1 A Scalable Approach for the Secure and Authorized Tracking of the Availability of Entities in Distributed Systems Shrideep Pallickara, Jaliya Ekanayake.

Slides:

Advertisements

Similar presentations

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.

Advertisements

802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.

Research Issues in Web Services CS 4244 Lecture Zaki Malik Department of Computer Science Virginia Tech

Chapter 14 – Authentication Applications

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

Cryptography and Network Security Chapter 14

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Functional component terminology - thoughts C. Tilton.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Agent Caching in APHIDS CPSC 527 Computer Communication Protocols Project Presentation Presented By: Jake Wires and Abhishek Gupta.

Core Web Service Security Patterns

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

SIMPLEStone – A presence server performance benchmarking standard SIMPLEStone – A presence server performance benchmarking standard Presented by Vishal.

Distributed Publish/Subscribe Network Presented by: Yu-Ling Chang.

Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.

Principles for Collaboration Systems Geoffrey Fox Community Grids Laboratory Indiana University Bloomington IN 47404

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

1 A Framework for Network Monitoring and Performance Based Routing in Distributed Middleware Systems Gurhan Gunduz Advisor: Professor.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

JMS Compliance in NaradaBrokering Shrideep Pallickara, Geoffrey Fox Community Grid Computing Laboratory Indiana University.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Scalable Security and Accounting Services for Content-based Publish/Subscribe Systems Himanshu Khurana NCSA, University of Illinois.

1 On the Creation & Discovery of Topics in Distributed Publish/Subscribe systems Shrideep Pallickara, Geoffrey Fox & Harshawardhan Gadgil Community Grids.

June 25 th PDPTA Incorporating an XML Matching Engine into Distributed Brokering Systems.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.

Gil EinzigerRoy Friedman Computer Science Department Technion.

Computer Science and Engineering 1 Service-Oriented Architecture Security 2.

A Portal Based Approach to Viewing Aggregated Network Performance Data in Distributed Brokering Systems By Gurhan Gunduz, Shrideep Pallickara, Geoffrey.

1 Configurable Security for Scavenged Storage Systems NetSysLab The University of British Columbia Abdullah Gharaibeh with: Samer Al-Kiswany, Matei Ripeanu.

Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

A Transport Framework for Distributed Brokering Systems Shrideep Pallickara, Geoffrey Fox, John Yin, Gurhan Gunduz, Hongbin Liu, Ahmet Uyar, Mustafa Varank.

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Introduction to Secure Sockets Layer (SSL) Protocol Based on:

SWIM-SUIT Information Models & Services

IEEE MEDIA INDEPENDENT HANDOVER DCN: MuGM Title: TGd Message Signing Proposal Date Submitted: Presented at IEEE d session.

Event Processing A Perspective From Oracle Dieter Gawlick, Shailendra Mishra Oracle Corporation March,

1 Vigil : Enforcing Security in Ubiquitous Environments Authors : Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, Tim Finin Presented by : Amit Choudhri.

Harshavardhan Achrekar - Grad Student Umass Lowell presents 1 Scenarios Authentication Patterns Direct Authentication v/s Brokered Authentication Kerberos.

Authorization for IoT Group Name: oneM2M SEC WG Source: Francois Ennesser, Gemalto NV Meeting Date: Agenda Item:

A Dynamic Packet Stamping Methodology for DDoS Defense Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal CISC 859 University.

Shrideep Pallickara, Jaliya Ekanayake, Geoffrey Fox Community Grids Lab Indiana University Collaborative Analysis of Distributed Data Applied to Particle.

Communication Paradigm for Sensor Networks Sensor Networks Sensor Networks Directed Diffusion Directed Diffusion SPIN SPIN Ishan Banerjee

Middleware for Secure Environments Presented by Kemal Altıntaş Hümeyra Topcu-Altıntaş Osman Şen.

Secure Systems Research Group - FAU SW Development methodology using patterns and model checking 8/13/2009 Maha B Abbey PhD Candidate.

A Collaborative Framework for Scientific Data Analysis and Visualization Jaliya Ekanayake, Shrideep Pallickara, and Geoffrey Fox Department of Computer.

Network Security Lecture 27 Presented by: Dr. Munam Ali Shah.

HPSearch for Managing Distributed Services Authors Harshawardhan Gadgil, Geoffrey Fox, Shrideep Pallickara Community Grids Lab Indiana University, Bloomington.

Scalable, Fault-tolerant Management of Grid Services Harshawardhan Gadgil, Geoffrey Fox, Shrideep Pallickara, Marlon Pierce Presented By Harshawardhan.

Cryptography and Network Security Chapter 14

GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.

NaradaBrokering: Managing data distribution in distributed systems Shrideep Pallickara Community Grids Lab Indiana University.

June 18 th ACM Middleware NaradaBrokering: A Middleware Framework and Architecture for.

International Conference Security in Pervasive Computing(SPC’06) MMC Lab. 임동혁.

INFSO-RI Enabling Grids for E-sciencE NPM Security Alistair K Phipps (NeSC) JRA4 Face To Face, CERN, Geneva.

Scaling and Fault Tolerance for Distributed Messages in a Service and Streaming Architecture Hasan Bulut Advisor: Prof. Geoffrey Fox Ph.D. Defense Exam.

 Attacks and threats  Security challenge & Solution  Communication Infrastructure  The CA hierarchy  Vehicular Public Key  Certificates.

AMSA TO 4 Advanced Technology for Sensor Clouds 09 May 2012 Anabas Inc. Indiana University.

SMARTIE Area of Activity: Framework Programme 7Framework Programme 7 ICT Objective 1.4 IoT (Smart Cities) Period:1 st September st August 2016.

Cryptography and Network Security

Shrideep Pallickara, Hasan Bulut & Geoffrey Fox Community Grids Lab

Distributed Publish/Subscribe Network

Composite Subscriptions in Content-based Pub/Sub Systems

A Framework for Secure End-to-End Delivery of Messages in Publish/Subscribe Systems Shrideep Pallickara, Marlon Pierce, Harshawardhan Gadgil, Geoffrey.

The Anatomy and The Physiology of the Grid

The Anatomy and The Physiology of the Grid

Qualifying Exam Jaliya Ekanayake.

Presentation transcript:

1 A Scalable Approach for the Secure and Authorized Tracking of the Availability of Entities in Distributed Systems Shrideep Pallickara, Jaliya Ekanayake & Geoffrey Fox Community Grids Lab Indiana University

2 Motivation Proliferation of distributed systems Interactions predicated on knowledge of the availability of entities  Control messages, protocol handshakes, actions and data interchange  Track resources at all times Load, usage patterns etc Remedial actions in response to failures  Failure suspicions, failures, shutdown

3 Definition of Terms Entity  Resource, service, instruments, clients etc Tracing  Process of probing, and becoming aware of, the availability of an entity Traced Entity  The entity whose availability is being probed Trackers  Entities initiating availability probes for a traced entity Traces  Messages encapsulating the state of a traced entity

4 Push or Pull Push  Traced entities push traces to the trackers at regular intervals  Receipt of such pushed traces provides info on availability Pull  Trackers poll the availability at regular intervals  Decisions based on the outcome of the poll

5 Issues in developing solution In simple scheme every entity issues a trace every second  Does not scale well  With increasing scale every entity is inundated with traces Entities operate in myriad domains  May deploy different transports for communications

6 Desired Features Reduction of complexity  Reduce the number of entities that a given entity needs to communicate with Push/pull requires some entity to communicate with a rather large set Transport independent Selectivity in traces  For e.g. register ONLY to receive change notification traces Authorization  Restrict who is allowed to be part of the tracing process Security  Make the trace itself confidential Cope with some classes of DDoS attacks

7 Publish/Subscribe Systems

8 NaradaBrokering Provisions an enabling infrastructure for building distributed systems  Has services, and makes these services accessible to entities through simple invocations. Processing at the service, and the infrastructure may be complicated, but this is shielded from the clients Dissemination is based on the pub/sub paradigm Open-source project Deployed in a wide variety of domains  GIS, Audio/Video conferencing, collaboration, Geoscience and Physics 1425 classes, 157 packages and 300,000 lines of code

9 The NaradaBrokering Substrate

10 Topic Discovery Scheme Create topics that are unique in space and time in a decentralized fashion Establish topic provenance  Deterministic cryptographic verification of ownership Restrict discovery of topics  Possess valid credentials  Specified ACL Establish topic life-cycle Manage topic collections & organization

11 Our scheme Leverage pub/sub for disseminating traces Facilitate selectivity in trace consumption by trackers  Different types of Traces are issued over different topics. Restrictions on authorizations related to topics over which traces are issued  Discovery of these topics  Actions associated with these topics Traces demonstrate authorization, tamper-evidence and source  Unambiguously verify this Secure the distribution of traces

12 Trace Topic Topic related to trace information related to a given entity  Derivative topics are constructed from this At creation time, the traced entity must specify who is authorized to trace it  ACL or based on credentials Register a descriptor that will facilitate discovery  Availability/Traces/Entity-ID

13 Constrained Topics Systems Topics Derivative topics managed by the broker  Multiple derived topics facilitates trace selectivity Constraints are based on  Limits on performed actions  Proof of authorization to perform action  Security  Dissemination range for the action Anatomy of a Constrained Topic  /Constrained/{Event Type}/{Constrainer}/ {Allowed Actions }/{Distribution} /{Other “/”separated Suffixes}

14 Registration of Trace Entity First create a Trace topic Register with broker  Over constrained topic that ONLY broker subscribes to Traced Entity needs to sign registration message  Verify credentials and tamper evidence Broker generates session identifier  Along with the trace topic, is used to derive a constrained topic ONLY the Broker subscribes to ONLY traced entity publishes to.

15 Broker Operations Responsible for failure detection  Must report status of traced entity to trackers Issues pings at regular intervals to traced entity  Every ping has monotonically increasing message number, and timestamp.  Ping responses should include both of these To correlate requests and responses  Failure suspicions and confirmations based on lack of ping responses Traced entity can notify broker about  LOAD, Network metrics, Graceful exits and state transitions

16 Registering to receive traces Need to discover trace topic associated with a given traced entity Construct appropriate derived constrained topics to initiate interactions  Selectivity allows registering to different types of traces A broker generates traces ONLY if there are entities interested in traces  GAUGE INTEREST message issued periodically

17 Authorization Every trace message initiated by the traced entity checked for authorization (source) and tamper evidence Traces published by broker  Broker needs to demonstrate authorization to generate traces. This is verified by every broker that receives it Cryptographic token generated by traced entity is included

18 Security Broker indicates that traces will be secured in the GAUGE INTEREST message. Trackers respond with their credentials. The broker secures the secret-trace-key  Using the tracker’s credentials

19 Performance Cryptographic Profile  1024-bit RSA with 160-bit SHA-1 and PKCS#1Padding.  Symmetric encryptions/decryptions use 192-bit AES keys 4 CPU Xeon, 2.4GHz, 2GB RAM 100 Mbps LAN JVM 1.4

20 Performance: Topology

Benchmarks: Tracker Increase

Optimization: Authorization

Conclusions Pub/Sub provides loosely-coupled framework for the tracing scheme Topic provenance lays the groundwork for the trace authorization scheme Transport independence facilitates wider use The costs introduced by the secure, authorized tracing scheme are acceptable for several applications. System can enforce secure and authorization schemes equally well. Selectivity and Change notifications reduce number of messages