Securing Content Based Routing Publish-Subscribe Systems

Post on 30-Dec-2015


DESCRIPTION

Securing Content Based Routing Publish-Subscribe Systems. (SIENA) John.Giacomoni@colorado.edu 2002.01.28. What is Content Based Routing?. Messages Routed Based on Content No Fixed Address Field(s) Generally Speaking Routers Need Full Access to Message Payload. What is Publish-Subscribe?. - PowerPoint PPT Presentation

TRANSCRIPT

Securing Content Based Routing Publish-Subscribe Systems (SIENA)

John.Giacomoni@colorado.edu

2002.01.28

What is Content Based Routing?

• Messages Are Routed Based on Content
    • No Fixed Address Field(s)
    • Generally Speaking, Routers Need Full Access to the Message Payload

What is Publish-Subscribe?

• Event Notification System
    • Producers (Publishers)
    • Consumers (Subscribers)
    • Publications Are Routed to Subscribers Based on Filters (Subscriptions)
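The two slides above describe routing by content rather than by address. The following is an added illustration written for this page, not SIENA's own code: a single content-based router whose table holds (subscriber, filter) pairs, where a filter is a conjunction of (attribute, operator, value) constraints and a notification is a flat attribute set. The operator set and the sample notifications are assumptions for the example; SIENA's real filter language is richer. Note what the router has to do to make any decision at all: it reads every attribute of the notification, which is the point of the "routers need full access to the message payload" bullet.

```python
"""Minimal content-based router (added example, not SIENA code)."""
import operator
from typing import Any, Callable, Dict, List, Tuple

# Operators a constraint may use. This subset is an assumption for the
# example; a real SIENA filter language has more.
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "=": operator.eq,
    "!=": operator.ne,
    "<": operator.lt,
    ">": operator.gt,
    "prefix": lambda have, want: isinstance(have, str) and have.startswith(want),
    "any": lambda have, want: True,   # the attribute merely has to be present
}

Constraint = Tuple[str, str, Any]     # (attribute, operator, value)
Filter = List[Constraint]             # conjunction of constraints
Notification = Dict[str, Any]         # flat attribute set


def matches(notification: Notification, flt: Filter) -> bool:
    """True when every constraint in the filter holds on the notification."""
    for attr, op, want in flt:
        if attr not in notification:          # a missing attribute never matches
            return False
        try:
            if not OPS[op](notification[attr], want):
                return False
        except TypeError:                     # e.g. "<" between a str and an int
            return False
    return True


class Router:
    """One router node: no addresses, only a table of (subscriber, filter)."""

    def __init__(self) -> None:
        self.table: List[Tuple[str, Filter]] = []

    def subscribe(self, subscriber: str, flt: Filter) -> None:
        self.table.append((subscriber, flt))

    def route(self, notification: Notification) -> List[str]:
        """Subscribers that should receive the notification, in subscription
        order, each listed once even if several of its filters match."""
        out: List[str] = []
        for subscriber, flt in self.table:
            if subscriber not in out and matches(notification, flt):
                out.append(subscriber)
        return out


def demo() -> Dict[str, List[str]]:
    """Route three constructed notifications through three subscriptions."""
    r = Router()
    r.subscribe("alice", [("class", "=", "stock"), ("price", ">", 100)])
    r.subscribe("bob",   [("class", "=", "stock"), ("symbol", "prefix", "MS")])
    r.subscribe("carol", [("class", "=", "alert"), ("severity", "any", None)])
    n1 = {"class": "stock", "symbol": "MSFT", "price": 120}          # constructed
    n2 = {"class": "stock", "symbol": "IBM", "price": 90}            # constructed
    n3 = {"class": "alert", "severity": "high", "body": "disk full"}  # constructed
    return {"n1": r.route(n1), "n2": r.route(n2), "n3": r.route(n3)}


if __name__ == "__main__":
    for name, dests in demo().items():
        print(name, "->", dests)
```

Every attribute, including `body` in the alert, is visible to the router; nothing in the notification tells the router where to send it other than its content, which is why confidentiality and routing pull against each other in the slides that follow.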

Interesting Properties of Publish-Subscribe

• Publishers and Subscribers Can Be Anonymous to Each Other
• Clients Can Be Linked Together to Form an Ad-Hoc Network Using Only the Publish-Subscribe Interface

What is SIENA?

• Scalable (Internet-Scale) Event Notification Architecture

What/How Does SIENA Work?

• Exports a Publish-Subscribe API
• Employs Content Based Routing
    • Accurately Routes Messages to Interested Parties
    • Reduces Bandwidth Consumption

Interesting Properties of SIENA

• Notifications (Messages) Routed Based on Content
• Unspecified Number of Clients or Servers
• Unspecified Network Topology
• Unspecified Communication Protocols
• Unspecified Message Delivery Windows
• Heterogeneous Host & Authority Domains
• Fault Permissive

Unspecified Network Topology

• Single Server
• Hierarchical
• General Graph
• Hybrid/Combination Topology

Combination Topology (with heterogeneous authority)

Security Goals

• Confidentiality
• Integrity
• Availability

As described in "Secrets & Lies" by Bruce Schneier, p. 121

Confidentiality Goals

• Data (Publications)
    • Content Might Contain Sensitive Information
    • Routing Depends on Content
• Subscriptions
    • Subscriptions May Contain Sensitive Information
    • Data Flow Analysis
    • Anonymity

Integrity Goals

• Altered Messages
• Injected Messages
• Dropped Messages
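The three integrity goals above (and the "Signed Messages" user-land model later in the deck) can all be met end to end without trusting the routers in between. The following is an added example, not SIENA code: a publisher numbers each notification and attaches a MAC over a canonical encoding; the subscriber rejects anything whose MAC fails (altered or injected), flags sequence gaps (dropped), and rejects repeats (replayed). HMAC-SHA256 over a key shared by publisher and subscriber stands in for the public-key signature the slides have in mind, an assumption made to keep the example to the standard library; the publisher name and key are constructed for the demo.

```python
"""Detecting altered, injected, dropped and replayed notifications.

Added example, not SIENA code.  A shared-key HMAC stands in for a
public-key signature (assumption); routers never hold the key.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List


def canonical(msg: Dict[str, Any]) -> bytes:
    """Deterministic encoding so both ends MAC exactly the same bytes."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Publisher:
    def __init__(self, name: str, key: bytes) -> None:
        self.name, self.key, self.seq = name, key, 0

    def publish(self, attrs: Dict[str, Any]) -> Dict[str, Any]:
        """Attach publisher name, sequence number and MAC to the attributes."""
        self.seq += 1
        msg = dict(attrs, publisher=self.name, seq=self.seq)
        msg["mac"] = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        return msg


class Subscriber:
    """Verifies every notification and returns a verdict string."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys                      # publisher name -> shared key
        self.last_seq: Dict[str, int] = {}    # highest accepted seq per publisher

    def receive(self, msg: Dict[str, Any]) -> str:
        key = self.keys.get(msg.get("publisher", ""))
        if key is None:
            return "reject: unknown publisher"
        expect = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, msg.get("mac", "")):
            return "reject: bad mac (altered or injected)"
        seq, last = msg["seq"], self.last_seq.get(msg["publisher"], 0)
        if seq <= last:
            return "reject: replay"
        self.last_seq[msg["publisher"]] = seq
        if seq != last + 1:
            return f"accept: {seq - last - 1} message(s) dropped"
        return "accept"


def demo() -> List[str]:
    """Constructed scenario: one altered, one forged, two lost, one replayed."""
    key = b"shared-secret-for-demo"          # constructed; never hard-code for real
    pub = Publisher("sensor-1", key)
    sub = Subscriber({"sensor-1": key})
    m1, m2, m3, m4 = (pub.publish({"temp": t}) for t in (20, 21, 22, 23))
    altered = dict(m2, temp=99)              # a router rewrote the content
    injected = dict(m3, seq=5)               # forged without the key; MAC no longer fits
    return [
        sub.receive(m1),
        sub.receive(altered),
        sub.receive(injected),
        sub.receive(m4),                     # m2 and m3 never arrived intact
        sub.receive(m1),                     # the same message once more
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The gap check only tells the subscriber that something was dropped, not by whom; attributing the loss to a particular router is the audit problem the deck raises separately.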

Availability Goals

• Denial of Service Protection
    • Individual Server
    • Network Congestion
• Knowing When the System Is Overloaded/DoS'ed

Additional Goals

• Billing/Accountability
• Audit

Conflicting Goals

• Scale vs. Security
• Performance vs. Security
• Anonymity vs. Security
• Anonymity vs. Billing
• Communication Network vs. User Security
• Data Confidentiality vs. Expressiveness

How Do We Balance These Conflicting Goals?

Observations

• Single Solution Very Unlikely
    • Each Environment Will Need Its Own Setup
    • Military Always Does Its Own Thing
• Minimization of Security in the Servers Maximizes Flexibility
• Heterogeneous Solutions Do Not Cover Homogeneous Solutions

Homogeneous Authority Domains

• Communication Security
    • IPSEC
    • SSL (requires server changes)
    • Bogus Notifications (cover traffic against Traffic Analysis)
• Some Faith Can Be Put into the Software
• Simple Authentication Tokens Can Be Used
• Multilevel/Multilateral Security Possible
    • Military Applications

Heterogeneous Authority Domains

• Users Cannot Trust the Network
    • Unknown Recipients
    • Unknown Servers
• Network Cannot Trust Users OR Network
    • Are Publications/Subscriptions Valid?
    • Unknown 3rd-Party Server Behavior

User Land Models

• Accept Subscriptions and Publications as Public Domain
    • Subscriptions Can Be Obfuscated to a Certain Degree
• Encrypted Messages
• Signed Messages

Problems with Encrypted Notifications

• Decreased Routing Performance
• 100% Content Confidentiality Results in an Unroutable Message

User Land Security Models (Client/Client)

• Protects Data
• Anonymity Issues
• Key Management/Revocation Issues
• Scaling Issues
    • Organization
• No Additional Load on Servers

User Land Security Models (Client/PKI/Client)

• Maintains Anonymity Between Publishers and Subscribers
• No Additional Load on Servers
• Multiple PKIs Can Be in Place
• Billing Can Be Based on Key Management
• PKI Management Issues
    • Initial Key Distribution
• Closed PKI ("(Public Key) Infrastructure")

Server Models

• Trusted Gateways
• Authenticated Publications/Subscriptions
    • Loss of Anonymity
    • Foreign Networks Still a Problem
• Audit
    • Loss of Anonymity

Main Problem

• Specifying a Security Model Without a Well-Defined Environment Will Result in Many Problems

Directions

• SSL-Aware Communication Layer
    • Encryption
    • Authentication
• IPSEC Between Servers
    • Also Between Clients if the System Is Homogeneous
• Trusted Gateways

Trusted Gateways

• Tunnel Flagged Messages (Encrypted) to Remote Trusted Networks
• Unflagged Messages Forwarded Blindly
• Rate Limit Unflagged Messages
• Minimizes the Need for Obfuscated Publications
• Permits Large Public SIENA Backbones
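The gateway policy on this slide is mostly a forwarding decision plus a rate limiter, and the rate limiter doubles as the overload signal the Availability Goals slide asks for. The following is an added example, not SIENA code: a trusted gateway that sends flagged notifications to the peer gateway of a remote trusted network, passes unflagged ones blindly to the public backbone through a token bucket, and exposes a drop ratio so an operator can see when unflagged traffic is swamping it. The `secure` flag, the peer name, the bucket parameters and the traffic are assumptions for the example; the tunnel is represented only by its destination, since encrypting it is a separate concern from the policy shown here.

```python
"""Trusted-gateway policy with rate-limited blind forwarding (added example)."""
from typing import Any, Dict, List, Tuple


class TokenBucket:
    """Classic token bucket: `rate` tokens/second, at most `burst` saved up."""

    def __init__(self, rate: float, burst: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class TrustedGateway:
    """Edge of a trusted network facing a public SIENA backbone."""

    def __init__(self, peer: str, rate: float, burst: int, flag: str = "secure") -> None:
        self.peer = peer                  # remote trusted gateway (assumed name)
        self.flag = flag                  # attribute marking a flagged message (assumption)
        self.bucket = TokenBucket(rate, burst)
        self.seen = 0                     # unflagged messages offered
        self.dropped = 0                  # unflagged messages rate-limited

    def handle(self, msg: Dict[str, Any], now: float) -> Tuple[str, str]:
        """Return (action, destination) for one notification."""
        if msg.get(self.flag):
            return "tunnel", self.peer    # encrypted tunnel to the remote trusted net
        self.seen += 1
        if self.bucket.allow(now):
            return "forward", "public-backbone"   # forwarded blindly, content unread
        self.dropped += 1
        return "drop", "rate-limit"

    def drop_ratio(self) -> float:
        return self.dropped / self.seen if self.seen else 0.0

    def overloaded(self, threshold: float = 0.5) -> bool:
        """Operator-facing signal: are we shedding most unflagged traffic?"""
        return self.drop_ratio() > threshold


def demo() -> Tuple[List[str], float, bool]:
    """Constructed traffic: 2 flagged, a burst of 8 unflagged, then 1 more after 1 s."""
    gw = TrustedGateway(peer="tgw.partner.example", rate=2.0, burst=3)
    actions: List[str] = []
    for _ in range(2):
        actions.append(gw.handle({"secure": True, "class": "order"}, now=0.0)[0])
    for _ in range(8):
        actions.append(gw.handle({"class": "quote"}, now=0.0)[0])
    actions.append(gw.handle({"class": "quote"}, now=1.0)[0])   # bucket has refilled 2 tokens
    return actions, gw.drop_ratio(), gw.overloaded()


if __name__ == "__main__":
    acts, ratio, over = demo()
    print(acts, f"drop ratio={ratio:.2f}", "overloaded" if over else "ok")
```

Flagged traffic bypasses the bucket entirely, which is deliberate: the limit exists to protect the gateway from the public side, and a flood of flagged messages can only come from a peer the gateway already trusts. If that trust is misplaced, a second bucket on the tunnel is the obvious extension.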

Parting Comments on Securing SIENA

• All Users Are Equal in SIENA
    • A Concept of Users and Permissions/Roles Needs to Be Introduced

Trusted Gateways

[Diagram slide: trusted gateways (TGW); figure not reproduced in the transcript]

Q&A Time :)
