An Architecture for Secure Wide-Area Service Discovery
Todd D. Hodes, Steven E. Czerwinski, Ben Y. Zhao, Anthony D. Joseph, and Randy H. Katz
Imrich Wireless Networks 8, 213-230 (2002)
2005. 10. 17. MMLAB, Seongil Han sihan@mmlab.snu.ac.kr
Contents
- Introduction
  - Features and components
- Design concepts
- Operations
  - SDS servers and services
  - Secure communications
- Wide-area support
  - Multi-criteria search
  - Query filtering
Introduction
- Service discovery system
- Features
  - Security
  - Flexible and multi-criteria search
  - Wide-area deployed
  - Fault tolerance
  - Scalability
Components
- Clients
  - Discover the services, using query
- Services
  - Announce their own descriptions
- SDS server
  - Solicit information from the services and manage queries from clients
Design concepts
- Announcement-based
  - ‘Soft State’
  - Periodic multicast announcements and caching
  - Fast reaction to faults
- XML service descriptions
  - Flexibility and semantic-rich content
- Privacy and authentication
  - Hybrid of asymmetric and symmetric-key cryptography
  - Authentication: certificate
  - Capabilities
- Hierarchical organization
SDS servers
- Basic operations
  - Send authenticated messages periodically
    - List of the domain
    - Multicast address for service announcements
    - Desired service announcement rate
    - Contact information for CA and CM
  - Well-known SDS multicast channel
- Cluster operation and fault tolerance
  - Load balancing, mirrors
- Accepting services and clients
  - Register the services’ description
  - Process the clients’ queries
Services
- Find the correct SDS server
  - Listen for SDS server announcements
  - Not a one-time task
- Send the descriptions to SDS server
  - Proper channel, proper frequency
- Contact Capability Manager
  - Defining the capabilities for individual users
Secure SDS communications
- Authenticated server announcements
  - Sign but not encrypt announcements
  - Timestamp
- Secure one-way service description announcements
  - Hybrid public / symmetric key system
- Authenticated RMI
  - Two-way authenticated and encrypted
  - Use certificates for authentication
[Figure: message layout ID | Ciphered Secret | Payload; Ciphered Secret = {…, Expire, SK, …}EK; Payload = {…data…}SK]
Multi-criteria search
- Very difficult function
  - Complex queries and wide-area distribution
- Mechanism category
  - Centralization: single point of failure
  - Name-specified mapping: hashing, only single criteria
  - Flooding: scalability
Wide-area support
- Objective
  - Full reachability
  - Multi-criteria selection
- Filtered query flooding (query filtering)
  - Dynamic construction and adaptation of the neighbor relationship
  - Set of hierarchical interconnections
  - Multiple trees with various metrics
  - Application-level filtering infrastructure
  - Aggregation and query routing
  - Bloom-filtered crossed terminals (BCT)
Filtering
- Terminal set
  - Nth-degree crossed terminal set
  - Lexicographic concatenation
  - Reduction of N ⇔ increase of ‘false positive’
- Bloom filter
- Routing
  - Parent based filtering (PBF)
  - Full indexing
- Adaptation of service change
  - Table rebuilt, per-bit count
[Figure: services S1 and S2 with values v1 and v2; example queries labeled HIT, MISS and False Positive]
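The filtering slide above, sketched as an added example (not code from the paper or the SDS implementation): a counting Bloom filter over Nth-degree crossed terminals, showing that a query mixing values from two services passes the filter at N=1 but is rejected at N=2. The `tag=value` encoding, the `|` separator, salted SHA-256 hashing, the table size and all function names are assumptions made for illustration.

```python
import hashlib
from itertools import combinations

class CountingBloom:
    """Bloom filter with per-bit counts so a withdrawn service can be removed."""
    def __init__(self, m=4096, k=3):
        self.m, self.k, self.counts = m, k, [0] * m

    def _slots(self, key):
        # k slot indexes derived from salted SHA-256 (assumed hash choice)
        return [int.from_bytes(hashlib.sha256(f"{i}:{key}".encode()).digest()[:8],
                               "big") % self.m for i in range(self.k)]

    def add(self, key):
        for s in self._slots(key):
            self.counts[s] += 1

    def remove(self, key):
        for s in self._slots(key):
            self.counts[s] -= 1

    def __contains__(self, key):
        return all(self.counts[s] > 0 for s in self._slots(key))

def crossed_terminals(desc, n):
    """Every subset of up to n 'tag=value' terminals, joined in lexicographic order."""
    terms = sorted(f"{tag}={val}" for tag, val in desc.items())
    return ["|".join(c) for d in range(1, n + 1) for c in combinations(terms, d)]

def build(services, n):
    """Aggregate the crossed terminals of all services into one filter table."""
    bf = CountingBloom()
    for desc in services:
        for key in crossed_terminals(desc, n):
            bf.add(key)
    return bf

def may_match(bf, query, n):
    """False is a definite MISS; True means the query must be forwarded."""
    return all(key in bf for key in crossed_terminals(query, n))

# Constructed sample descriptions; QUERY takes one value from each service,
# so no single service satisfies it.
S1 = {"type": "printer", "color": "yes", "room": "443"}
S2 = {"type": "scanner", "color": "no", "room": "511"}
QUERY = {"type": "printer", "room": "511"}

if __name__ == "__main__":
    for n in (1, 2):
        print(f"N={n}: forwarded={may_match(build([S1, S2], n), QUERY, n)}")
```

Raising N removes cross-service false positives at the cost of inserting more subsets per description, which is the trade-off the slide states.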
Other issues
- Range query, wildcards
  - BCT supports neither naturally
  - Known false positives (KFPs) caching
- Soft-state messaging
  - Updates: differences + fragment of table
  - Queries: stateless, always with query
  - Query replies: stateless, except for KFPs
Summary
- SDS
  - Complex query
  - Automatic handling of failures
  - Security-minded
- XML
  - Service-specific tag
  - Powerful query
- Soft-state and announcement-based