A Framework for Secure End-to-End Delivery of Messages in Publish/Subscribe Systems Shrideep Pallickara, Marlon Pierce, Harshawardhan Gadgil, Geoffrey.

Slides:



Advertisements
Similar presentations
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Advertisements

1 A Scalable Approach for the Secure and Authorized Tracking of the Availability of Entities in Distributed Systems Shrideep Pallickara, Jaliya Ekanayake.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Grid Security. Typical Grid Scenario Users Resources.
Chapter 5 Network Security Protocols in Practice Part I
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Cryptography Basic (cont)
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Web services security I
JMS Compliance in NaradaBrokering Shrideep Pallickara, Geoffrey Fox Community Grid Computing Laboratory Indiana University.
Scalable Security and Accounting Services for Content-based Publish/Subscribe Systems Himanshu Khurana NCSA, University of Illinois.
1 On the Creation & Discovery of Topics in Distributed Publish/Subscribe systems Shrideep Pallickara, Geoffrey Fox & Harshawardhan Gadgil Community Grids.
June 25 th PDPTA Incorporating an XML Matching Engine into Distributed Brokering Systems.
Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
A Transport Framework for Distributed Brokering Systems Shrideep Pallickara, Geoffrey Fox, John Yin, Gurhan Gunduz, Hongbin Liu, Ahmet Uyar, Mustafa Varank.
Key Management Workshop November 1-2, Cryptographic Algorithms, Keys, and other Keying Material  Approved cryptographic algorithms  Security.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Shrideep Pallickara, Jaliya Ekanayake, Geoffrey Fox Community Grids Lab Indiana University Collaborative Analysis of Distributed Data Applied to Particle.
DIGITAL SIGNATURE.
Securing Broker-Less Publish/Subscribe Systems Using Identity-Based Encryption.
June 18 th ACM Middleware NaradaBrokering: A Middleware Framework and Architecture for.
Network Security Celia Li Computer Science and Engineering York University.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Network Security Confidentiality Using Symmetric Encryption Chapter 7.
Scripting based architecture for Management of Streams and Services in Real-time Grid Applications Authors Harshawardhan Gadgil, Geoffrey Fox, Shrideep.
Key management issues in PGP
IPSec Detailed Description and VPN
Chapter 5 Network Security Protocols in Practice Part I
Web Applications Security Cryptography 1
Reviews Rocky K. C. Chang 20 April 2007.
Symmetric Cryptography
CSE 4905 IPsec.
Tutorial on Creating Certificates SSH Kerberos
Grid Security.
Computer Communication & Networks
Chapter 18 IP Security  IP Security (IPSec)
IT443 – Network Security Administration Instructor: Bo Sheng
Network Security.
Secure Sockets Layer (SSL)
Public Key Encryption Systems
CSCE 715: Network Systems Security
Shrideep Pallickara, Hasan Bulut & Geoffrey Fox Community Grids Lab
Tutorial on Creating Certificates SSH Kerberos
CSE 4095 Transport Layer Security TLS, Part II
Cryptography Basics and Symmetric Cryptography
Chapter 7 STRENGTH OF ENCRYPTION & Public Key Infrastructure
NAAS 2.0 Features and Enhancements
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
Multi-party Authentication in Web Services
Wireless Reliable Messaging Protocol for Web Services (WS-WRM)
Securing the CASP Protocol
Path key establishment using multiple secured paths in wireless sensor networks CoNEXT’05 Guanfeng Li  University of Pittsburgh, Pittsburgh, PA Hui Ling.
Multi-party Authentication in Web Services
Cryptography and Network Security
Security Of Wireless Sensor Networks
The Secure Sockets Layer (SSL) Protocol
COMPSCI210 Recitation 5 Oct 2012 Vamsi Thummala
Chinese wall model in the internet Environment
Security of Wireless Sensor Networks
CSCE 715: Network Systems Security
CSCE 715: Network Systems Security
Security Attacks, Mechanisms, and Services
Public Key Encryption Systems
Cryptography and Network Security
Review of Cryptography: Symmetric and Asymmetric Crypto Advanced Network Security Peter Reiher August, 2014.
National Trust Platform
Lecture 36.
Lecture 36.
Presentation transcript:

A Framework for Secure End-to-End Delivery of Messages in Publish/Subscribe Systems Shrideep Pallickara, Marlon Pierce, Harshawardhan Gadgil, Geoffrey Fox, Yan Yan, Yi Huang spallick@indiana.edu Community Grids Lab, Indiana University IEEE/ACM GRID 2006 http://www.naradabrokering.org

Motivation As applications have gotten increasingly distributed there is a need for ensuring the secure and authorized distribution of data. IEEE/ACM GRID 2006 http://www.naradabrokering.org

Messaging Systems Messaging is the routing of content from the producer to the consumer. This can be point-to-point or many-to-many. Messaging Infrastructures underlie most complex systems Approaches to messaging include systems such as queuing, P2P systems and publish/subscribe. IEEE/ACM GRID 2006 http://www.naradabrokering.org

Publish/Subscribe Systems IEEE/ACM GRID 2006 http://www.naradabrokering.org

Messages & Selectivity IEEE/ACM GRID 2006 http://www.naradabrokering.org

Topic Discovery Scheme Create topics that are unique in space and time in a decentralized fashion Establish topic provenance Deterministic cryptographic verification of ownership Restrict discovery of topics to only those that possess valid credentials or within a defined set Establish topic life-cycle Manage topic collections & organization IEEE/ACM GRID 2006 http://www.naradabrokering.org

Security Scheme: Desiderata Thwart eavesdropping Tamper-evidence Authorized data generation/consumption Specify allowed actions Duration of rights Identity assertion & Non-repudiation Transport-independent Cope with attack scenarios IEEE/ACM GRID 2006 http://www.naradabrokering.org

Leveraged cryptographic tools Symmetric keys for payload encryptions and decryptions Message digests for tamper evidence PKI for signing and verifications For secure “dialogue” between two entities use combination of symmetric and asymmetric keys IEEE/ACM GRID 2006 http://www.naradabrokering.org

Security Scheme: Components IEEE/ACM GRID 2006 http://www.naradabrokering.org

Communications/Interactions All interactions are through the exchange of discrete messages Need to know the communication topic Entities are selective about who can discover its communication topic(s) Topic owner needs to first discover the KMC willing to host the secure topic Based on credentials supplied during discovery Willing KMCs will respond with their communication topics (secured) in the responses IEEE/ACM GRID 2006 http://www.naradabrokering.org

Entity-KMC Interactions IEEE/ACM GRID 2006 http://www.naradabrokering.org

Security Scheme: Broker Processing IEEE/ACM GRID 2006 http://www.naradabrokering.org

Coping with a couple of attacks Denial of Service attacks Unauthorized generation of data is not allowed Deluging KMC is difficult Quite hard to “guess” the 128-bit UUID Network location know only to hosting broker Replay attacks For every entity maintain information about last timestamp Discard messages published in the past For higher publish rates, maintain combination of NTP timestamps and message numbers No need to keep track of message identifiers IEEE/ACM GRID 2006 http://www.naradabrokering.org

IEEE/ACM GRID 2006 http://www.naradabrokering.org

Benchmark Topologies http://www.naradabrokering.org 4 CPU (Xeon machines), 2GB RAM 100 Mbs network IEEE/ACM GRID 2006 http://www.naradabrokering.org

Encryption {AES 256, PKCS7 padding CBC mode} Operation Mean Standard Deviation Error Publisher Costs Initialization Vector 1.108 0.025 0.003 Encryption 1.421 0.055 0.005 Signing Payload 15.518 0.126 0.013 Header 15.238 0.112 0.011 Broker Costs Token and Message Validation 6.989 0.199 0.020 Replay-attack check 0.031 0.0 Subscription validity 0.027 0.004 Subscriber Costs Verify Token + Header 3.74 0.13 Verify Payload 1.64 0.032 Decryption 1.41 0.021 0.002 Encryption {AES 256, PKCS7 padding CBC mode} Signing {1024-bit RSA, 160-bit SHA-1} IEEE/ACM GRID 2006 http://www.naradabrokering.org

Conclusions Topic provenance lays the groundwork for the security framework Since the scheme is transport independent, it is applicable for systems that can’t use SSL E.g. Audio/Video conferencing systems Overheads introduced by the security scheme relate to cryptographic operations. No significant increase in message size Jitter introduced by scheme is quite low Since the nature of processing is determined by the contents in autonomous messages the system can enforce secure and best-effort schemes equally well. IEEE/ACM GRID 2006 http://www.naradabrokering.org

Future Work Detecting security compromises In case of a compromise Issue authentication challenges at regular intervals Issue queries from a previously negotiated set of queries/responses during initialization Shorter key lifetimes In case of a compromise Compute new keys Propagate compromise info to relevant nodes within the system IEEE/ACM GRID 2006 http://www.naradabrokering.org

Related Work GKMP – For Multicast Groove – Secure shared spaces GSI WS-Security IEEE/ACM GRID 2006 http://www.naradabrokering.org

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.