EventGuard A System Architecture for Securing Publish
01 Apr 2020 | 12 views | 0 downloads | 42 Pages | 576.11 KB


ACM Journal Name, Vol. V, No. N, Month 20YY.

An important characteristic of pub-sub overlay services is the decoupling of publishers and subscribers, combined with content-based routing protocols, enabling a many-to-many communication model. Such a model presents many inherent benefits as well as potential risks. On one hand, by offloading the task of identifying destination addresses of publications to the pub-sub overlay network, it not only allows message routing to be handled in a way that avoids unnecessary message replications, but also enables dynamic and fine-grained subscriptions. As a result, pub-sub overlay services have proven to be scalable and effective for wide-area information dissemination. On the other hand, many security concerns exist in such an environment regarding authenticity, confidentiality, integrity, and availability of publications and subscriptions, such as the confidentiality, integrity, and authenticity of subscriptions and publications.

Most research and development of pub-sub systems to date has been largely dedicated to the performance and scalability of pub-sub networks, as well as the expressiveness of event publication and subscription models (Carzaniga et al. 2001; Banavar et al. 1999; Datta et al. 2003). Only recently, a few researchers have studied specific security requirements of pub-sub networks (Wang et al. 2002), pointing out attacks threatening message integrity (unauthorized writes) and authenticity (fake origins), in addition to message confidentiality (unauthorized reads) and the risks of bogus publications and fake subscriptions. Unfortunately, most of the existing secure event distribution protocols proposed so far focus only on the content confidentiality risks in pub-sub networks (Raiciu and Rosenblum 2006; Opyrchal and Prakash 2001). The lack of a more holistic security framework has been a major hurdle in deploying pub-sub systems for mission-critical applications that could greatly benefit from them.

In this paper, we present EventGuard, a framework for securing a pub-sub overlay service. EventGuard simultaneously supports in-network matching and secure content-based routing, but makes careful design choices to trade off performance with security. This is achieved by separating event attributes into two types: routable attributes that are used for in-network matching, and secret attributes whose confidentiality needs to be guaranteed. For example, the secret attribute patientRecord in an event e = ⟨⟨topic, cancerTrail⟩, ⟨age, 25⟩, ⟨patientRecord, record⟩⟩ should be intelligible to only a subscriber S who has subscribed for f = ⟨⟨topic, EQ, cancerTrail⟩, ⟨age, 20⟩⟩, but not to a subscriber S who has subscribed for f = ⟨⟨topic, EQ, cancerTrail⟩, ⟨age, 30⟩⟩. The pub-sub network nodes should be capable of matching the routable attributes in an event e (topic and age in the above example) against the constraints in a subscription filter f without obtaining any information about the secret attribute patientRecord.

Fig. 1. Basic Pub-Sub System.
Fig. 2. EventGuard Architecture.

While past work on secure content-based routing has suggested using group key management algorithms, the need to keep a publisher informed of such groups of subscribers breaks the decoupling between publishers and subscribers, thereby consequently weakening the flexibility, performance, and scalability of the pub-sub system. In contrast, EventGuard proposes to decouple key management between publishers and subscribers as follows: we associate an authorization key K(f) with a subscription filter f and an encryption key K(e) with an event e. The publisher uses the encryption key K(e) to encrypt the secret attributes in an event e, and the subscriber uses the authorization key K(f) to decrypt the secret attributes in a matching event e. We use hierarchical key derivation algorithms (Wong et al. 2000) to map the authorization keys and the encryption keys into a common key space. The mapping ensures that a subscriber can efficiently derive an encryption key K(e) for an event e using an authorization key K(f) for the subscription filter f if and only if the event e matches the subscription filter f. As shown in this paper, disassociating the publisher's encryption key K(f) with subscriber groups offers significant benefits in terms of both flexibility and scalability.

EventGuard supports token-based subscription matching in the pub-sub network. For content-based subscriptions, events may be safely filtered at the subscriber nodes by deriving the decryption key for the event from the authorization key corresponding to the subscription filter. In order to reduce the risk of targeted selective message dropping attack through passive logging, we develop a probabilistic multi-path routing scheme to minimize the amount of information about the routable attributes that can be inferred by the routing nodes.

Besides a decoupled key management scheme and a probabilistic content-based routing scheme, EventGuard comprises a suite of security guards to protect a pub-sub overlay service from various vulnerabilities and threats and to ensure authenticity, availability, confidentiality, and integrity of publications, subscriptions, and pub-sub overlay routing. We present a prototype implementation of EventGuard on top of Siena (Carzaniga et al. 2001) to show that EventGuard is easily stackable on any content-based pub-sub core. With this prototype, we have conducted experimental evaluation of the overhead added by EventGuard to the pub-sub system by comparing EventGuard with Siena. Our experimental results show that EventGuard can secure a pub-sub network with minimal performance penalty.

The rest of this paper is organized as follows. We first present a formal pub-sub system model and a threat model, which serve as the basic system model for the design of EventGuard, in Section 2. Section 3 details the design of our security guards. Section 4 presents our scalable key management algorithm, and Section 5 describes EventGuard's resilient network design. We present an implementation of EventGuard and evaluate it in Section 6. Section 7 discusses some related work, followed by the conclusion in Section 8.

2. PRELIMINARIES

2.1 Reference Pub-Sub Model

In content-based pub-sub systems, publishers publish their contents in terms of
event notifications. An event notification is a set of attributes, where an attribute is defined by its name, type, and value (Carzaniga et al. 2001). Subscribers have the ability to express their interest in an event by sending a subscription to the pub-sub overlay network infrastructure. The subscription is a predicate containing one or more constraints (filters). The infrastructure notifies the subscribers of any published notification that matches their subscribed interests.

Pub-sub systems typically support two levels of event matching: topic-based and content-based. In a topic-based matching scheme (Aguilera and Strom 2000), every event is marked with a topic. A topic could be a simple keyword or any unique numeric identifier. A subscriber subscribes to one or more topics and receives all the events published under these topics. The pub-sub network routes events based on simple topic matching. Content-based matching schemes (Carzaniga et al. 2001; Aguilera et al. 1999; Banavar et al. 1999) are layered on top of topic-based matching schemes and allow more sophisticated event matching and filtering. For example, a subscriber may specify a condition on the event, say stock price 100, as a part of its subscription.

A typical pub-sub system implements five important primitives: subscribe, advertise, publish, unsubscribe, and unadvertise. Subscribers specify the events in which they are interested using the subscribe function. Publishers advertise the type of events they would publish using advertise. Publishers publish events via the publish function. A subscription is repeatedly matched until it is canceled by a call to unsubscribe. An advertisement remains in effect until it is canceled by an unadvertise. We use the term messages to loosely denote all traffic on the pub-sub network, including publications, subscriptions, advertisements, unsubscriptions, and unadvertisements.

Publications are specified in terms of events, and subscriptions are expressed in terms of predicate filters. Formally, an event e ⟨ ⟩ ⟨name, type, value⟩, where is some attribute of the form ⟨name, type, value⟩; name refers to some attribute name, type refers to the data type of the attribute, value corresponds to its published value, and the notation indicates that an event may comprise one or more attributes. A filter selects events by specifying a set of attributes and constraints on the values of those attributes. Formally, filter f ⟨ ⟩ ⟨name, operator, value⟩, where is some constraint of the form ⟨name, operator, value⟩; name refers to some attribute name, value specifies an attribute value, operator refers to a binary operator, and the notation indicates that a filter may be comprised of one or more constraints in a conjunctive form. Operators typically include common equality and ordering relations, etc., for numeric types, and substring, prefix, suffix operators for strings.

An attribute ⟨name, type, value⟩ satisfies a constraint ⟨name, operator, value⟩ if and only if name name, value is of type, and operator value value is true. When an attribute satisfies a constraint, we say that matches. Equivalently, when matches, we say that covers. For example, an attribute ⟨price, 120⟩ matches the constraint ⟨price, 100⟩.

An event e matches a subscription filter f if for all constraints in f there exists some attribute in e that matches. When a filter is used in an advertisement, it defines the set of all possible notifications that can be generated by the publisher. An event e matches an advertisement filter f if for all attributes in e there exists some constraint in f that covers. The notion of covers can be extended in a straightforward manner to two subscription filters, or two advertisement filters, or a subscription filter and an advertisement filter.

Unsubscriptions and unadvertisements serve to cancel previous subscriptions and
advertisements, respectively. Given an unsubscription unsubscribe(X, f), where X is the identity of the subscriber and f is a filter, the pub-sub system cancels all subscriptions subscribe(X, g) submitted by the subscriber X with subscription filter g covered by f. Similarly, an unadvertisement message unadvertise(Y, f) cancels all advertisements advertise(Y, g) submitted by the publisher Y with advertisement filter g covered by f.

As illustrated in Figure 1, in a wide-area pub-sub system, publishers and subscribers are usually outside the pub-sub network (though not required). Typically, we have a relatively small set of known and trusted publishers and a much larger set of unknown subscribers. A natural choice for the topology of a pub-sub network is a hierarchical topology (see Figure 1). Other plausible topologies include peer-to-peer and mixed topologies like super-peer topologies (Carzaniga et al. 2001). For the sake of simplicity, in this paper we assume a hierarchical topology for the pub-sub network. When a node n receives a subscription request subscribe(m, f) from node m, it registers filter f with identity m. If filter f is not covered by any previously subscribed filters at node n, then node n forwards subscribe(n, f) to its parent node. Note that node m could be a subscriber or simply another node in the pub-sub overlay network that forwarded a subscription request to node n.

Effectively, for every publisher, a pub-sub dissemination tree is constructed with the publisher as the root, the subscribers as the leaves, and the pub-sub routing nodes as the intermediate nodes of the tree. The publications flow from the root (publisher) to the leaves (subscribers) of the tree. Similarly, advertisements, unsubscriptions, and unadvertisements are propagated from the root to the leaves of the tree. Note that a node n in the pub-sub network may belong to one or more pub-sub dissemination trees (or so-called pub-sub network channels), and each corresponds to a publisher and a topic of events that the publisher publishes through this channel. When a node n receives a publication notification publish(Y, e) from Y to publish the event e, it uses the pub-sub dissemination tree to which it belongs to identify all active subscriptions whose filters f1, f2, ..., fp are matched by the event e. Then node n identifies and forwards event e to those of its children nodes X1, X2, ..., Xq that have subscriptions with subscription filters covered (matched) by a subset of filter fi (1 ≤ i ≤ p).

2.2 Threat Model

The pub-sub overlay service model is comprised of three entities: publishers, subscribers, and routing nodes. In this section, we present our threat model for all these entities.

Publishers. EventGuard assumes that authorized publishers are honest. All publications by authorized publishers are assumed to be valid and correct. However, one could build a feedback mechanism wherein the subscribers rate the publishers periodically (Srivatsa et al. 2005; Xiong and Liu 2004). Over a period of time, subscribers would subscribe only to high-quality publishers, and the low-quality publishers would eventually run out of business. However, unauthorized publishers may masquerade as authorized publishers and flood the network, and consequently the subscribers, with incorrect or duplicate publications, advertisements, or unadvertisements.

EventGuard assumes that event attributes can be partitioned into routable attributes that are used for in-network routing and secret attributes whose confidentiality needs to be preserved from unauthorized entities. This partition is publisher-specific and applies to all subscribers subscribing to that publisher. On one hand, this restriction allows EventGuard to be highly scalable while retaining attractive security properties. On the other hand, this restriction limits the class of events that can be protected by EventGuard. For example, in location-based events (e.g., ⟨name, building, room, time⟩), the choice of secret attributes is application-specific. In such scenarios, one may use a common minimum set of routable attributes; however, we note that reducing the number of routable attributes reduces the overall performance of a pub-sub system.

Subscribers. EventGuard assumes that authorized subscribers may be partially dishonest. Concretely, we assume that an authorized subscriber does not reveal publications to other unauthorized subscribers (otherwise, this would be equivalent to solving the digital copyrights problem). However, unauthorized subscribers may be curious to obtain information about publications to which they have not subscribed. Also, subscribers may attempt to spam or flood the pub-sub network with duplicate or fake subscriptions and unsubscriptions.

Routing nodes. EventGuard assumes that some of the nodes on the pub-sub network may exhibit dishonest behavior. However, we also assume that a significant fraction of the pub-sub nodes are non-malicious so as to ensure that the network is alive. A pub-sub network is alive if it can route messages and maintain its connectivity despite the presence of malicious nodes. Malicious nodes may eavesdrop or corrupt pub-sub messages routed through them. Malicious nodes may also attempt to selectively (say, based on topic stockQuote) or randomly drop pub-sub messages. Further, malicious nodes may attempt to flood other nodes and subscribers.
2.3 EventGuard Overview

EventGuard is designed to be completely modular and operates entirely above a content-based pub-sub core. EventGuard requires minimal coupling with the pub-sub core and hence can be easily ported from one pub-sub core to another. Figure 2 shows EventGuard's architecture. EventGuard is comprised of three components. The first component is a suite of security guards that guard the pub-sub system from various security threats discussed in Section 2.2. The second component is a light-weight key management service to provide identification and authorization control for advertisements and subscriptions in the pub-sub system. The third component is a resilient pub-sub network that is capable of handling node failures and selective and random dropping-based DoS attacks.

Security Guards. EventGuard comprises six guards securing six critical pub-sub operations: subscribe guard, advertise guard, publish guard, unsubscribe guard, unadvertise guard, and routing guard. These guards are built on top of the content-based routing primitive available in a pub-sub network, with the goal of protecting these operations from various attacks discussed in Section 2.2.

Key Management Service. EventGuard relies on a thin trusted meta-service (MS) to create keys that are used for confidentiality and access control in the pub-sub network, and signatures that are used to ensure the authenticity of control activities such as subscribe, unsubscribe, advertise, and unadvertise. The MS also supports a periodic rekeying operation to efficiently handle unsubscriptions in a large pub-sub system. The MS may also include an access control engine that determines the set of filters that a subscriber is authorized to subscribe for and the set of filters that a publisher is authorized to publish under. As described later in this paper, access control is implicitly enforced by issuing the right set of encryption and decryption keys to the authorized publishers and authorized subscribers, respectively.

Resilient pub-sub network. EventGuard achieves resilience to node failures and message-dropping-based attacks by constructing a network topology that is richer than the popular tree-based event dissemination topology. Although a strict tree-based topology minimizes the communication cost in the pub-sub content routing network, it is not robust for handling node failures and message dropping attacks (Srivatsa et al. 2006). We improve the resilience of the pub-sub network by modifying the tree structure to incorporate multiple independent paths (Srivatsa and Liu 2004) from the publisher to subscribers.

3. EVENTGUARD BASIC SECURITY GUARDS

In this section, we present a high-level functional overview of EventGuard. We first introduce the three building blocks used by EventGuard: tokens, keys, and signatures. Then we describe how EventGuard uses these primitives to develop six safeguards for securing the six important pub-sub operations: subscribe, advertise, publish, unsubscribe, unadvertise, and routing. In this section, we first describe EventGuard mechanisms in the context of a topic-based pub-sub system. Then we present EventGuard mechanisms to handle more complex subscriptions.

Signatures play a fundamental role in achieving message authentication and protecting the pub-sub services from flooding-based DoS attacks. EventGuard uses a probabilistic signature algorithm for achieving authenticity. A signature scheme is probabilistic if there are many possible valid signatures for each message and the verification algorithm accepts any of the valid signatures as authentic. In the first prototype of EventGuard, we use ElGamal (ElGamal 1985) as the probabilistic signature algorithm. A signature on any message M using ElGamal yields a tuple ⟨r, s⟩. The r component of the signature is guaranteed to be unique with high probability. Further, if the same message M is signed twice by the same entity x, we get two different but valid ElGamal signatures of M. All messages originating at entity x are signed using its private key rk(x), and all its signatures are verified using its corresponding public key pk(x). EventGuard uses the trusted meta-service MS to create signatures for advertisements and subscriptions. Subscriptions and advertisements are authenticated using signatures, ensuring that malicious nodes
cannot flood the pub-sub network with bogus publications or phony subscriptions. EventGuard requires the ability to generate public-private keys and certificates for the MS and the publishers in the pub-sub network using OpenSSL (OpenSSL). EventGuard uses in-built mechanisms for distributing certificates and public keys. As described later in this paper, publishers and subscribers receive the MS's public key with certificate when they send their first advertisement or a subscription request to the MS. Subscribers also receive a publisher's public key with certificate from advertisements disseminated through the pub-sub network by the publishers.

We have introduced tokens, keys, and signatures as fundamental building blocks of EventGuard. The next challenge is to design and construct the six concrete safeguards for the following six essential operations: subscribe, advertise, publish, unsubscribe, unadvertise, and routing.

3.1 Subscribe Guard

Subscribe guard is designed for achieving subscription authentication, subscription confidentiality, and subscription integrity, and preventing DoS attacks based on spurious subscriptions. Suppose that a subscriber S wishes to subscribe for a topic w. In EventGuard, subscriber S sends the topic w to the EventGuard trusted meta-service MS, indicating that it wishes to subscribe for topic w. At this point, the MS may act as the authority for implementing a cost model for the pub-sub system. For example, the MS may collect a subscription fee for every subscription (the subscription fee may be dependent on the topic w). Let w be the original subscription filter for topic w sent to MS by the subscriber S, sb(w) denote the subscription permit issued by MS upon receiving a subscription w from subscriber S, and w denote the legal subscription transformed from w by MS in two steps: (1) replacing topic w with token T(w), and (2) signing the subscription with the subscription signature provided by MS. Both are included in the subscription permit sb(w) generated by MS. They are defined as follows:

    w ⟨topic, EQ, w⟩
    sb(w) ⟨K(w), T(w), sig_MS(T(w)), UST(w)⟩
    w ⟨topic, EQ, T(w)⟩, ⟨sig, ANY, sig_MS(T(w))⟩

The MS verifies access rights for a subscriber (if such access control rules are mandated by the publisher) and sends a subscription permit sb(w) to the subscriber S. The key K(w) for topic w is derived as K(w) = KH_rk(MS)(w), where rk(MS) denotes the MS's private key and KH_K(w) denotes a keyed hash of string w using a keyed hash function KH (say, HMAC-SHA1 (Krawczyk et al.)) and a secret key K. EventGuard supports periodic (epoch-based) rekeying to ensure that subscribers cannot read events past their subscription epoch. The token T(w) for topic w is derived as T(w) = H(K(w)), where H(x) denotes a hash of string x using a one-way hash function H (say, MD5 (Rivest 1992) or SHA1 (Eastlake and Jones 2001)). UST_S(w) is a special token given to the subscriber to enable safe unsubscription (discussed later under unsubscribe guard). Observe that if any two subscribers subscribe for topic w, they get the same encryption key K(w) and the same token.

The signature sig_MS(T(w)) is an ElGamal signature by the MS on the token T(w) in the subscription permit sb(w) provided to subscriber S. The signature has two parts: sig_MS(T(w)) = ⟨r, s⟩. Note that the r component of the signature is always unique. Therefore, we use the r component of the signature as the subscription identifier. This signature serves three purposes. First, it enables nodes in the pub-sub network to check the validity of a subscription. Second, we use the subscription identifier (the r component of the signature) to detect and curb DoS attacks based on subscription flooding. Note that even if two subscribers S and S subscribe for the same topic w, sig_MS,S(T(w)) ≠ sig_MS(T(w)) (discussed later under routing guard). Third, it is used to construct the special token UST_S(w) = KH_rk(MS)(r), where r denotes the r component of the MS's signature. We use UST_S(w) to prevent DoS attacks based on fake unsubscription (discussed later under unsubscribe guard).

Upon receiving a subscription permit sb(w) from the MS, subscriber S transforms its original subscription filter w to a legal subscription filter w. The subscriber S could then submit and deploy the signed subscription w on the pub-sub network. Consequently, any publication that includes the token T(w) is routed to S. Routing nodes on the pub-sub network are not able to perform unauthorized reads or writes on the content of any subscription message, thus guaranteeing subscription confidentiality and integrity. Further, nodes compromised due to DoS attacks, even though malicious, are not able to attack the pub-sub network by flooding fake subscriptions.

A subscriber S may restrict the number of publications it would like to receive. For example, a subscriber may use sb(w1) and sb(w2) to construct a subscription filter that is a conjunction of filters f(w1) and f(w2). In general, a subscription filter f ⟨w1 w2 wm⟩ where w described above.

3.2 Publish Guard

Publish guard is designed to safeguard publication confidentiality and publication authenticity, and to guard against DoS attacks based on bogus publications and spam. Suppose a publisher P wishes to publish a publication pbl under topics w1, w2, ..., wm. The topics are used to categorize the content pbl. The content pbl could be any arbitrary sequence of bytes, including text, multimedia, and so on. For each topic wi, the publisher fetches the topic's token T(wi) and its encryption key K(wi) from the MS. A publication event e is constructed as follows. Let e denote the original publication message and e denote a legal event publication transformed from e using tokens and content encryption of publication messages. We formally define them as follows:

    e ⟨⟨publisher, P⟩, ⟨content, pbl⟩, ⟨topic, w1⟩, ..., ⟨topic, wm⟩⟩
    e ⟨⟨publisher, P⟩, ⟨content, E_Kr(pbl)⟩, ⟨topic, T(w1)⟩, ⟨T(w1), E_K(w1)(Kr)⟩, ..., ⟨topic, T(wm)⟩, ⟨T(wm), E_K(wm)(Kr)⟩⟩

The key Kr is a random encryption key generated each time a publisher needs to publish an event. P sends the event e along with its signature, namely sig_P(e); we
note that the certificate for a publisher's public key is distributed to the subscribers using the advertisement message described in the following section. Observe that any subscriber for topic wi possesses the key K(wi). An authorized subscriber uses the key K(wi) to decrypt the random key Kr and uses the random key Kr to decrypt the publication pbl.

The publisher uses an ElGamal signature to sign its publications. The first component of the signature is used as the publication identifier. The signature serves two purposes. First, it enables nodes in the pub-sub network to check the validity of a publication (a publisher's public key is distributed to pub-sub network nodes and subscribers via advertisements, as discussed later under advertise guard). Second, we use the publication identifier (the r component of the signature) to detect and curb a DoS attack based on publication flooding (discussed later under routing guard).

When multiple publishers publish on a common topic, it might be essential to ensure that the publications from a publisher P are not readable by another publisher P. EventGuard handles this problem using a small modification to the authorization key K(w) for topic w. Instead of having a topic key shared across all users, the MS can generate a per-publisher authorization key for topic w as K_P(w) = KH_rk(MS)(P ‖ w). The MS distributes K_P(w) to a publisher. The MS uses K_P(w) to derive authorization keys for subscribers that subscribe to a topic w from publisher P. This incurs almost no additional key generation cost. On the other hand, the subscriber group approach has to maintain separate groups for every publisher P.

3.3 Advertise Guard

Advertise guard is designed for achieving advertisement authentication, advertisement confidentiality and integrity, and preventing DoS attacks based on bogus advertisements. Suppose a publisher P wishes to publish events under topic w. Publisher P sends w and its public key pk(P) to the MS. At this point, the MS may charge a publication fee to the publisher that is some arbitrary function of w. w is the original advertisement filter for topic w.

    w ⟨publisher, EQ, P⟩, ⟨topic, EQ, w⟩
    ad(w) ⟨K(w), T(w), sig_MS(T(w) ‖ P ‖ pk(P)), UAT(w)⟩
    w ⟨publisher, EQ, P⟩, ⟨topic, EQ, T(w)⟩, ⟨sig, ANY, sig_MS(T(w) ‖ P ‖ pk(P))⟩

The MS sends an advertisement permit ad(w) to the publisher P. The key K(w), the token T(w), and the signature sig_MS(T(w) ‖ P ‖ pk(P)) are computed in the same manner as that for subscriptions. The special token UAT_P(w) is used for unadvertisements (discussed in unadvertise). The publisher then constructs the advertisement filter and propagates it to the pub-sub network. Note that the public key pk(P) is essential for the pub-sub nodes and the subscribers to verify the authenticity of publications.

3.4 Unsubscribe Guard
Unsubscribe guard is designed to prevent unauthorized unsubscribe messages, flooding of unsubscribe messages, and spam. When a subscriber S wishes to unsubscribe from a topic w, S sends ⟨T(w), sig_MS(T(w)), UST(w)⟩ to the MS. The MS checks if sig_MS(T(w)) is a valid signature on T(w). The MS uses the special token UST_S(w) to ensure protection from DoS attacks based on fake unsubscription. The MS checks if UST_S(w) is indeed equal to KH_rk(MS)(sbId), where sbId denotes the subscription identifier, namely the r component of the signature sig_MS(T(w)). Note that the signature sig_MS(T(w)) and the token T(w) are sent to the pub-sub network nodes when the subscriber S subscribes for the topic w. However, the subscriber S is never required to reveal the special token UST_S(w) to the pub-sub network. Hence, no malicious node in the pub-sub network would be able to fake an unsubscribe request. Moreover, the use of UST_S(w) prevents some subscriber S ≠ S, who has subscribed for topic w and thus possesses signature sig_MS(T(w)), token T(w), and key K(w), from unsubscribing subscriber S from topic w. We use w to denote the original unsubscription message for topic w.

    w ⟨topic, EQ, w⟩
    usb(w) ⟨sig_MS(T(w) ‖ sbId)⟩
    w ⟨topic, EQ, T(w)⟩, ⟨sig, ANY, sig_MS(T(w) ‖ sbId)⟩

The MS sends an unsubscription permit usb(w) to the subscriber S. Note that the signature includes the token T(w) and the original subscription's identifier sbId. Subscriber S would unsubscribe from topic w by sending w to the pub-sub network. Nodes in the network use the MS's signature to check the validity of an unsubscription and use the unsubscription identifier usbId (the r component of signature sig_MS(T(w) ‖ sbId)) to detect and curb DoS attacks based on unsubscription flooding.

In EventGuard, an authorization key K(f) acts like a capability issued to authorize subscribers to read all events e that match the filter f. As described in our subscription model (see Section 2.1), all subscriptions are accompanied by a payment and are valid for one time epoch. We use a rekeying algorithm that is similar to the lazy revocation (epoch-based periodic rekeying) algorithms used in several group key management protocols (Yang et al. 2001). At the beginning of a new epoch, if the subscribers need to refresh their subscriptions, then they must obtain new authorization keys from the MS. To avoid flash crowds attempting to subscribe at the beginning of a new epoch, we evenly space out the epoch intervals on a per-topic basis. We also adaptively vary the length of the epoch on a per-topic basis using the subscription history. Detailed discussion on choosing the per-topic epoch length is outside the scope of this paper.

3.5 Unadvertise Guard

Unadvertise guard is designed to protect the pub-sub network from unadvertisement flooding. When a publisher P wishes to unadvertise for a topic w, P sends ⟨T(w), sig_MS(T(w) ‖ P ‖ adId), UAT(w)⟩ to the MS. Similar to those illustrated in unsubscribe guard, the special token UAT_P(w) is computed as follows: UAT_P(w) = KH_rk(MS)(adId), where adId denotes the advertisement identifier, namely the r component of the signature sig_MS(T(w)). Note that the use of UAT(w) ensures protection from DoS attacks based on phony unadvertisements. Let w denote the original unadvertisement message for topic w.

    w ⟨publisher, EQ, P⟩, ⟨topic, EQ, w⟩
    uad(w) ⟨sig_MS(T(w) ‖ P ‖ adId)⟩
    w ⟨publisher, EQ, P⟩, ⟨topic, EQ, T(w)⟩, ⟨sig, ANY, sig_MS(T(w) ‖ P ‖ adId)⟩

Upon receiving an unadvertise request from publisher P, the MS generates an unadvertisement permit uad(w) and sends it back to the publisher P. The publisher P uses the advertisement signature sig_MS(T(w) ‖ P ‖ adId) included in the permit to create a legal unadvertise request and submit it to the pub-sub overlay network. This signature, similar to unsubscription, is used by the routing nodes to check its authenticity and detect DoS attacks based on unadvertisement flooding.

3.6 Routing Guard

The pub-sub network nodes route messages based on tokens (the pseudonym for topics). Besides performing the functionality of a regular pub-sub node, we require the nodes to perform additional checks to ensure safety from DoS attacks. Now we discuss the checks implemented by nodes to protect the pub-sub network from flooding-based DoS attacks.

EventGuard requires nodes on the pub-sub network to perform two security checks. The first check is based on signatures for maintaining sender authenticity, and the second check is based on detecting duplicate messages. Subscriptions, unsubscriptions, advertisements, and unadvertisements are verified for the MS's signature. The publications are verified for its publisher's signature. Duplicates are checked using the r component of the signature. Recall that we designate the r component of the ElGamal signature as the message's identifier. When a node receives two subscriptions with the same identifier, it blocks the later one. With the guarantee of sender authenticity and the prevention of duplicate messages, no flooding attack could propagate beyond one good pub-sub node. Figure 3 illustrates this point.

Fig. 3. Handling Flooding-based DoS attacks in EventGuard.

In Figure 3, a malicious (bad) node B1 attempts a flooding-based DoS attack to all its neighbor nodes. Observe that no invalid message (incorrect signatures) and no duplicate message from node B1 would propagate beyond the non-malicious (good) nodes G1, G2, G3, and G4. More importantly, none of the nodes marked X would be hit by this DoS attack. Thus, by deploying routing guards in the pub-sub network, EventGuard can effectively isolate the effect of flooding attacks.

We implement the routing guard (i.e., the two security checks) on each routing node in three steps. First, we require a node to maintain the history of identifiers.
previously seen by it Second we augment each EventGuard message with a times. tamp that is signed by the M S for advertisement subscription unadvertisement. and unsubscription or signed by the publisher for a publication Third a non. malicious node blocks any message if the condition ct ts max delay is met. where ct is the current time ts is the timestamp on a message and max delay is a. system defined parameter Nodes only need to maintain a history of identifiers for. a time duration of max delay Note that max delay must account for time skew. between nodes and routing and communication delays on the pub sub network. 4 EVENTGUARD KEY MANAGEMENT, We have so far described EventGuard mechanisms for a simple topic based sub. scription models In this section we extend EventGuard mechanisms to handle. more sophisticated content based matching operators see Section 2 1 for the defi. nition of topic based and content based matching operators In section 3 we used a. per topic key to enforce event confidentiality from routing nodes and unauthorized. subscribers However content based pub sub networks may use more sophisticated. matching operators such as numeric attribute based matching operators In. this section we present secure and scalable key management algorithms to enforce. event confidentiality for content based matching operators. 4 1 Overview, Secure event dissemination with content based matching operators refers to preserv. ing the confidentiality of secret attributes in an event from unauthorized subscribers. and the routing nodes in the pub sub network Most existing key management so. lutions for pub sub networks use group key management protocols to manage sub. scribers grouped together based on their subscriptions However given a flexible. subscription filter based authorization model every event can potentially go to a. different subset of subscribers In the worst case for N S subscribers there are 2N S. 
subgroups thereby making it infeasible to set up static groups for every possible. subgroup Although some optimizations have been proposed for dynamic groups. such as key caching Opyrchal and Prakash 2001 the worst case key management. cost remains at O 2N S due to its inherent design, EventGuard improves past solutions to the key management problem using a. completely different design philosophy Our key management algorithms disasso. ciate keys from subscriber groups and ensure that the key management cost is. independent of the total number of the subscribers N S in the pub sub system. This is achieved by associating a subscription key K f with a filter f and an en. cryption key K e with an event e such that it is computationally feasible to derive. K e from K f using routable event attributes if and only if e matches f While. this offers complete confidentiality to secret attributes in an event the routable. attributes may be vulnerable to some inference attacks by the pub sub network. nodes EventGuard uses a resilient network see Section 5 to support probabilistic. multi path event routing to allow scalable content based routing while minimizing. the amount of information about the routable attributes that can be inferred by. the routing nodes The primary idea here is to route events from a publisher to. its subscribers probabilistically using multiple independent paths such that the fre. ACM Journal Name Vol V No N Month 20YY, quency of all tokens routing labels on an event appears nearly indistinguishable. for all the routing nodes in the pub sub network,4 2 Key Management Algorithms.
In EventGuard, event confidentiality is implemented using authorization keys and encryption keys. These keys serve complementary purposes. An encryption key is used to encrypt an event so as to maintain its confidentiality from the routing nodes and the subscribers who have not subscribed to that event. An authorization key is used as an authorization permit for subscribers to decrypt an event. We embed encryption and authorization keys into a common key space using hierarchical key derivation algorithms [Wong et al. 2000] such that a subscriber can use its authorization keys to efficiently derive the encryption keys only for those events that match their subscriptions. In this section we describe our key management algorithm and present a detailed quantitative analysis that highlights the benefits of our approach against the group key management approach.

We use authorization keys and encryption keys to support access control on pub-sub systems. These keys serve complementary purposes. An encryption key is used to maintain the confidentiality of an event from subscribers who have not subscribed to that event. An authorization key is designed to encode content-based matching semantics into a key derivation algorithm such that an authorized subscriber can efficiently derive the encryption keys for those events that match their subscriptions. In this paper we demonstrate our approach using four different types of publication-subscription matching: topic or keyword based matching, numeric attribute based matching, category based matching, and string based suffix/prefix matching.

For topic or keyword based matching, an authorization key K(f) associated with a filter f = ⟨topic, EQ, cancerTrail⟩ must be capable of decrypting the message msg in event e = ⟨⟨topic, cancerTrail⟩, ⟨message, msg⟩⟩. On the other hand, a key K(f) associated with filter f = ⟨topic, EQ, humanGenome⟩ should not be able to decrypt msg in event e. For numeric attribute based matching, a key K(f1) used for the filter f1 = ⟨⟨topic, EQ, cancerTrail⟩, ⟨age 20⟩⟩ and a key K(f1) used for the filter f1 = ⟨⟨topic, EQ, cancerTrail⟩, ⟨age 30⟩⟩ must be capable of decrypting the message msg in event e1 = ⟨⟨topic, cancerTrail⟩, ⟨age, 35⟩, ⟨message, msg⟩⟩. On the other hand, key K(f1) should be capable of decrypting the message msg in event e 1 = ⟨⟨topic, cancerTrail⟩, ⟨age, 25⟩, ⟨message, msg⟩⟩, but not the key K(f1). For category based matching, a key K(f2) used for filter f2 = ⟨⟨topic, EQ, cancerTrail⟩, ⟨news unclassifiedNews⟩⟩, a key K(f2) used for f2 = ⟨⟨topic, EQ, cancerTrail⟩, ⟨news classifiedNews⟩⟩, and a key K(f2) used for f2 = ⟨⟨topic, EQ, cancerTrail⟩, ⟨news secretNews⟩⟩ must be capable of decrypting the event e2 = ⟨⟨topic, cancerTrail⟩, ⟨news, unclassifiedNews⟩, ⟨message, msg⟩⟩. On the other hand, only K(f2) should be capable of decrypting the message msg in e 2 = ⟨⟨topic, cancerTrail⟩, ⟨news, secretNews⟩, ⟨message, msg⟩⟩, but not the keys K(f2) and K(f2). For string based prefix/suffix matching, a key K(f3) used for filter f3 = ⟨⟨topic, EQ, cancerTrial⟩, ⟨name, PF, a⟩⟩ and a key K(f3) used for the filter f3 = ⟨⟨topic, EQ, cancerTrial⟩, ⟨name, PF, an⟩⟩ should be capable of decrypting the message msg in event e3 = ⟨⟨topic, cancerTrial⟩, ⟨name, andy⟩, ⟨message, msg⟩⟩. On the other hand, only K(f3) must be capable of decrypting the message msg in e 3 = ⟨⟨topic, cancerTrial⟩, ⟨name, alex⟩, ⟨message, msg⟩⟩, but not the key K(f3).

Fig. 4. Key Tree Category Hierarchy.

In the following sections, we first describe our techniques to handle simple subscriptions that consist of a topic and at most one constraint, say f = ⟨⟨topic, EQ, cancerTrail⟩, ⟨age 15⟩⟩. A complex subscription could consist of constraints combined using the and Boolean operators. We have described algorithms to handle numeric attribute based in-network matching in [Srivatsa and Liu 2007]. In this paper, we describe our key management algorithms for category based matching (Section 4.3), string based prefix/suffix matching (Section 4.4), followed by techniques to handle complex subscriptions in Section 4.5.

4.3 Category Based Matching

In this section we present techniques for access control on named categories that are typically arranged as a category tree. In a category tree, the children of a node represent more detailed information about the same topic than its parent and thus may be considered more confidential. An example category hierarchy that is applicable in a military scenario is shown in Figure 4. A subscriber who subscribes for secretNews1 is implicitly entitled to receive all publications published under categories classifiedNews1 and unclassifiedNews; however, the converse is not true. Additionally, a subscriber who subscribes for secretNews1 is not permitted to read events categorized under classifiedNews2. In general, we use a category matching operation such that an event e = ⟨name, value⟩ matches a filter f = ⟨name value⟩ if and only if value is an ancestor of value in a category tree named name.

Our key derivation algorithm supports category based subscriptions. Given a category, say news, we can construct a subscription filter f = ⟨news cat⟩. The filter f matches any event e = ⟨news, v⟩ if and only if v is an ancestor of cat on the category tree. We associate an authorization key K(f) with every subscription filter f and an encryption key K(e) with every event e. The authorization keys and the encryption keys satisfy the following properties.

Given K(f), it should be computationally easy to derive a key K(e) if v ancestor cat.

Given K(f), it should be computationally infeasible to derive a key K(e) if v ancestor cat.

We construct keys that satisfy the above-mentioned properties as follows. We map
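The three-step routing guard of Section 3.6, as an added example that is not code from the paper: a node blocks stale timestamps, verifies the signature over the timestamped message, and suppresses duplicates by the signature's r component. The toy ElGamal parameters, the `|`-joined message encoding, all names, and the reading of the blocking condition as ct - ts > max_delay are assumptions made for this sketch.

```python
import hashlib, math, secrets

# Toy ElGamal parameters, constructed for this example and NOT secure.
P = 2**127 - 1   # Mersenne prime used as the modulus
G = 3            # base; verification holds for any base by Fermat's little theorem

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 1)

def keygen():
    x = secrets.randbelow(P - 3) + 2           # private key
    return x, pow(G, x, P)                     # (private, public)

def sign(x: int, msg: bytes):
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) != 1:
            continue                           # k must be invertible mod p-1
        r = pow(G, k, P)
        s = (digest(msg) - x * r) * pow(k, -1, P - 1) % (P - 1)
        if s:
            return r, s                        # r doubles as the message identifier

def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < P and 0 < s < P - 1):
        return False
    return pow(G, digest(msg), P) == pow(y, r, P) * pow(r, s, P) % P

def encode(kind: str, token: str, ts: int) -> bytes:
    # Hypothetical wire encoding: the signed body covers the timestamp.
    return f"{kind}|{token}|{ts}".encode()

class RoutingGuard:
    def __init__(self, signer_pub: int, max_delay: int):
        self.signer_pub, self.max_delay = signer_pub, max_delay
        self.seen = {}                         # identifier r -> message timestamp

    def check(self, kind, token, ts, sig, now) -> str:
        # Identifiers older than max_delay can be dropped: a replay of such a
        # message is already blocked by the timestamp test below.
        self.seen = {r: t for r, t in self.seen.items() if now - t <= self.max_delay}
        if now - ts > self.max_delay:          # assumed form of the ct/ts/max_delay test
            return "stale"
        if not verify(self.signer_pub, encode(kind, token, ts), sig):
            return "bad-signature"
        if sig[0] in self.seen:
            return "duplicate"
        self.seen[sig[0]] = ts
        return "forward"

def demo():
    x, y = keygen()                            # stands in for the MS key pair
    guard = RoutingGuard(y, max_delay=30)
    sig = sign(x, encode("subscribe", "T(w)", 1000))   # constructed sample message
    forged = (sig[0], sig[1] ^ 1)
    return [guard.check("subscribe", "T(w)", 1000, sig, now=1005),
            guard.check("subscribe", "T(w)", 1000, sig, now=1006),
            guard.check("subscribe", "T(w)", 1000, forged, now=1007),
            guard.check("subscribe", "T(w)", 1000, sig, now=1100)]
```

The guard here holds a single verification key, which fits the MS-signed control messages; for publications a node would verify against the publisher's key instead.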
