Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 A Scalable Approach for the Secure and Authorized Tracking of the Availability of Entities in Distributed Systems Shrideep Pallickara, Jaliya Ekanayake.

Published byKassandra Shean Modified over 9 years ago

Similar presentations

Presentation on theme: "1 A Scalable Approach for the Secure and Authorized Tracking of the Availability of Entities in Distributed Systems Shrideep Pallickara, Jaliya Ekanayake."— Presentation transcript:

1 1 A Scalable Approach for the Secure and Authorized Tracking of the Availability of Entities in Distributed Systems Shrideep Pallickara, Jaliya Ekanayake & Geoffrey Fox Community Grids Lab Indiana University

2 2 Motivation Proliferation of distributed systems Interactions predicated on knowledge of the availability of entities  Control messages, protocol handshakes, actions and data interchange  Track resources at all times Load, usage patterns etc Remedial actions in response to failures  Failure suspicions, failures, shutdown

3 3 Definition of Terms Entity  Resource, service, instruments, clients etc Tracing  Process of probing, and becoming aware of, the availability of an entity Traced Entity  The entity whose availability is being probed Trackers  Entities initiating availability probes for a traced entity Traces  Messages encapsulating the state of a traced entity

4 4 Push or Pull Push  Traced entities push traces to the trackers at regular intervals  Receipt of such pushed traces provides info on availability Pull  Trackers poll the availability at regular intervals  Decisions based on the outcome of the poll

5 5 Issues in developing solution In simple scheme every entity issues a trace every second  Does not scale well  With increasing scale every entity is inundated with traces Entities operate in myriad domains  May deploy different transports for communications

6 6 Desired Features Reduction of complexity  Reduce the number of entities that a given entity needs to communicate with Push/pull requires some entity to communicate with a rather large set Transport independent Selectivity in traces  For e.g. register ONLY to receive change notification traces Authorization  Restrict who is allowed to be part of the tracing process Security  Make the trace itself confidential Cope with some classes of DDoS attacks

7 7 Publish/Subscribe Systems

8 8 NaradaBrokering Provisions an enabling infrastructure for building distributed systems  Has services, and makes these services accessible to entities through simple invocations. Processing at the service, and the infrastructure may be complicated, but this is shielded from the clients Dissemination is based on the pub/sub paradigm Open-source project http://www.naradabrokering.org http://www.naradabrokering.org Deployed in a wide variety of domains  GIS, Audio/Video conferencing, collaboration, Geoscience and Physics 1425 classes, 157 packages and 300,000 lines of code

9 9 The NaradaBrokering Substrate

10 10 Topic Discovery Scheme Create topics that are unique in space and time in a decentralized fashion Establish topic provenance  Deterministic cryptographic verification of ownership Restrict discovery of topics  Possess valid credentials  Specified ACL Establish topic life-cycle Manage topic collections & organization

11 11 Our scheme Leverage pub/sub for disseminating traces Facilitate selectivity in trace consumption by trackers  Different types of Traces are issued over different topics. Restrictions on authorizations related to topics over which traces are issued  Discovery of these topics  Actions associated with these topics Traces demonstrate authorization, tamper-evidence and source  Unambiguously verify this Secure the distribution of traces

12 12 Trace Topic Topic related to trace information related to a given entity  Derivative topics are constructed from this At creation time, the traced entity must specify who is authorized to trace it  ACL or based on credentials Register a descriptor that will facilitate discovery  Availability/Traces/Entity-ID

13 13 Constrained Topics Systems Topics Derivative topics managed by the broker  Multiple derived topics facilitates trace selectivity Constraints are based on  Limits on performed actions  Proof of authorization to perform action  Security  Dissemination range for the action Anatomy of a Constrained Topic  /Constrained/{Event Type}/{Constrainer}/ {Allowed Actions }/{Distribution} /{Other “/”separated Suffixes}

14 14 Registration of Trace Entity First create a Trace topic Register with broker  Over constrained topic that ONLY broker subscribes to Traced Entity needs to sign registration message  Verify credentials and tamper evidence Broker generates session identifier  Along with the trace topic, is used to derive a constrained topic ONLY the Broker subscribes to ONLY traced entity publishes to.

15 15 Broker Operations Responsible for failure detection  Must report status of traced entity to trackers Issues pings at regular intervals to traced entity  Every ping has monotonically increasing message number, and timestamp.  Ping responses should include both of these To correlate requests and responses  Failure suspicions and confirmations based on lack of ping responses Traced entity can notify broker about  LOAD, Network metrics, Graceful exits and state transitions

16 16 Registering to receive traces Need to discover trace topic associated with a given traced entity Construct appropriate derived constrained topics to initiate interactions  Selectivity allows registering to different types of traces A broker generates traces ONLY if there are entities interested in traces  GAUGE INTEREST message issued periodically

17 17 Authorization Every trace message initiated by the traced entity checked for authorization (source) and tamper evidence Traces published by broker  Broker needs to demonstrate authorization to generate traces. This is verified by every broker that receives it Cryptographic token generated by traced entity is included

18 18 Security Broker indicates that traces will be secured in the GAUGE INTEREST message. Trackers respond with their credentials. The broker secures the secret-trace-key  Using the tracker’s credentials

19 19 Performance Cryptographic Profile  1024-bit RSA with 160-bit SHA-1 and PKCS#1Padding.  Symmetric encryptions/decryptions use 192-bit AES keys 4 CPU Xeon, 2.4GHz, 2GB RAM 100 Mbps LAN JVM 1.4

20 20 Performance: Topology

21

22

23

24

25 Benchmarks: Tracker Increase

26 Optimization: Authorization

27 Conclusions Pub/Sub provides loosely-coupled framework for the tracing scheme Topic provenance lays the groundwork for the trace authorization scheme Transport independence facilitates wider use The costs introduced by the secure, authorized tracing scheme are acceptable for several applications. System can enforce secure and authorization schemes equally well. Selectivity and Change notifications reduce number of messages

Download ppt "1 A Scalable Approach for the Secure and Authorized Tracking of the Availability of Entities in Distributed Systems Shrideep Pallickara, Jaliya Ekanayake."

Similar presentations

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P1619.3 April 11, 2007 Andrea Doherty.

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.

802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.
Research Issues in Web Services CS 4244 Lecture Zaki Malik Department of Computer Science Virginia Tech

Research Issues in Web Services CS 4244 Lecture Zaki Malik Department of Computer Science Virginia Tech
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Functional component terminology - thoughts C. Tilton.

Functional component terminology - thoughts C. Tilton.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
Agent Caching in APHIDS CPSC 527 Computer Communication Protocols Project Presentation Presented By: Jake Wires and Abhishek Gupta.

Agent Caching in APHIDS CPSC 527 Computer Communication Protocols Project Presentation Presented By: Jake Wires and Abhishek Gupta.
Core Web Service Security Patterns

Core Web Service Security Patterns
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
SIMPLEStone – A presence server performance benchmarking standard SIMPLEStone – A presence server performance benchmarking standard Presented by Vishal.

SIMPLEStone – A presence server performance benchmarking standard SIMPLEStone – A presence server performance benchmarking standard Presented by Vishal.
Distributed Publish/Subscribe Network Presented by: Yu-Ling Chang.

Distributed Publish/Subscribe Network Presented by: Yu-Ling Chang.
Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.

Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.
Principles for Collaboration Systems Geoffrey Fox Community Grids Laboratory Indiana University Bloomington IN 47404

Principles for Collaboration Systems Geoffrey Fox Community Grids Laboratory Indiana University Bloomington IN 47404
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
1 A Framework for Network Monitoring and Performance Based Routing in Distributed Middleware Systems Gurhan Gunduz Advisor: Professor.

1 A Framework for Network Monitoring and Performance Based Routing in Distributed Middleware Systems Gurhan Gunduz Advisor: Professor.

Similar presentations

Ads by Google