Scalable Security and Accounting Services for Content-based Publish/Subscribe Systems Himanshu Khurana NCSA, University of Illinois.

Slides:



Advertisements
Similar presentations
Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.
Advertisements

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
By Md Emran Mazumder Ottawa University Student no:
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.
WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Cryptographic Techniques Instructor: Jerry Gao Ph.D. San Jose State University URL: May,
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Cryptographic Technologies
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Information Security of Embedded Systems : Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Applied Cryptography for Network Security
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Web services security I
Application of Attribute Certificates in S/MIME Greg Colla & Michael Zolotarev Baltimore Technologies 47 th IETF Conference Adelaide, March 2000.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
Computer Science Public Key Management Lecture 5.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
Secure Electronic Transaction (SET)
MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Guomin Yang et al. IEEE Transactions on Wireless Communication Vol. 6 No. 9 September
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.
Códigos y Criptografía Francisco Rodríguez Henríquez Security Attacks: Active and Passive Active Masquerade (impersonation) Replay Modification of message.
XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.
Security Overview  System protection requirements areas  Types of information protection  Information Architecture dimensions  Public Key Infrastructure.
SeCol: Secure Collaborative Applications using Group Communication and Publish/Subscribe Systems Himanshu Khurana NCSA.
1 Normal executable Infected executable Sequence of program instructions Entry Original program Entry Jump Replication and payload Viruses.
1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz
Topic 1 – Introduction Huiqun Yu Information Security Principles & Applications.
1 Kerberos – Private Key System Ahmad Ibrahim. History Cerberus, the hound of Hades, (Kerberos in Greek) Developed at MIT in the mid 1980s Available as.
Decentralized authorization and data security in web content delivery * Danfeng Yao (Brown University, USA) Yunhua Koglin (Purdue University, USA) Elisa.
Security Using PGP - Prajakta Bahekar. Importance of Security is one of the most widely used network service on Computer Currently .
Using Public Key Cryptography Key management and public key infrastructures.
Secure Messenger Protocol using AES (Rijndael) Sang won, Lee
Chapter 40 Network Security (Access Control, Encryption, Firewalls)
Securing Broker-Less Publish/Subscribe Systems Using Identity-Based Encryption.
7.6 Secure Network Security / G.Steffen1. In This Section Threats to Protection List Overview of Encrypted Processing Example.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Network Security Celia Li Computer Science and Engineering York University.
Security Review Q&A Session May 1. Outline  Class 1 Security Overview  Class 2 Security Introduction  Class 3 Advanced Security Constructions  Class.
SELS: A Secure List Service Himanshu Khurana, Adam Slagell, Rafael Bonilla NCSA, University of Illinois Appeared in the ACM Symposium of Applied.
 Attacks and threats  Security challenge & Solution  Communication Infrastructure  The CA hierarchy  Vehicular Public Key  Certificates.
e-Health Platform End 2 End encryption
The Secure Sockets Layer (SSL) Protocol
Presentation transcript:

Scalable Security and Accounting Services for Content-based Publish/Subscribe Systems Himanshu Khurana NCSA, University of Illinois

Introduction B PB SB PB SB B B B B B B B B B B B PB SB B B Border Broker Broker Publisher Subscriber Pub/Sub Infrastructure (e.g., Gryphon, Siena) Applications: software updates, location-based services for wireless networks, supply chain management, traffic control, and stock quote dissemination Three types: Topic-based, type-based, and content-based Content-based considered to be the most general

Security Challenges Addressed for Content-Based Pub/Sub Systems (CBPS) Confidentiality, integrity, and authentication of events Usage-based accounting E.g., for stock quote dissemination Solution Highlights Strong adversarial model: PBs & SBs don’t trust broker network Adversary has access to CBPS network traffic and will attempt to Violate confidentiality of events by observing them Violate integrity and authentication by inserting/modifying fake events and subscriptions No security associations (e.g. keys) needed between PBs and SBs No modifications needed to existing matching & routing algorithms Scales to support an Internet-scale pub/sub infrastructure

Confidentiality Adversary has access to network traffic  contents cannot be disclosed to brokers One approach: perform computations on encrypted data Difficult to implement in practice Require modifications to matching and routing techniques Observation Only selected parts of an event’s content need to be confidential Matching and routing can be accomplished without these parts Our Approach Encode events in XML documents Use Bertino and Ferrari’s XML document dissemination techniques to selectively encrypt sensitive parts of events Distribute keys to authorized subscribers using Jakobsson’s proxy encryption techniques

Confidentiality Examples Encrypted Packages Cleartext Event Contents Message: id 100 YHOO Message: id 100 YHOO E k (70.2) Encrypt Message: id 200 8/5/04 NY-CA 10-3 Message: id 200 8/5/04 NY-CA E k (10-3) Encrypt Enc PK (k) E k ()  symmetric key encryption (e.g., AES) using key k Enc PK ()  El Gamal public key encryption using key PK

Distributing Keys to Authorized Subscribers 123n Proxy Security and Accounting Service (PSAS) … n servers with t of n threshold key sharing Border Broker B 2 PBSB Border Broker B 1 … broker network Register/ Publish RegisterTransform Register/ Receive For each PB, an EG decryption key (x, y): x =  x i where x i is a key share held by any server, y = g x i=1 t RSA Signature Key (K ps, PK ps ): K ps =  K ps i where K ps i is a key share held by any server i=1 t clcl Coordinators c1c1 c2c2 …

Integrity and Authentication Event integrity and authentication Needed to ensure that event contents come from an authentic source and have not been modified We use XML signatures for event integrity and authentication Assume subscribers can verify publisher’s certificates Should signatures be applied on cleartext or encrypted contents? Signing only encrypted contents is considered insecure Signing cleartext contents  intermediate components (e.g. PSAS) can’t verify signature Therefore, use two signatures First one over cleartext, second one over encrypted contents Transformation request integrity and authentication Needed to prevent unauthorized transformations We use XML signatures request integrity and authentication

Protocol Overview PB Register SB Register public key, interests Get Public Key PSAS (n servers, signature key shared in t-of-n manner) B1B1 B2B2 Initialization Co-sign Request Signed Public Key (generate t-of-n decryption key for PB) Publisher and Subscriber Registration

Protocol Overview PB PSAS (transforms event for subscriber) B1B1 B2B2 SB... Publish (pac) Match & Route Deliver (pac’) Transform(pac, PK sb ) Transformation process produces a verifiable certificate Used to provide usage-based accounting Event publication, routing, and delivery

Scalability via multiple PSASs PB PSAS 1 PSAS 2 B1B1 BiBi BjBj SB BtBt... Publish (pac) Match & Route Transform( pac, PK ps2 ) pac’ Forward Match & Route Transform( pac’, PK sb ) pac’’ Deliver (pac’’)

Security Analysis Confidentiality provided by encrypting sensitive contents of events Remain encrypted from publication to delivery Transformation process at PSAS maintains confidentiality Integrity and Authentication provided via digital signatures Subscribers can verify signatures over cleartext contents Brokers and PSAS can verify signatures over encrypted contents Usage- based accounting Publicly verifiable transformation certificates generated by PSAS

Conclusions and Future Work Proposed novel approach for security in CBPS Confidentiality, integrity, and authentication of events Usage-based accounting Future Work Detailed scalability and cost analysis Prototype implementation using Siena (supports XML events) Available threshold cryptographic libraries

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.