Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scalable Security and Accounting Services for Content-based Publish/Subscribe Systems Himanshu Khurana NCSA, University of Illinois.

Published byPhilomena Page Modified over 8 years ago

Similar presentations

Presentation on theme: "Scalable Security and Accounting Services for Content-based Publish/Subscribe Systems Himanshu Khurana NCSA, University of Illinois."— Presentation transcript:

1 Scalable Security and Accounting Services for Content-based Publish/Subscribe Systems Himanshu Khurana NCSA, University of Illinois

2 Introduction B PB SB PB SB B B B B B B B B B B B PB SB B B Border Broker Broker Publisher Subscriber Pub/Sub Infrastructure (e.g., Gryphon, Siena) Applications: software updates, location-based services for wireless networks, supply chain management, traffic control, and stock quote dissemination Three types: Topic-based, type-based, and content-based Content-based considered to be the most general

3 Security Challenges Addressed for Content-Based Pub/Sub Systems (CBPS) Confidentiality, integrity, and authentication of events Usage-based accounting E.g., for stock quote dissemination Solution Highlights Strong adversarial model: PBs & SBs don’t trust broker network Adversary has access to CBPS network traffic and will attempt to Violate confidentiality of events by observing them Violate integrity and authentication by inserting/modifying fake events and subscriptions No security associations (e.g. keys) needed between PBs and SBs No modifications needed to existing matching & routing algorithms Scales to support an Internet-scale pub/sub infrastructure

4 Confidentiality Adversary has access to network traffic  contents cannot be disclosed to brokers One approach: perform computations on encrypted data Difficult to implement in practice Require modifications to matching and routing techniques Observation Only selected parts of an event’s content need to be confidential Matching and routing can be accomplished without these parts Our Approach Encode events in XML documents Use Bertino and Ferrari’s XML document dissemination techniques to selectively encrypt sensitive parts of events Distribute keys to authorized subscribers using Jakobsson’s proxy encryption techniques

5 Confidentiality Examples Encrypted Packages Cleartext Event Contents Message: id 100 YHOO 70.2 50 10000 Message: id 100 YHOO E k (70.2) 50 10000 Encrypt Message: id 200 8/5/04 NY-CA 10-3 Message: id 200 8/5/04 NY-CA E k (10-3) Encrypt Enc PK (k) E k ()  symmetric key encryption (e.g., AES) using key k Enc PK ()  El Gamal public key encryption using key PK

6 Distributing Keys to Authorized Subscribers 123n Proxy Security and Accounting Service (PSAS) … n servers with t of n threshold key sharing Border Broker B 2 PBSB Border Broker B 1 … broker network Register/ Publish RegisterTransform Register/ Receive For each PB, an EG decryption key (x, y): x =  x i where x i is a key share held by any server, y = g x i=1 t RSA Signature Key (K ps, PK ps ): K ps =  K ps i where K ps i is a key share held by any server i=1 t clcl Coordinators c1c1 c2c2 …

7 Integrity and Authentication Event integrity and authentication Needed to ensure that event contents come from an authentic source and have not been modified We use XML signatures for event integrity and authentication Assume subscribers can verify publisher’s certificates Should signatures be applied on cleartext or encrypted contents? Signing only encrypted contents is considered insecure Signing cleartext contents  intermediate components (e.g. PSAS) can’t verify signature Therefore, use two signatures First one over cleartext, second one over encrypted contents Transformation request integrity and authentication Needed to prevent unauthorized transformations We use XML signatures request integrity and authentication

8 Protocol Overview PB Register SB Register public key, interests Get Public Key PSAS (n servers, signature key shared in t-of-n manner) B1B1 B2B2 Initialization Co-sign Request Signed Public Key (generate t-of-n decryption key for PB) Publisher and Subscriber Registration

9 Protocol Overview PB PSAS (transforms event for subscriber) B1B1 B2B2 SB... Publish (pac) Match & Route Deliver (pac’) Transform(pac, PK sb ) Transformation process produces a verifiable certificate Used to provide usage-based accounting Event publication, routing, and delivery

10 Scalability via multiple PSASs PB PSAS 1 PSAS 2 B1B1 BiBi BjBj SB BtBt... Publish (pac) Match & Route Transform( pac, PK ps2 ) pac’ Forward Match & Route Transform( pac’, PK sb ) pac’’ Deliver (pac’’)

11 Security Analysis Confidentiality provided by encrypting sensitive contents of events Remain encrypted from publication to delivery Transformation process at PSAS maintains confidentiality Integrity and Authentication provided via digital signatures Subscribers can verify signatures over cleartext contents Brokers and PSAS can verify signatures over encrypted contents Usage- based accounting Publicly verifiable transformation certificates generated by PSAS

12 Conclusions and Future Work Proposed novel approach for security in CBPS Confidentiality, integrity, and authentication of events Usage-based accounting Future Work Detailed scalability and cost analysis Prototype implementation using Siena (supports XML events) Available threshold cryptographic libraries

Download ppt "Scalable Security and Accounting Services for Content-based Publish/Subscribe Systems Himanshu Khurana NCSA, University of Illinois."

Similar presentations

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
By Md Emran Mazumder Ottawa University Student no: 6282845.

By Md Emran Mazumder Ottawa University Student no:
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.

Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Cryptographic Techniques Instructor: Jerry Gao Ph.D. San Jose State University URL: May,

Cryptographic Techniques Instructor: Jerry Gao Ph.D. San Jose State University URL: May,
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Cryptographic Technologies

Cryptographic Technologies
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Similar presentations

Ads by Google