1 / 22

Performance modelling of security protocols

Performance modelling of security protocols. Nigel Thomas and Yishi Zhao Newcastle University. Why security and performance?. Security adds an overhead to the actions performed. Different protocols, algorithms or parameters add different overheads.

mulan
Download Presentation

Performance modelling of security protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Performance modelling of security protocols Nigel Thomas and Yishi Zhao Newcastle University

  2. Why security and performance? • Security adds an overhead to the actions performed. • Different protocols, algorithms or parameters add different overheads. • Hence to optimise the performance we can alter the choice of protocol/algorithm/parameters. • This might also lead to a change in security properties; hence a security vs performance tradeoff.

  3. Example 1: performance vs encryption algorithm

  4. Example 2: performance vs key length

  5. Example 3: performance of different functions

  6. Performance modelling of protocols • Normally we form an abstract model with many simplifications which we then analyse and compare to the original (or simulation) empirically. • This is not generally acceptable to the security community, as small changes in the protocol can radically alter the security properties. • Instead, some clear (“formal”) correspondence between the protocol specification and the model specification is required.

  7. Idealised view Verification Security analysis Formal transformation

  8. Case study: two non-repudiation protocols • Non-repudiation is used to agree a set of actions such that the participants cannot later deny the agreement. • Many non-repudiation use a trusted third party and public publication of (encrypted) messages, e.g. a bulletin board. • We have investigated two protocols proposed by Zhou and Gollman: • J. Zhou and D. Gollmann, A Fair Non-repudiation Protocol, in: Proceedings of IEEE Symposium on Security and Privacy, IEEE Computer Society, 1996. • J. Zhou and D. Gollmann, Observation on Non-repudiation, in: Advances in Cryptology, LNCS 1163, Springer-Verlag, 1996.

  9. Zhou & Gollman (1)

  10. Zhou & Gollman (2)

  11. Features of our models • Hand crafted in PEPA: • Explicit naming of protocol actions. • All delays are negative exponential. • Data not represented. • No network delays, no misbehaviour, no failures. • Server always available. • “Pure” processor sharing (=infinite threading). • No contention for bulletin board access.

  12. ZG1 protocol 1. A → B : fNRO, B, L, C, NRO (sendB) 2. B → A : fNRR, A, L, NRR (sendA) 3. A → TTP : fSUB, B, L, K, sub_K (sendTTP) 4. B ↔ TTP : fCON, A, B, L, K, con_K (publish & getByB) 5. A ↔ TTP : fCON, A, B, L, K, con_K (publish & getByA)

  13. Initial PEPA version of ZG1 Where, L={sendTTP,getByB,getByA}, K= {sendB,sendA,work}

  14. Deriving a PEPA performance model • This initial PEPA model needs to be transformed in order to perform performance analysis. • Add multiple components. • Make the model cyclic. • Introduce competition for service at TTP. • The model also requires changes to facilitate solution. • Remove passive actions. • Partially evaluate A and B.

  15. ZG3 protocol 1. A → TTP : fNRO, TTP, B, M, NRO (request) 2. A ↔ TTP : fNRS, A, B, Ts, L, NRS (publish1& getByA1) 3. TTP → B : A, L, NRO (sendB) 4. B → TTP : fNRR, L, NRR (sendTTP) 5. B ↔ TTP : L, M (publish2 & getByB) 6. A ↔ TTP : fNRD, Td, L, NRR, NRD (publish2 & getByA2)

  16. ZG1 MVA and ODE solutions

  17. ZG1 ODE solution (big model!)

  18. ZG1 vs ZG3

  19. Conclusions • Estimating the costs (as well as the benefits) of security is important. • We can derive performance models which explicitly represent the protocol (“almost” automatically). • We can solve these models very efficiently using a variety of methods. but… • We need to be careful not to introduce new behaviours or approximation errors, • The modelling expert remains in the loop!

  20. Papers • Y. Zhao and N. Thomas, Efficient solutions of a PEPA model of a key distribution centre, Performance Evaluation, in press, doi:10.1016/j.peva.2009.07.005, 2010. • Y. Zhao and N. Thomas, Comparing Methods for the Efficient Analysis of PEPA Models of Non-repudiation Protocols, in: Proc. 15th International Conference on Parallel and Distributed Systems, IEEE Computer Society, 2009. • Y. Zhao and N. Thomas, Experiences of using the PEPA performance modelling tools with a non-repudiation protocol, in: Proc. 23rd European Simulation Multiconference, SCS Publishers, 2009. • Y. Zhao and N. Thomas, Approximate solution of a PEPA model of a key distribution centre, in: Performance Evaluation - Metrics, Models and Benchmarks: SPEC International Performance Evaluation Workshop, LNCS 5119, Springer Verlag, 2008. • C. Lamprecht, A. van Moorsel, P. Tomlinson, N. Thomas, Investigating the efficiency of cryptographic algorithms in online transactions, International Journal of Simulation: Systems, Science and Technology, 7(2), pp. 63-75, 2006. • S. Dick and N. Thomas, Performance analysis of PGP, in: Proceedings 22nd UK Performance Engineering Workshop, Bournemouth University, 2006.

More Related