SeCol: Secure Collaborative Applications using Group Communication and Publish/Subscribe Systems

1. SeCol: Secure Collaborative Applications using Group Communication and Publish/Subscribe Systems Himanshu Khurana NCSA

2. Project Overview • Goal: develop novel security solutions that minimize trust liabilities in messaging infrastructures • Dates: Sep 1, 2005 - Aug 31, 2006 • Budget: $200k • Personnel • Himanshu Khurana (PI) • Rakesh Bobba (Security Engineer) • Weiting Cao (PhD Student) • Radostina Koleva (Consultant)

3. Introduction • Collaborative applications need a messaging infrastructure • E.g., conferencing uses group communication, tickers (stock, news, game-score) uses pub/sub • Widespread use requires secure messaging infrastructures • Integrity and authentication typically provided via CA/PKI • Works but imposes certificate distribution/revocation problems • Confidentiality provided by trusted servers • Servers bear significant trust liability of maintaining confidentiality of messages and keys • E.g., group controllers store long term and session keys • Availability provided via replication • However, replicating keys makes the system insecure

4. Introduction • Challenges for minimizing trust liability • Infrastructure servers must not be able to access messages • However, servers often need to process these messages • Solution should not require establishment of keys between collaborating entities • O(n2) problem and, furthermore, does not take advantage of the presence of the messaging infrastructure • Solution must scale to support a large number of users • Approach • Explore novel proxy encryption techniques to address the problem • Convert ciphertext between keys without access to plaintext • Use techniques to design secure messaging infrastructures • Group communication and Publish/Subscribe infrastructures

5. Secure Group Communication (SGC) • SGC needed to support many military and commercial applications; e.g., • Conferencing (Video and/or Audio), Command-and-Control Systems, Interactive Distance-Learning • Group Key Management (GKM) cornerstone of SGC • Involves distribution of symmetric key to group members • Must be efficient and scalable • Shared key changed every time a member joins/leaves group • Existing GKM Schemes • Logical Key Hierarchies (LKH) using Group Controllers (GC) • Advantage: Very efficient, constant number of rounds • Drawback: GC is completely trusted • Decentralized or Contributory Schemes • Advantage: Does not involve a GC • Drawback: Scale poorly

6. TASK - Tree-based w/ Asymmetric Split Keys • Efficient and Scalable • Log(n) computation and storage • Log(n) message size, constant number of communication rounds • Partially Trusted GC • GC does not store encryption keys • Confidentiality maintained even if GC is compromised • Therefore, GC no longer single point of security failure • Instead, GC uses proxy encryption to transform messages between members for key establishment • Simpler recovery from GC compromise • Assumptions • GC and a member are not simultaneously compromised

7. Difference between LKH & TASK

8. Goals for Y3 • Complete development and testing of prototype • 9000+ lines code written and partially tested • Extend prototype • For wireless communication using Elliptic Curve Cryptography • Compatibility with other reliable messaging solutions such as NORM (NRL) • Address collusion problem • Simultaneous compromise of member and GC reveals GKEK • Explore improvements to proxy encryption (known problem) as well as alternatives

9. Introduction to Pub/Sub Pub/Sub Infrastructure (e.g., Gryphon, Siena) B Border Broker PB Publisher B Broker SB Subscriber B B PB B B SB PB B B B B B B SB B PB B SB SB PB PB • Applications: software updates, location-based services, supply chain • management, traffic control, and stock quote dissemination • Three types: Topic-based, type-based, and content-based • Content-based considered to be the most general

10. Security Challenges Addressed for Content-Based Pub/Sub Systems (CBPS) • Confidentiality, integrity, and authentication of events • Deliver information to authorized subscribers • Usage-based accounting E.g., for stock quote dissemination • Solution Highlights • Strong adversarial model: PBs & SBs don’t trust broker network • Adversary has access to CBPS network traffic and will attempt to • Violate confidentiality of events by observing them • Violate integrity and authentication by inserting/modifying fake events and subscriptions • No security associations (e.g. keys) needed between PBs and SBs • No modifications needed to existing matching & routing algorithms • Scales to support an Internet-scale pub/sub infrastructure

11. Confidentiality • Adversary has access to network traffic  contents cannot be disclosed to brokers • One approach: perform computations on encrypted data • Difficult to implement in practice • Require modifications to matching and routing techniques • Observation • Only selected parts of an event’s content need to be confidential • Matching and routing can be accomplished without these parts • Our Approach • Encode events in XML documents • Selectively encrypt sensitive parts of events • Use Bertino and Ferrari’s XML document dissemination techniques • Distribute keys to authorized subscribers • Using Jakobsson’s proxy encryption techniques

12. Message: id 100 <?xml?><stock> <symbol>YHOO</symbol> <price> Ek(70.2) </price> <open>50</open> <volume>10000</volume> </stock> Message: id 100 <?xml?><stock> <symbol>YHOO</symbol> <price> 70.2 </price> <open>50</open> <volume>10000</volume> </stock> Encrypt EncPK(k) Message: id 200 <?xml?><gamescore> <date>8/5/04</date> <teams>NY-CA</teams> <score>Ek(10-3)</score> </gamescore> Message: id 200 <?xml?><gamescore> <date>8/5/04</date> <teams>NY-CA</teams> <score>10-3</score> </gamescore> Encrypt EncPK(k) Confidentiality Examples Cleartext Event Contents Encrypted Packages Ek()  symmetric key encryption (e.g., AES) using key k EncPK()  El Gamal public key encryption using key PK

13. Distributing Keys to Authorized Subscribers Proxy Security and Accounting Service (PSAS) l coordinators with m of l sharing of KPS n servers with t of n threshold key sharing of KPS … 1 2 3 n cl c1 c2 … m RSA Signature Key (KPS, PKPS): Kps =  KPSi where KPSiis a key share held by any coordinator i=1 t For each EG decryption key (KPS, PKPS): Kps =  KPSi where KPSi is a key share held by any server i=1 Transform Border Broker B1 Border Broker B2 … Register/ Publish Register/ Receive broker network PB SB

14. Goals for Y3 • Complete scalability analysis • A single PSAS can support 10s of thousands of subscribers • Address potential leakage of sensitive event contents • Formal security analysis of solution • Implementation of prototype • Leverage existing pub/sub systems • Siena, supports XML encoding of events • Leverage existing threshold cryptographic libraries • CODEX, leverages COCA

15. Questions? • Himanshu Khurana and Radostina Koleva, “Scalable Security and Accounting Services in Content-based Publish/Subscribe Systems”, International Journal of E-Business Research, to appear, 2006. • Himanshu Khurana, “Scalable Security and Accounting Services in Content-based Publish/Subscribe Systems”, in proceedings of the E-Commerce Track of the ACM Symposium on Applied Computing (SAC), March 2005. • Himanshu Khurana, Rafael Bonilla, Adam Slagell, Raja Afandi, Hyung-Seok Hahm, and Jim Basney, “Scalable Group Key Management with Partially Trusted Controllers”, in the International Conference on Networking, Reunion Island, April 2005. • Himanshu Khurana, Luke St. Clair, and Weiting Cao, “Scalable Group Key Management with Partially Trusted Controllers”, in preparation for submission to the Journal of Communication and Networking.