SeCol: Secure Collaborative Applications using Group Communication and Publish/Subscribe Systems


Page 1: SeCol: Secure Collaborative Applications using Group Communication and Publish/Subscribe Systems

Himanshu Khurana, NCSA

Page 2

Project Overview

• Goal: develop novel security solutions that minimize trust liabilities in messaging infrastructures
• Dates: Sep 1, 2005 - Aug 31, 2006
• Budget: $200k
• Personnel
  • Himanshu Khurana (PI)
  • Rakesh Bobba (Security Engineer)
  • Weiting Cao (PhD Student)
  • Radostina Koleva (Consultant)

Page 3

Introduction

• Collaborative applications need a messaging infrastructure
  • E.g., conferencing uses group communication; tickers (stock, news, game-score) use pub/sub
• Widespread use requires secure messaging infrastructures
  • Integrity and authentication typically provided via CA/PKI
    • Works but imposes certificate distribution/revocation problems
  • Confidentiality provided by trusted servers
    • Servers bear significant trust liability of maintaining confidentiality of messages and keys
    • E.g., group controllers store long term and session keys
  • Availability provided via replication
    • However, replicating keys makes the system insecure

Page 4

Introduction

• Challenges for minimizing trust liability
  • Infrastructure servers must not be able to access messages
    • However, servers often need to process these messages
  • Solution should not require establishment of keys between collaborating entities
    • O(n²) problem and, furthermore, does not take advantage of the presence of the messaging infrastructure
  • Solution must scale to support a large number of users
• Approach
  • Explore novel proxy encryption techniques to address the problem
    • Convert ciphertext between keys without access to plaintext
  • Use techniques to design secure messaging infrastructures
    • Group communication and Publish/Subscribe infrastructures

Page 5

Secure Group Communication (SGC)

• SGC needed to support many military and commercial applications; e.g.,
  • Conferencing (Video and/or Audio), Command-and-Control Systems, Interactive Distance-Learning
• Group Key Management (GKM) cornerstone of SGC
  • Involves distribution of symmetric key to group members
  • Must be efficient and scalable
  • Shared key changed every time a member joins/leaves group
• Existing GKM Schemes
  • Logical Key Hierarchies (LKH) using Group Controllers (GC)
    • Advantage: Very efficient, constant number of rounds
    • Drawback: GC is completely trusted
  • Decentralized or Contributory Schemes
    • Advantage: Does not involve a GC
    • Drawback: Scale poorly

Page 6

TASK - Tree-based w/ Asymmetric Split Keys

• Efficient and Scalable
  • Log(n) computation and storage
  • Log(n) message size, constant number of communication rounds
• Partially Trusted GC
  • GC does not store encryption keys
  • Confidentiality maintained even if GC is compromised
  • Therefore, GC no longer single point of security failure
  • Instead, GC uses proxy encryption to transform messages between members for key establishment
  • Simpler recovery from GC compromise
• Assumptions
  • GC and a member are not simultaneously compromised

Page 7

Difference between LKH & TASK

Page 8

Goals for Y3

• Complete development and testing of prototype
  • 9000+ lines code written and partially tested
• Extend prototype
  • For wireless communication using Elliptic Curve Cryptography
  • Compatibility with other reliable messaging solutions such as NORM (NRL)
• Address collusion problem
  • Simultaneous compromise of member and GC reveals GKEK
  • Explore improvements to proxy encryption (known problem) as well as alternatives
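The proxy transformation described on the "Introduction" and TASK slides, together with the collusion problem listed above, can be seen in a generic split-key ElGamal construction. This is an added example, not code from the SeCol or TASK prototype; the construction, the demo-size group (2^127 - 1 with base 3) and every function name are assumptions chosen for illustration.

```python
import secrets

# Assumed demo parameters: Mersenne prime 2^127 - 1, base 3. Far too small
# (and p - 1 is smooth) for real use; they only make the arithmetic visible.
P = 2**127 - 1
G = 3
ORDER = P - 1  # exponents live modulo the order of Z_p^*


def keygen():
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)


def split(x):
    """Split secret x into a controller share x1 and a member share x2."""
    x1 = secrets.randbelow(ORDER - 1) + 1
    return x1, (x - x1) % ORDER


def encrypt(pub, m):
    r = secrets.randbelow(ORDER - 1) + 1
    return pow(G, r, P), (m * pow(pub, r, P)) % P


def decrypt(x, ct):
    c1, c2 = ct
    return (c2 * pow(c1, -x, P)) % P


def proxy_transform(x1, ct):
    """Controller removes its share; the result is an ElGamal ciphertext
    under G^x2, and the plaintext never appears at the controller."""
    c1, c2 = ct
    return c1, (c2 * pow(c1, -x1, P)) % P


def demo():
    secret, pub = keygen()
    x1, x2 = split(secret)                        # x1: controller, x2: member
    m = int.from_bytes(b"session-key-01", "big")  # constructed sample message
    ct = encrypt(pub, m)
    return {
        "member_after_transform": decrypt(x2, proxy_transform(x1, ct)) == m,
        "controller_alone": decrypt(x1, ct) == m,
        "member_alone": decrypt(x2, ct) == m,
        # Both shares together rebuild the full secret: the collusion case.
        "collusion_rebuilds_secret": (x1 + x2) % ORDER == secret,
    }
```

Neither share decrypts on its own, which is why a compromised controller alone learns nothing, and why the slide's assumption that controller and member are not compromised together matters.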

Page 9

Introduction to Pub/Sub

[Figure: Pub/Sub Infrastructure (e.g., Gryphon, Siena). Node types in the legend: Border Broker, Broker, Publisher, Subscriber; node labels in the diagram: B, PB, SB.]

• Applications: software updates, location-based services, supply chain management, traffic control, and stock quote dissemination
• Three types: Topic-based, type-based, and content-based
  • Content-based considered to be the most general

Page 10

Security Challenges Addressed for Content-Based Pub/Sub Systems (CBPS)

• Confidentiality, integrity, and authentication of events
• Deliver information to authorized subscribers
• Usage-based accounting
  • E.g., for stock quote dissemination
• Solution Highlights
  • Strong adversarial model: PBs & SBs don’t trust broker network
    • Adversary has access to CBPS network traffic and will attempt to
      • Violate confidentiality of events by observing them
      • Violate integrity and authentication by inserting/modifying fake events and subscriptions
  • No security associations (e.g. keys) needed between PBs and SBs
  • No modifications needed to existing matching & routing algorithms
  • Scales to support an Internet-scale pub/sub infrastructure

Page 11

Confidentiality

• Adversary has access to network traffic; contents cannot be disclosed to brokers
• One approach: perform computations on encrypted data
  • Difficult to implement in practice
  • Requires modifications to matching and routing techniques
• Observation
  • Only selected parts of an event’s content need to be confidential
  • Matching and routing can be accomplished without these parts
• Our Approach
  • Encode events in XML documents
  • Selectively encrypt sensitive parts of events
    • Use Bertino and Ferrari’s XML document dissemination techniques
  • Distribute keys to authorized subscribers
    • Using Jakobsson’s proxy encryption techniques

Page 12

Confidentiality Examples

Cleartext Event Contents:
Message: id 100
<?xml?><stock><symbol>YHOO</symbol><price> 70.2 </price><open>50</open><volume>10000</volume></stock>

Encrypt → Encrypted Package:
Message: id 100
<?xml?><stock><symbol>YHOO</symbol><price> Ek(70.2) </price><open>50</open><volume>10000</volume></stock>
EncPK(k)

Cleartext Event Contents:
Message: id 200
<?xml?><gamescore><date>8/5/04</date><teams>NY-CA</teams><score>10-3</score></gamescore>

Encrypt → Encrypted Package:
Message: id 200
<?xml?><gamescore><date>8/5/04</date><teams>NY-CA</teams><score>Ek(10-3)</score></gamescore>
EncPK(k)

Ek(): symmetric key encryption (e.g., AES) using key k
EncPK(): El Gamal public key encryption using key PK
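The selective encryption of the stock event above, as an added example that is not part of the presentation: only `<price>` is encrypted, so a broker can still match on `<symbol>` while a subscriber holding k recovers the price. An HMAC-SHA256 keystream with an authentication tag stands in for AES so the code runs on the standard library alone; the `enc` attribute and all function names are assumptions.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: standard-library stand-in for AES (assumption)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _subkeys(k):
    # Separate keys for encryption and for the integrity tag
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())

def seal(k, text):
    ek, mk = _subkeys(k)
    nonce, data = os.urandom(16), text.encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(ek, nonce, len(data))))
    tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def unseal(k, blob):
    ek, mk = _subkeys(k)
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("encrypted field failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct)))).decode()

def protect(event_xml, k, sensitive):
    """Publisher side: encrypt only the listed elements, mark them enc="1"."""
    root = ET.fromstring(event_xml)
    for el in root:
        if el.tag in sensitive:
            el.text = seal(k, el.text.strip())
            el.set("enc", "1")
    return ET.tostring(root, encoding="unicode")

def broker_match(event_xml, subscription):
    """Broker side: match on cleartext fields only; it never holds k."""
    root = ET.fromstring(event_xml)
    for tag, want in subscription.items():
        el = root.find(tag)
        if el is None or el.get("enc") or el.text != want:
            return False
    return True

def subscriber_view(event_xml, k):
    root = ET.fromstring(event_xml)
    return {el.tag: unseal(k, el.text) if el.get("enc") else el.text for el in root}

# Event body taken from the slide (message id 100)
EVENT = "<stock><symbol>YHOO</symbol><price> 70.2 </price><open>50</open><volume>10000</volume></stock>"
```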

Page 13

Distributing Keys to Authorized Subscribers

[Figure: PB and SB connected through Border Broker B1, the broker network and Border Broker B2, together with the Proxy Security and Accounting Service (PSAS). Arrow labels: Register/Publish, Transform, Register/Receive.]

• Proxy Security and Accounting Service (PSAS)
  • n servers (1, 2, 3, …, n) with t of n threshold key sharing of KPS
  • l coordinators (c1, c2, …, cl) with m of l sharing of KPS
• For each EG decryption key (KPS, PKPS): $K_{PS} = \sum_{i=1}^{t} K_{PS_i}$, where $K_{PS_i}$ is a key share held by any server
• RSA Signature Key (KPS, PKPS): $K_{PS} = \sum_{i=1}^{m} K_{PS_i}$, where $K_{PS_i}$ is a key share held by any coordinator

Page 14

Goals for Y3

• Complete scalability analysis
  • A single PSAS can support 10s of thousands of subscribers
• Address potential leakage of sensitive event contents
• Formal security analysis of solution
• Implementation of prototype
  • Leverage existing pub/sub systems
    • Siena, supports XML encoding of events
  • Leverage existing threshold cryptographic libraries
    • CODEX, leverages COCA

Page 15

Questions?

Himanshu Khurana and Radostina Koleva, “Scalable Security and Accounting Services in Content-based Publish/Subscribe Systems”, International Journal of E-Business Research, to appear, 2006.

Himanshu Khurana, “Scalable Security and Accounting Services in Content-based Publish/Subscribe Systems”, in proceedings of the E-Commerce Track of the ACM Symposium on Applied Computing (SAC), March 2005.

Himanshu Khurana, Rafael Bonilla, Adam Slagell, Raja Afandi, Hyung-Seok Hahm, and Jim Basney, “Scalable Group Key Management with Partially Trusted Controllers”, in the International Conference on Networking, Reunion Island, April 2005.

Himanshu Khurana, Luke St. Clair, and Weiting Cao, “Scalable Group Key Management with Partially Trusted Controllers”, in preparation for submission to the Journal of Communication and Networking.