SeCol: Secure Collaborative Applications using Group Communication and Publish/Subscribe Systems Himanshu Khurana NCSA.


Project Overview
- Goal: develop novel security solutions that minimize trust liabilities in messaging infrastructures
- Dates: Sep 1, Aug 31, 2006
- Budget: $200k
- Personnel
  - Himanshu Khurana (PI)
  - Rakesh Bobba (Security Engineer)
  - Weiting Cao (PhD Student)
  - Radostina Koleva (Consultant)

Introduction
- Collaborative applications need a messaging infrastructure
  - E.g., conferencing uses group communication; tickers (stock, news, game-score) use pub/sub
- Widespread use requires secure messaging infrastructures
- Integrity and authentication typically provided via CA/PKI
  - Works but imposes certificate distribution/revocation problems
- Confidentiality provided by trusted servers
  - Servers bear significant trust liability of maintaining confidentiality of messages and keys
  - E.g., group controllers store long term and session keys
- Availability provided via replication
  - However, replicating keys makes the system insecure

Introduction
- Challenges for minimizing trust liability
  - Infrastructure servers must not be able to access messages
    - However, servers often need to process these messages
  - Solution should not require establishment of keys between collaborating entities
    - O(n^2) problem and, furthermore, does not take advantage of the presence of the messaging infrastructure
  - Solution must scale to support a large number of users
- Approach
  - Explore novel proxy encryption techniques to address the problem
    - Convert ciphertext between keys without access to plaintext
  - Use techniques to design secure messaging infrastructures
    - Group communication and Publish/Subscribe infrastructures

Secure Group Communication (SGC)
- SGC needed to support many military and commercial applications; e.g.,
  - Conferencing (Video and/or Audio), Command-and-Control Systems, Interactive Distance-Learning
- Group Key Management (GKM) is the cornerstone of SGC
  - Involves distribution of symmetric key to group members
  - Must be efficient and scalable
  - Shared key changed every time a member joins/leaves group
- Existing GKM Schemes
  - Logical Key Hierarchies (LKH) using Group Controllers (GC)
    - Advantage: Very efficient, constant number of rounds
    - Drawback: GC is completely trusted
  - Decentralized or Contributory Schemes
    - Advantage: Does not involve a GC
    - Drawback: Scale poorly

TASK - Tree-based w/ Asymmetric Split Keys
- Efficient and Scalable
  - Log(n) computation and storage
  - Log(n) message size, constant number of communication rounds
- Partially Trusted GC
  - GC does not store encryption keys
  - Confidentiality maintained even if GC is compromised
    - Therefore, GC no longer single point of security failure
  - Instead, GC uses proxy encryption to transform messages between members for key establishment
  - Simpler recovery from GC compromise
- Assumptions
  - GC and a member are not simultaneously compromised

Difference between LKH & TASK

Goals for Y3
- Complete development and testing of prototype
  - lines code written and partially tested
- Extend prototype
  - For wireless communication using Elliptic Curve Cryptography
  - Compatibility with other reliable messaging solutions such as NORM (NRL)
- Address collusion problem
  - Simultaneous compromise of member and GC reveals GKEK
  - Explore improvements to proxy encryption (known problem) as well as alternatives

Introduction to Pub/Sub
[Diagram: Pub/Sub Infrastructure (e.g., Gryphon, Siena). Legend: Border Broker, Broker, Publisher, Subscriber]
- Applications: software updates, location-based services, supply chain management, traffic control, and stock quote dissemination
- Three types: Topic-based, type-based, and content-based
  - Content-based considered to be the most general

Security Challenges Addressed for Content-Based Pub/Sub Systems (CBPS)
- Confidentiality, integrity, and authentication of events
  - Deliver information to authorized subscribers
- Usage-based accounting
  - E.g., for stock quote dissemination

Solution Highlights
- Strong adversarial model: PBs & SBs don’t trust broker network
  - Adversary has access to CBPS network traffic and will attempt to
    - Violate confidentiality of events by observing them
    - Violate integrity and authentication by inserting/modifying fake events and subscriptions
- No security associations (e.g. keys) needed between PBs and SBs
- No modifications needed to existing matching & routing algorithms
- Scales to support an Internet-scale pub/sub infrastructure

Confidentiality
- Adversary has access to network traffic, so contents cannot be disclosed to brokers
- One approach: perform computations on encrypted data
  - Difficult to implement in practice
  - Requires modifications to matching and routing techniques
- Observation
  - Only selected parts of an event’s content need to be confidential
  - Matching and routing can be accomplished without these parts
- Our Approach
  - Encode events in XML documents
  - Selectively encrypt sensitive parts of events
    - Use Bertino and Ferrari’s XML document dissemination techniques
  - Distribute keys to authorized subscribers
    - Using Jakobsson’s proxy encryption techniques

Confidentiality Examples
- Example 1
  - Cleartext event contents: Message: id 100 YHOO
  - Encrypted package: Message: id 100 YHOO E_k(70.2)
- Example 2
  - Cleartext event contents: Message: id 200 8/5/04 NY-CA 10-3
  - Encrypted package: Message: id 200 8/5/04 NY-CA E_k(10-3)
- Enc_PK(k)
- E_k(): symmetric key encryption (e.g., AES) using key k
- Enc_PK(): El Gamal public key encryption using key PK

Distributing Keys to Authorized Subscribers
[Diagram labels: PB, SB, Border Broker B1, Border Broker B2, broker network, Proxy Security and Accounting Service (PSAS); arrows: Register/Publish, Transform, Register/Receive]
- PSAS: n servers (1, 2, 3, …, n) with t of n threshold key sharing of K_PS
- l coordinators (c1, c2, …, cl) with m of l sharing of K_PS
- For each EG decryption key (K_PS, PK_PS): K_PS is expressed over the key shares K_PSi, i = 1 to t, where K_PSi is a key share held by any server
- RSA Signature Key (K_PS, PK_PS): K_PS is expressed over the key shares K_PSi, i = 1 to m, where K_PSi is a key share held by any coordinator
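
The Transform step on this slide, and the earlier "convert ciphertext between keys without access to plaintext" point, as an added Python example (not code from the presentation or the SeCol project): servers holding shares of K_PS re-encrypt an El Gamal-encrypted event key k for a subscriber without any server seeing k. Assumptions: a toy group, n-of-n additive sharing standing in for the slide's t of n threshold sharing, and all function names.

```python
import secrets

# Toy group (assumption): 2**127 - 1 is prime, but this group is far too small
# for real use; it only keeps the arithmetic easy to follow.
P = 2**127 - 1
G = 3
ORDER = P - 1  # exponents are reduced mod P - 1

def keygen():
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)

def encrypt(pk, m):
    r = secrets.randbelow(ORDER - 1) + 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, -sk, P)) % P  # negative exponent = modular inverse

def share_key(sk, n):
    # n-of-n additive shares: sk = sum(shares) mod ORDER (assumed scheme)
    shares = [secrets.randbelow(ORDER) for _ in range(n - 1)]
    shares.append((sk - sum(shares)) % ORDER)
    return shares

def server_transform(share, c1, pk_sub):
    # One PSAS server: add fresh randomness under the subscriber key and
    # strip only its own share of the service key. It never computes k.
    r_i = secrets.randbelow(ORDER - 1) + 1
    return pow(G, r_i, P), (pow(pk_sub, r_i, P) * pow(c1, -share, P)) % P

def combine(ct, partials):
    # Multiply the partial results into an El Gamal ciphertext under pk_sub
    d1, d2 = 1, ct[1]
    for u, v in partials:
        d1 = (d1 * u) % P
        d2 = (d2 * v) % P
    return d1, d2

def demo(n_servers=3):
    sk_ps, pk_ps = keygen()            # service key pair (K_PS, PK_PS)
    sk_sb, pk_sb = keygen()            # subscriber key pair
    shares = share_key(sk_ps, n_servers)
    k = secrets.randbelow(P - 2) + 2   # constructed event key k
    ct = encrypt(pk_ps, k)             # publisher sends Enc_PK(k)
    partials = [server_transform(s, ct[0], pk_sb) for s in shares]
    ct_sb = combine(ct, partials)
    return k, decrypt(sk_sb, ct_sb), ct, ct_sb
```

Each server's output is blinded by its own r_i, so k is exposed only if every share holder colludes; this is the collusion assumption the TASK slide states for the GC and a member.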

Goals for Y3
- Complete scalability analysis
  - A single PSAS can support 10s of thousands of subscribers
- Address potential leakage of sensitive event contents
- Formal security analysis of solution
- Implementation of prototype
  - Leverage existing pub/sub systems
    - Siena, supports XML encoding of events
  - Leverage existing threshold cryptographic libraries
    - CODEX, leverages COCA

Questions?
- Himanshu Khurana and Radostina Koleva, “Scalable Security and Accounting Services in Content-based Publish/Subscribe Systems”, International Journal of E-Business Research, to appear,
- Himanshu Khurana, “Scalable Security and Accounting Services in Content-based Publish/Subscribe Systems”, in Proceedings of the E-Commerce Track of the ACM Symposium on Applied Computing (SAC), March
- Himanshu Khurana, Rafael Bonilla, Adam Slagell, Raja Afandi, Hyung-Seok Hahm, and Jim Basney, “Scalable Group Key Management with Partially Trusted Controllers”, in the International Conference on Networking, Reunion Island, April
- Himanshu Khurana, Luke St. Clair, and Weiting Cao, “Scalable Group Key Management with Partially Trusted Controllers”, in preparation for submission to the Journal of Communication and Networking.