Here, the K UEs are represented as (UE_1, UE_2, ..., UE_k).
(4) Group key update when multiple users join. When K UEs join the group, the BM-SC reselects a group key GK' and calculates b according to the following steps. Here, the K UEs are represented as (UE_{n+1}, UE_{n+2}, ..., UE_{n+k}).
Step 1: Step 2: Step 3: Step 4: zx_i y_i = X_i Y_i.
Step 5: a' ≡ a zx_i y_i + Σ_{i=n+1}^{n+k} zx_i y_i (mod zg').

Key Layering Mechanism.
Figure 5 shows our key layering mechanism. Based on the CK and IK derived in the 5G AKA mechanism and the random prime number Z_i, we obtain the shared key K_i and the random prime number Z_i between a UE and the BM-SC in the shared key agreement process of the multicast service. The two keys are used in the multicast service registration and key distribution phases, respectively. The details are as follows:
(1) CK, IK: CK and IK are generated during the access authentication process between the UE and the HN based on the 5G AKA mechanism.
(2) Z_i: The random prime number Z_i is sent by the UE to the HN during the shared key agreement process of the multicast service and forwarded by the HN to the BM-SC. (3) K_i: K_i is derived by the UE and the HN from CK and IK in the shared key agreement process of the multicast service. (4) MRK_i: MRK_i is derived by the UE and the BM-SC from K_i in the multicast service registration stage and is used to realize the mutual authentication between the UE and the BM-SC. (5) GK: In the key distribution stage, GK is the group key selected by the BM-SC, and the UE calculates GK from Z_i.
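The CRT-based distribution of Section 5.3 and the member-leave update of Section 5.4 can be exercised with the following added example. It is not the paper's code: the paper's x_i, y_i and zg steps are elided in the text above, so the residue each member must read is assumed here to be GK XOR K_i (with K_i the per-member shared key of the key layering above), the Z_i are taken as four Mersenne primes so the run is deterministic, and the leave case is handled by rebuilding b over the remaining Z_i rather than by the paper's incremental Step 1 to Step 5 update.

```python
# Added example (not the paper's code): CRT-based group key distribution and
# member-leave update. Assumptions: each member's residue is GK XOR K_i, and the
# Z_i are Mersenne primes chosen here so that the demo is deterministic.

def crt_solve(residues, moduli):
    """Solve x ≡ residues[i] (mod moduli[i]) for pairwise coprime moduli.

    Returns (x, M) with 0 <= x < M = prod(moduli), using the classical
    construction x = sum(a_i * M_i * y_i) mod M, where M_i = M // m_i and
    y_i = M_i^{-1} (mod m_i); the inverse exists because gcd(M_i, m_i) = 1.
    """
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        y_i = pow(M_i, -1, m_i)      # modular inverse (Python 3.8+)
        x += a_i * M_i * y_i
    return x % M, M


def distribute_group_key(gk, members):
    """BM-SC side. members: id -> (Z_i, K_i). Returns the broadcast value b with
    b mod Z_i == gk XOR K_i for every *current* member, so only they recover gk."""
    residues, moduli = [], []
    for z_i, k_i in members.values():
        a_i = gk ^ k_i
        if a_i >= z_i:
            raise ValueError("gk XOR K_i must be smaller than Z_i")
        residues.append(a_i)
        moduli.append(z_i)
    b, _zg = crt_solve(residues, moduli)
    return b


def recover_group_key(b, z_i, k_i):
    """UE side: one modular reduction and one XOR."""
    return (b % z_i) ^ k_i


# Constructed demo data: four distinct primes (2^61-1, 2^89-1, 2^107-1, 2^127-1)
# and 60-bit member keys, so gk XOR K_i < 2^60 < every Z_i.
MEMBERS = {
    "UE1": ((1 << 61) - 1, 0x0A5A5A5A5A5A5A5A),
    "UE2": ((1 << 89) - 1, 0x0123456789ABCDE0),
    "UE3": ((1 << 107) - 1, 0x0FEDCBA987654321),
    "UE4": ((1 << 127) - 1, 0x0C0FFEE0C0FFEE00),
}
GK_INITIAL = 0x0DEADBEEFCAFE000      # constructed initial group key (< 2^60)
GK_AFTER_LEAVE = 0x0BADC0DEBADC0DE0  # constructed GK' chosen after UE2 leaves


def demo():
    """Distribute GK, then let UE2 leave and rebuild b over the remaining Z_i."""
    b = distribute_group_key(GK_INITIAL, MEMBERS)
    recovered = {uid: recover_group_key(b, z, k) for uid, (z, k) in MEMBERS.items()}

    remaining = {uid: v for uid, v in MEMBERS.items() if uid != "UE2"}
    b_new = distribute_group_key(GK_AFTER_LEAVE, remaining)
    recovered_new = {uid: recover_group_key(b_new, z, k) for uid, (z, k) in remaining.items()}
    # UE2 still holds its Z_i and K_i, but b_new was not built over Z_2,
    # so its reduction yields an unrelated value, not GK'.
    leaver_view = recover_group_key(b_new, *MEMBERS["UE2"])
    return recovered, recovered_new, leaver_view


if __name__ == "__main__":
    rec, rec_new, leaver = demo()
    print("all members recovered GK:", all(v == GK_INITIAL for v in rec.values()))
    print("remaining members recovered GK':", all(v == GK_AFTER_LEAVE for v in rec_new.values()))
    print("leaver recovers GK':", leaver == GK_AFTER_LEAVE)
```

The point the code makes is the one the update section relies on: a departed member that still holds its Z_i and K_i reads an unrelated residue from the new b, so it cannot follow subsequent traffic, while every remaining member recovers GK' with a single modular reduction. In a deployment the Z_i would be the fresh primes negotiated in the shared key agreement process, and the BM-SC must keep the masked key GK XOR K_i below the smallest Z_i, otherwise the reduction no longer returns it.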

Security Analysis
The proposed scheme includes user access authentication and shared key establishment, service registration, and group key distribution in multicast scenarios. Among them, the security of access authentication is guaranteed by the 5G AKA protocol, and the security of group key distribution is guaranteed by the CRT. In this section, we conduct formal and informal security analyses of the service registration process.

Scyther Simulation.
In this paper, we use the Scyther tool [31,32] to verify the security of the service registration process. Scyther is an automated protocol analysis tool that is widely used in protocol security analysis. The security analysis using Scyther is based on the assumption of perfect cryptography; that is, the long-term shared key or private key is not leaked. During the security analysis, researchers can choose among multiple adversary models such as Dolev-Yao and Canetti-Krawczyk. Scyther is suited to protocols with few participating roles, where the protocol itself relies on a third-party encryption protocol.
Researchers can analyze the proposed protocol through the following process based on the SPDL language. Firstly, the protocol is described by events such as send and recv, so as to model the protocol. Secondly, Scyther uses the claim event to declare the expected security properties, such as Alive, Weakagree, Niagree, Nisynch, Commit, and Secret, to verify whether the protocol is resistant to replay attacks, man-in-the-middle attacks, and tampering and forgery.
During the analysis process, the Scyther tool explores all possible evidence trees for protocol attacks. By default, the space of the search tree is bounded, but the search range can be expanded by changing the parameters; therefore, the tool can achieve unbounded verification. If the search bound is reached or all verifications are completed, Scyther displays the verification results in the graphical interface. If the verification is passed, the interface displays "ok"; otherwise, the security property displays "fail" and the attack graph found is given. Figure 6 shows the security simulation result of the service registration process. It can be seen from the figure that there are three roles in our model: UE, SAT, and BM-SC, which represent the UE, the Satellite-RAN, and the BM-SC in the protocol, respectively. We use four claim types, Alive, Weakagree, Niagree, and Nisynch, to describe our expected security properties. In terms of the adversary model, we choose the Dolev-Yao model. According to the analysis results, the security properties of our protocol are verified under the test; that is, the protocol can complete entity identity authentication and can resist replay attacks, message tampering and forgery, man-in-the-middle attacks, and so forth.

Informal Security Analysis.
In this section, we analyze the security of the protocol from the perspective of the security requirements that the scheme needs to meet.
(1) Mutual authentication: In this scheme, on the one hand, the UE verifies the identity of the BM-SC by checking MAC_i in AUTN_i. On the other hand, the satellite network and the BM-SC perform identity authentication on the UE, respectively. Specifically, the Satellite-RAN aggregates the authentication response values of the group users to obtain RES_0, then generates HRES = h(R, RES_0) and authenticates the UEs by comparing whether HRES and HXRES are equal. After the authentication, the Satellite-RAN forwards the aggregated message RES_0 to the BM-SC to authenticate the UE. (2) Conditional anonymity: The anonymity of the UE is achieved through the temporary identity TID. The Satellite-RAN and the BM-SC do not store the mapping table between the user's real identity and temporary identity, and the one-way hash algorithm makes it impossible to obtain the user's real identity by reverse operation. Therefore, the UE achieves identity anonymity towards the Satellite-RAN, the BM-SC, and other users and adversaries. At the same time, this anonymity is conditional. The HN locally stores the IMSI corresponding to the TID, so the HN can obtain the real identity of the UE.
(3) Resistance to replay attacks: In our scheme, we employ a double random number mechanism. Each entity adds random numbers, such as R_sat and R, when sending messages. If a received message contains a previously received random number, the message is ignored, which prevents replay attacks. (4) Resistance to impersonation attacks: An impersonation attack refers to an attacker impersonating the identity of a legitimate authorized user. In our solution, access authentication is implemented for users based on the 5G AKA process in the first stage, and mutual authentication between the UE and the BM-SC is implemented in the registration process. If an attacker wants to impersonate an identity, he needs to calculate RES, but without K_i he cannot succeed. (5) Resistance to man-in-the-middle attacks: A man-in-the-middle attack means that an attacker pretends to be both sides of the conversation so that they think they are communicating with each other directly. In our scheme, mutual authentication is achieved between the UE and the BM-SC, so there is no possibility of attackers masquerading successfully. (6) Unlinkability: The one-way hash function and the random number RAND are used in the generation of the user's temporary identity, which makes it impossible for an attacker to determine that two TIDs belong to the same user or that two messages belong to the same user.
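An added example (not the authors' implementation) of the key layering of Section 5.5 and of the checks argued in items (1), (3) and (4) above: K_i is derived from CK, IK, RAND and the BM-SC identity, TID_i = h(IMSI, K_i), MRK_i = KDF(K_i, "mbs_mrk"), and one registration run authenticates both sides with MAC_i and RES_i while the BM-SC ignores a request that repeats an r_i it has already accepted. KDF and h are instantiated here with HMAC-SHA256 and SHA-256 over length-prefixed fields, MAC_i and RES_i are keyed with MRK_i over the nonces R and r_i, the Satellite-RAN aggregation into RES_0 is omitted, and the IMSI and BM-SC identifier are constructed values; all of these are assumptions, as are the exact inputs of the paper's KDF, which the page does not spell out.

```python
# Added example (not the paper's code): key layering plus mutual authentication
# and replay defence for one UE registering with the BM-SC. KDF/h construction,
# the MAC_i/RES_i inputs and all identifiers are assumptions, see the lead-in.
import hashlib
import hmac
import secrets


def _prefixed(fields):
    """Length-prefix every field so concatenations are unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def kdf(key, *fields):
    """Key derivation function (assumed HMAC-SHA256 construction)."""
    return hmac.new(key, _prefixed(fields), hashlib.sha256).digest()


def h(*fields):
    """One-way hash function h (assumed SHA-256)."""
    return hashlib.sha256(_prefixed(fields)).digest()


def derive_shared_key(ck, ik, rand, bmsc_id):
    """K_i: derived by UE and HN from the 5G AKA outputs, bound to the BM-SC."""
    return kdf(ck + ik, rand, bmsc_id)


def derive_tid(imsi, k_i):
    """TID_i = h(IMSI, K_i): the temporary identity used instead of the IMSI."""
    return h(imsi, k_i)


def derive_mrk(k_i):
    """MRK_i = KDF(K_i, "mbs_mrk"): the multicast request key."""
    return kdf(k_i, b"mbs_mrk")


def mac_i(mrk, R, r_i):
    """BM-SC -> UE authenticator (carried in AUTN_i)."""
    return kdf(mrk, b"MAC", R, r_i)


def res_i(mrk, R, r_i):
    """UE -> BM-SC response; domain-separated from MAC_i so one cannot stand in for the other."""
    return kdf(mrk, b"RES", R, r_i)


class BMSC:
    def __init__(self, records):
        self.keys = dict(records)   # TID_i -> K_i, as delivered by the HN
        self.seen_nonces = set()    # r_i values already accepted (replay defence)

    def handle_request(self, tid, r):
        """Registration request (TID_i, r_i). Returns (R, MAC_i, XRES_i) or None."""
        if tid not in self.keys or r in self.seen_nonces:
            return None             # unknown user or replayed request: ignored
        self.seen_nonces.add(r)
        mrk = derive_mrk(self.keys[tid])
        R = secrets.token_bytes(16)
        return R, mac_i(mrk, R, r), res_i(mrk, R, r)


class UE:
    def __init__(self, imsi, k_i):
        self.tid = derive_tid(imsi, k_i)
        self.mrk = derive_mrk(k_i)

    def answer(self, R, mac, r):
        """Authenticate the BM-SC via MAC_i before revealing RES_i."""
        if not hmac.compare_digest(mac, mac_i(self.mrk, R, r)):
            return None
        return res_i(self.mrk, R, r)


def register(ue, bmsc, r=None):
    """One registration run; True only if UE and BM-SC authenticated each other."""
    r = r if r is not None else secrets.token_bytes(16)
    challenge = bmsc.handle_request(ue.tid, r)
    if challenge is None:
        return False
    R, mac, xres = challenge
    res = ue.answer(R, mac, r)
    return res is not None and hmac.compare_digest(res, xres)


def setup():
    """Constructed 5G AKA outputs and identifiers; the HN hands (TID_i -> K_i) to the BM-SC."""
    ck, ik, rand = bytes(16), bytes(range(16)), b"\x42" * 16
    imsi, bmsc_id = b"460001234567890", b"BM-SC-1"
    k_i = derive_shared_key(ck, ik, rand, bmsc_id)
    return UE(imsi, k_i), BMSC({derive_tid(imsi, k_i): k_i})
```

Two details carry the security argument: the UE checks MAC_i before it emits RES_i, so a party that does not hold K_i cannot make the UE answer, and the BM-SC keeps the set of r_i it has accepted, so a captured (TID_i, r_i) message replayed later is dropped before any computation. A replay window bounded by the Satellite-RAN's aggregation timer would keep that set small in practice.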

Performance Analysis
In this section, we evaluate the performance of our scheme by comparing it with existing schemes [18][19][20][21][22] in terms of computational overhead, bandwidth overhead, and signaling overhead, which are three important aspects for evaluating the performance. In addition, we built an experimental environment based on our scheme and measured the delay of the registration and key distribution process, the data transmission rate, and the CPU usage to further evaluate the performance of our scheme.

Signaling Overhead.
Since multiple users are often involved in multicast service registration, we compare the signaling overhead of our proposed scheme and the previous schemes when n users perform the registration process. Table 1 shows that the signaling overhead of our scheme is only slightly higher than that of the scheme in [22] and lower than those of the other schemes, because our scheme aggregates messages. As the number of users increases, our scheme has a more significant advantage in signaling overhead, which shows that it can effectively alleviate the signaling conflict when a large number of users concurrently execute the service registration process.

Computational Overhead.
The computational cost of the registration process involves the time cost of various operations: XOR operation T_x, concatenation T_c, exponential operation T_e, point multiplication T_pm, bilinear pairing operation T_p, point addition operation T_pa, one-way hash operation T_h, and symmetric encryption and decryption operation T_e/d. Among them, XOR and concatenation require very short execution times, so these two types of operations are ignored in the computational overhead. The rest of the operations follow the calculation rules and data given in [33], and Table 2 lists the time overhead required for each operation.
As shown in the third column of Table 1, we calculated the computational overhead of our scheme and the previous schemes. Figure 7 shows how the computational overhead of each scheme changes as the number of authenticated users increases. It can be clearly seen from the figure that the computational overhead of our scheme is much smaller than those of the other schemes in [18][19][20][21][22], so it is more suitable for large-scale user multicast service registration. This is because our scheme relies mainly on the hash operation, which requires little computation, and processes authentication requests by having the satellite aggregate multiple messages.

Bandwidth Overhead.
On the premise of achieving the same security as AES-128, we make the following settings in order to fairly compare the bandwidth overhead of our proposed scheme with the previous schemes. We assume that the key length of the symmetric cryptosystem is 128 bits, the lengths of the public key and private key over a finite field are 3072 bits and 256 bits, respectively, a point on the elliptic curve is 320 bits, the output values of the hash functions such as MAC and RES are uniformly 160 bits, a random number is 128 bits, the length of the sequence number and AMF identifier in 5G AKA is 48 bits, and the length of an identifier and a timestamp is 32 bits. The bandwidth overheads of our scheme and the previous schemes in [18][19][20][21][22] are listed in Table 1. Figure 8 shows the change of the bandwidth overhead of each scheme as the number of users increases. The proposed scheme has a greater advantage in bandwidth overhead compared with the other schemes as the number of users increases, since the request messages are aggregated in the service registration phase.

The Experimental Scheme.
To verify the validity and reliability of the proposed scheme, an experimental environment is built according to the network topology shown in Figure 9. The experiments simulate the multicast service of three users. Each node is deployed on a physical host that connects through a Gigabit network. The host is configured with an Intel(R) Core(TM) i7-2600 CPU @ 3.40 GHz, 3 GB memory, a 2 TB hard disk, and the CentOS 7.4 operating system. The experiments are divided into three parts as follows:
(1) In the experimental environment, the delay of establishing the shared key between three users and the BM-SC, the delay of user multicast service registration, and the delay of group key security distribution are tested. Each delay is tested several times to observe and analyze the efficiency of key derivation and distribution during the multicasting.
(2) After the group key distribution between the user and the BM-SC is completed, we tested the throughput rate of multicast data transmission. The data transmission adopts the ECB mode of the SM4 algorithm implemented in software for encryption and decryption. The throughput rate is sampled several times to observe and analyze the changes in data transmission performance during the multicasting.
(3) In the above two experiments, the system monitoring tool is used to monitor the CPU usage, memory usage, and system load changes of the user system in the process of key derivation, distribution, and data transmission.

Experimental Results and Analysis.
The delays of the establishment of the shared key between three users and the BM-SC, the registration of user multicast service, and the group key distribution are described in Figures 10-12, respectively. Each delay is tested 50 times. As shown in Figure 10, the maximum delay of the shared key establishment is less than 2 ms. Compared with the round-trip delay of network transmission in the experimental environment, the delay of the shared key establishment process is basically the same as that of network transmission in the communication process. Therefore, the cost of shared key calculation can be ignored. As shown in Figure 11, the registration delay of multicast services is greater than 1 s. This is because the timer in the satellite network is set to 1 s; after 1 s, all multicast service registration requests received within this period are sent to the BM-SC. The delay of group key distribution is basically the same as the network transmission delay in the communication process, as shown in Figure 12. After the group key distribution between the user and the BM-SC is completed, the multicast data transmission test is performed. The length of the test data is 1400 bytes, and the throughput rate is sampled 50 times during the test.

Table 1: Signaling overhead, computational overhead (s), and bandwidth overhead (bits) of the compared schemes for n users (only the rows recovered from the extraction are shown).

Scheme   Signaling overhead   Computational overhead (s)   Bandwidth overhead (bits)
[18]     4n                   (12T_h + 1T_pm)n             1088n
[19]     4n                   (8T_h)n                      896n
[20]     4n                   (8T_h + 3T_pm)n              1120n
[21]     6n                   (10T_h + 6T_pm + 2T_e/d)n    1312n
[22]     3n

From Figure 13, the data transmission rate is basically stable at 0.109 Gbps. The reason for the low data transmission performance is that the software encryption and decryption algorithm is used to process the data; its performance is 0.114 Gbps, slightly higher than the data transmission rate. Data transmission has therefore reached the upper limit of the communication rate achievable in the experimental environment.
During the data transmission between the users and the BM-SC, the CPU usage of the three users is shown in Figure 14. On a multicore CPU, both the CPU usage and the system load remain low. In addition, within the whole CPU usage, the part spent on key derivation and distribution between the users and the BM-SC is close to 0%.
According to the above experimental results, the proposed scheme has a low computational overhead in the process of shared key establishment, multicast service registration, and group key distribution. While achieving a higher communication rate, it takes fewer hardware resources. The security requirements of multicast services are well satisfied in the SGIN.

Conclusions
In this paper, we design an efficient authentication and key distribution protocol for multicast services in SGIN. Specifically, we have completed the secure derivation of the shared key for multicast services between the UE and the BM-SC with the help of the existing 5G-AKA mechanism.
Then we design a group-based multicast service registration mechanism. Finally, based on the CRT, we design a secure and efficient group key distribution and update process. Security analysis and performance analysis results show that our scheme has robust security properties and has advantages in signaling overhead, computational overhead, and bandwidth overhead. By building a real experimental environment, we tested the actual application of our scheme. From the perspective of delay, transmission rate, and CPU usage, our scheme has good efficiency under the premise of ensuring security.

Data Availability
No datasets were used in this paper.

Conflicts of Interest
The authors declare that they have no conflicts of interest.