Provide Privacy of Broker less Publish/Subscribe System using Shared Key Signature Schema

International Journal of Engineering Trends and Technology (IJETT) – Volume 33 Number 2- March 2016
Varadi Vandana (1), Chintada Sunil Kumar (2)
(1) Final M.Tech Student, (2) Asst. Professor
(1,2) Dept. of CSE, Sarada Institute of Science, Technology and Management (SISTAM), Srikakulam, Andhra Pradesh
Abstract:
The publish/subscribe system is an emerging communication model for distributed environments. It is a messaging system in which events are published by publishers and received by subscribers according to their subscriptions. In existing messaging systems a broker acts as middleware between the two parties and all communication passes through it, so a broker failure becomes a bottleneck for the whole system. To overcome this drawback, a broker-less architecture for content-based publish/subscribe has been proposed. In a publish/subscribe system the publisher and subscriber are loosely coupled and do not trust each other, so basic security mechanisms such as authentication and confidentiality are difficult to achieve and remain a challenging task. The proposed system provides a novel approach to authentication and confidentiality in a broker-less content-based publish/subscribe system using the Dynamic Encryption Algorithm. Before data is encrypted and decrypted, the publisher is verified by the subscribers; only after authentication completes does the subscriber perform decryption and recover the original plaintext. In this paper we propose a shared key signature scheme for authentication of the publisher and dynamic encryption for encryption and decryption of the transferred data. We also use a multi-level Diffie-Hellman key exchange protocol to generate the secret key. By combining these techniques we improve the privacy of the transferred data and provide efficient authentication.
Keywords: security, multi-level Diffie-Hellman, dynamic encryption algorithm, cryptography, authentication.
I. INTRODUCTION
Nowadays the Internet is growing rapidly and there is a need to transfer information between different entities, which ultimately represent human users. These countless entities are spread globally, so their locations and behaviour vary. To bring these distributed entities closer together and to make information distribution scalable, more efficient and reliable techniques are required. Synchronous peer-to-peer communication models cannot satisfy these requirements, so the asynchronous publish/subscribe messaging model has gained great popularity because of its inherent decoupling. It distributes information from event producers (publishers) to event consumers (subscribers). Two kinds of infrastructure exist: topic-based systems and content-based systems. The decoupling of the publish/subscribe model keeps publishers and subscribers unaware of each other in space, time and synchronization. Publishers send information through the publish/subscribe system and subscribers register the events they are interested in through subscriptions; events are routed to the relevant subscribers without the publisher knowing the subscribers or vice versa. In traditional systems a broker routes events from publishers to subscribers, which raises security questions: a malicious broker can read the plaintext of the events it routes, and a broker failure can bring the whole system down. Providing security for pub/sub systems is therefore a challenging task.
ISSN: 2231-5381
To address this issue, recent work proposes broker-less publisher/subscriber architectures built on an event forwarding overlay [1]. Subscribers receive published events only if they have subscribed to them. There are two models for specifying subscriptions: 1) topic-based subscription and 2) content-based subscription. In a topic-based subscription one particular topic is specified and all events belonging to that topic are delivered to the related subscribers; the topic-based model places no restriction on message content. The content-based subscription model is more expressive: the subscriber defines constraints on the message content itself. The content-based model suits large-scale distributed applications such as environmental monitoring, stock exchanges, news distribution, public sensing and traffic control. Considering its expressiveness and asynchronous nature, we use the content-based model in our proposed system.
http://www.ijettjournal.org
Now the question of security arises. To secure a broker-less publish/subscribe system, a new approach providing authentication and confidentiality is proposed. In this approach every subscriber maintains credentials according to its subscription, and the private keys associated with subscribers are also labelled with these credentials, which can be numeric or string attributes. To map each encrypted event to a set of credentials, an identity-based encryption (IBE) mechanism [2] is used, so that a subscriber can decrypt an event only if the credentials of the event match those of its private key. IBE also allows subscribers to verify the authenticity of the received event.
II. RELATED WORK
The mechanisms used for confidentiality of events and of subscription filters should not require publishers and subscribers to share secret keys, and they should still allow event filtering so that events are routed to the intended subscribers. These are the weak points of existing systems, and the proposed mechanism addresses them. M. Srivatsa, L. Liu et al. [3] presented EventGuard, a framework for constructing secure wide-area pub/sub systems. EventGuard provides security guarantees while preserving the system's overall simplicity, scalability and performance. The framework has three main components: a suite of security guards that plugs into a content-based pub/sub system, a scalable key management algorithm used to enforce access control on subscribers, and a publish/subscribe network design that recovers quickly from adverse conditions.
A. Shikfa, M. Önen and R. Molva [4] suggested a set of security mechanisms that allow privacy-preserving forwarding of encrypted content based on subscribers' interests. The system ensures both data confidentiality with respect to publishers and subscriber privacy with respect to their interests, in a model where publishers, subscribers and the intermediate forwarding nodes (brokers) do not trust each other. The scheme uses multi-layer encryption, which lets intermediate nodes maintain forwarding tables and forward content using both encrypted content and encrypted subscription messages, without access to the plaintext. The scheme also avoids key sharing between end users and targets an enhanced CBPS model where brokers can also be subscribers at the same time.
H.-A. Jacobsen, B. Maniymaran et al. [5] presented PADRES, a content-based publish/subscribe system, in detail. PADRES supports correlating events, accessing data produced in the past and data that will be produced in the future, balancing the traffic load among brokers and handling network failures. It can filter, aggregate, correlate and route any combination of historic and future data. Several applications that benefit from the content-based nature of the system and from its scalability and robustness are also presented. Large-scale distributed systems intended for use on the Internet need proper middleware support to handle the communication needs of their clients scalably and efficiently, without losing traditional middleware features.
P. Pietzuch [6] described Hermes, a distributed event-based middleware that uses peer-to-peer messaging techniques for scalable and robust event transmission. Hermes manages its network of event brokers with peer-to-peer techniques and adds fault tolerance to its event transmission algorithms. Y. Yu, B. Yang et al. [7] proposed the first identity-based signcryption scheme without random oracles; the original scheme had security weaknesses, and a refined version was proposed and proven secure under the existing security model for identity-based signcryption.
III. PROPOSED SYSTEM
Our proposed system uses the content-based model to route published content from the publisher to the appropriate subscriber. The event to be published carries an ordered set of attributes, each with a unique name, a data type and a value field. An event matches a subscription only if the attribute values satisfy the constraints of that subscription; only then does the subscriber receive the event it wants. The proposed system uses the shared key signature scheme to provide authentication, and the dynamic encryption algorithm to provide confidentiality of the transferred data. This reduces the number of key generations and gives an efficient authentication process. The implementation procedure of the dynamic encryption algorithm is as follows.
1) The Index Generation Process:
1.1. Initiate Table: The initial table has 16*16 rows and columns, as shown in Fig. 1, and its entries range over the hexadecimal digits 0-F. The sender and the receiver must hold the same copy of the initial table [8]. The initial table is not secret and may be announced to the public, see Fig. 1.
Fig. 1. The initial (16*16) table of hexadecimal digits 0-F (the table body did not survive extraction).
1.2. Shared Value: The shared value is either randomly generated or selected by the user (see Fig. 2). Its size is not fixed, but a value of at least 10 digits is recommended. The shared value is the most important component of the system, so it must be stored and exchanged securely; for this reason the multi-level Diffie-Hellman key exchange scheme is used [8]. The shared value is not fixed for the whole communication session: the sender or the receiver may change it at any time, and the other party must then be informed. The system can be configured to change the shared value manually (by the user) or periodically according to some criterion (the amount of data sent/received, a time slice, a random schedule or any other rule).
1.3. Circular Shifts: The circular left shift and circular down shift are shown in Fig. 7 later.
Fig. 2. Example shared value (digits as extracted): B 2 8 A 9 8 6 4.
1.4. Table of Indexes: The Table of Indexes is generated by performing the left and down circular shifts, in that order, according to the value extracted from the shared value (known as Shdv). Shdv is a two-digit value taken from the shared value; a modulo operation then gives the shift amount (shifted rows/columns = Shdv mod 16). The output table is called the Table of Indexes, as in Fig. 3.
Fig. 3. Table of Indexes (16*16, after the left and down circular shifts):
F 3 A D 9 8 5 F 3 2 D 8 3 B B 6
3 D 9 A C B E 2 D 4 B C 6 5 5 B
2 9 2 6 E D 9 C 0 A 0 E 0 8 6 D
B 4 0 7 2 B 1 2 D F 4 2 4 0 6 0
0 A 9 2 9 2 D 9 6 2 1 D 1 B F A
2 A 9 C 3 F 7 6 C 0 E 5 9 5 9 0
3 F 7 9 1 F 9 F F 4 6 E D C E 6
2 6 D 0 4 F A 7 1 D 1 E D C 6 2
2 E 3 4 E C 4 5 2 7 8 9 C 3 B 9
2 2 4 C F 3 0 D 4 F 4 4 9 E 5 F
5 0 7 B 8 1 7 4 8 3 F 5 6 9 D A
B 5 5 7 B 3 2 F E F 0 0 4 1 D E
5 E 9 5 8 6 A 4 8 0 2 A 4 4 E 1
4 7 A A 0 7 8 6 6 3 E 9 6 F 7 8
2 0 9 1 1 B 9 B 9 3 E 4 1 C 6 E
4 E D C 6 7 7 E 3 6 B C 7 C E 9
1.5. The Extracted Indexes: The extracted indexes are taken from the Table of Indexes (Fig. 4) by reading it as a sequence of octets: the first octet is the first index, the second octet is the second index, and so on, giving 128 indexes for a 16*16 table. If an initial table larger than 16*16 is used, the indexes are picked in a way consistent with the table size (for example, octets one and two form the first index, octets three and four the second index, and so on).
Fig. 4. Extracted indexes, read row-wise from Fig. 3 in pairs of hex digits: F3 AD 98 5F 32 D8 ... BC 7C E9.
2) The Key Insertion Process
2.1. The Plain Text Data: The plaintext is the data to be sent; it can be of any type and format (text, audio, video, etc.). There is no restriction on its size, but it is recommended that it fit in one packet, i.e. the Maximum Transfer Unit (MTU) minus the key size: Plain-Text-Size = MTU - Key-Size.
2.2. The Key Generation: The system key is randomly generated or selected by the user. It has variable length: initially a 1024-bit key is used, and the size can be expanded to 2048 bits or longer. Because the key is dynamic, the system can be configured to switch keys periodically during the communication session; the users can change the key very frequently without affecting encryption/decryption speed, since the key is sent inside each packet.
2.3. XOR (Encryption) Process: The plaintext and the key are XORed: the first 1024 bits of the data are XORed with the key, the next 1024 bits with the same key, and so on until no plaintext remains. If the plaintext is longer or shorter than the key, only the matching lengths are XORed; this is why a key of variable length (greater than or less than the plaintext size) is used. Note that XORing every block with the same key is a repeating-key XOR, so the secrecy of the data rests on the key staying hidden inside the packet, which in turn depends on the secrecy of the shared value that determines the insertion positions.
2.4. The Key Insertion: The key is inserted into the XORed table produced in step 2.3 according to the Extracted Indexes (step 1.5): the first octet of the key is inserted at the position given by the first index value, the second key octet at the position given by the second index value, and so on until the end of the key (Fig. 6 explains the process). Each index is converted from hexadecimal to decimal to obtain the position (e.g. the first index (F3)16 → (243)10). For more complexity, the insertion position of the first key octet could depend on the first three or four index octets. This adds complexity and flexibility to the encryption process at no extra operation cost and makes cryptanalysis harder.
Together the DEA components compose the algorithm architecture. Simplicity was one of the main design goals, and maintaining simplicity while preserving a high degree of secrecy is hard to achieve [8]. Fig. 5 below shows the detailed architecture of the encryption process and how the different algorithm components are integrated. The algorithm is simple to use and, according to its designers, hard to attack. The architecture is divided into two main components glued together to form the detailed algorithm architecture:
Fig. 5. Architecture of the encryption process. Index generation: Shared value → Initiate table → Circular shift → Table of indexes → Extracted indexes. Key insertion: Plain text data, Key bit size → XOR → XORed table → Key insertion → Cipher data.
1) The Encryption Process: this process consists of two main parts:
1.1. The Index Generation Part: The index generation process is performed at the beginning of the encryption/decryption process and repeated only when the shared value changes, so this step runs far less often than the other step. The output of the index generator is the Extracted Indexes, obtained by performing a regular left-circular shift followed by a down-circular shift according to the shift value derived from the shared value (Shdv); Fig. 6 shows the first three left/down circular shifts and Fig. 7 shows the circular left/down shift process. The Extracted Indexes are taken from the final result of the shifts; there are 128 different indexes, and they remain unchanged until the shared value is changed. How often to change the shared value depends on many factors: changing it very frequently adds more complexity over the plaintext and makes it harder for an attacker to guess the key, but at the same time it may affect performance by adding delay to each packet.
1.2. The Key Insertion Part: The key insertion process is the most frequently executed step of the algorithm. The flexibility of changing the key and of using a variable key length is the cornerstone of the algorithm's strength. The user may keep a single key for the whole communication and change the shared value, or keep the same shared value and change the key; the effect is the same, but it is recommended to change both the shared value and the key, which makes it harder for a cryptanalyst to guess or extract the key. The XOR operations used to generate the XORed table consume few machine resources and few operations; XOR is very fast, and enhancements such as S-boxes may be added to give the algorithm more confusion and diffusion. Fig. 6 illustrates this process.
2) The Decryption Process: This process consists of two main parts:
2.1. The Index Generation Part: The index generation process is performed exactly as in the encryption part explained above (see Fig. 6). Since the process is identical on the sender and receiver sides, the explanation above suffices.
2.2. The Key Extraction Process: Key extraction is the reverse of key insertion: it starts from the last index value (the 128th index) and ends with the first index value (the 1st index), in reverse order. At each index position the algorithm extracts one octet; the first octet extracted is the last key octet, and so on until the whole key has been recovered from the XORed table (the key size, a parameter of the scheme, must therefore be known to the receiver).
2.3. The Decryption Process: Decryption is straightforward: XOR the received data with the recovered key, and the output is exactly the original plaintext.
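The index generation, XOR, key insertion and key extraction steps of Section III (steps 1.1 to 2.4 and the encryption/decryption processes above) carried through in code. This is an added illustration written for this page, not the authors' implementation or the DEA reference code [8]. It assumes: a constructed, seeded 16*16 initial table in place of the Fig. 1 table; that Shdv is the first two hex digits of the shared value; that the row left-shift and the column down-shift both use Shdv mod 16; that indexes are read row-wise in pairs of hex digits as in Fig. 4; and that an index larger than the current buffer length appends to the end. The multi-level Diffie-Hellman exchange of the shared value and the shared key signature are not shown, since the page gives no details of them.

```python
"""Worked example of the DEA steps from Section III (added illustration).

Pipeline: public initial table -> left/down circular shifts driven by the
shared value -> Table of Indexes -> 128 extracted indexes -> repeating-key
XOR of the plaintext -> key octets inserted at the index positions; the
receiver pops the key back out in reverse index order and XORs again.
"""
import random
import secrets

TABLE_SIZE = 16
KEY_BYTES = 128  # 1024-bit key: one octet per extracted index of a 16x16 table


def initial_table(seed=2016):
    """Public 16x16 table of hex digits 0-F (constructed with a fixed seed,
    standing in for the Fig. 1 table; both parties hold the same copy)."""
    rng = random.Random(seed)
    return [[rng.randrange(TABLE_SIZE) for _ in range(TABLE_SIZE)]
            for _ in range(TABLE_SIZE)]


def shift_amount(shared_value):
    """Shdv = first two digits of the shared value (assumed hex here);
    shifted rows/columns = Shdv mod 16 (Section III, step 1.4)."""
    if len(shared_value) < 2:
        raise ValueError("shared value needs at least two digits")
    return int(shared_value[:2], 16) % TABLE_SIZE


def table_of_indexes(table, s):
    """Left-circular shift of every row by s, then down-circular shift of
    every column by s (step 1.4)."""
    rows = [row[s:] + row[:s] for row in table]
    n = len(rows)
    return [[rows[(r - s) % n][c] for c in range(n)] for r in range(n)]


def extracted_indexes(tidx):
    """Read the Table of Indexes row-wise, pairing hex digits into octets
    (Fig. 4): 256 digits -> 128 one-octet index values."""
    digits = [d for row in tidx for d in row]
    return [digits[i] * 16 + digits[i + 1] for i in range(0, len(digits), 2)]


def xor_repeating(data, key):
    """Block i of len(key) octets is XORed with the key; a short tail is
    XORed with the matching prefix of the key (step 2.3)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def insert_key(xored, key, idx):
    """Insert key octet k at position idx[k] of the XORed buffer (step 2.4).
    An index beyond the current buffer length appends (assumption)."""
    buf = bytearray(xored)
    for k, pos in zip(key, idx):
        buf.insert(min(pos, len(buf)), k)
    return bytes(buf)


def extract_key(cipher, key_len, idx):
    """Reverse of insert_key: pop octets from the last index back to the
    first (decryption step 2.2). Returns (key, xored_data)."""
    buf = bytearray(cipher)
    key = bytearray()
    for pos in reversed(idx[:key_len]):
        key.insert(0, buf.pop(min(pos, len(buf) - 1)))
    return bytes(key), bytes(buf)


def indexes_for(shared_value, table=None):
    """Index generation: run once per shared value, not per packet."""
    table = table if table is not None else initial_table()
    return extracted_indexes(table_of_indexes(table, shift_amount(shared_value)))


def dea_encrypt(plain, key, shared_value, table=None):
    """Sender side: XOR, then hide the key inside the packet."""
    idx = indexes_for(shared_value, table)
    if len(key) > len(idx):
        raise ValueError("key longer than the index list; needs a bigger table")
    return insert_key(xor_repeating(plain, key), key, idx)


def dea_decrypt(cipher, key_len, shared_value, table=None):
    """Receiver side: needs the public table, the shared value and the key
    size (the 'Key bit size' input of Fig. 5), but not the key itself."""
    idx = indexes_for(shared_value, table)
    key, xored = extract_key(cipher, key_len, idx)
    return xor_repeating(xored, key)


if __name__ == "__main__":
    msg = b"stock:ACME price=42.17 volume=1200"  # constructed sample event
    key = secrets.token_bytes(KEY_BYTES)
    ct = dea_encrypt(msg, key, "B28A9864")      # shared value digits of Fig. 2
    print(len(ct), dea_decrypt(ct, KEY_BYTES, "B28A9864") == msg)
```

Round-tripping a message makes the construction's cost and its dependency visible: the ciphertext is exactly len(plain) + len(key) octets, because the key travels inside the packet, and a receiver holding the public table but a different shared value pops octets from the wrong positions, so the recovered key, and with it the plaintext, is garbage. Everything therefore hinges on the shared value agreed through the Diffie-Hellman exchange.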
IV. CONCLUSION
Because of the loose coupling between publisher and subscriber, the security of the system must be addressed. To achieve this we have proposed a novel approach to provide authentication and confidentiality in a broker-less content-based publish/subscribe system. In this paper we have proposed a shared key signature scheme for authentication of the publisher and a multi-level Diffie-Hellman key exchange to agree the shared value that drives the left and down circular shift operations on the initial table. For data encryption and decryption we use the dynamic encryption algorithm. By implementing these concepts we improve the efficiency of data transfer and provide authentication of the publisher in the network.
V. REFERENCES
[1] E. Anceaume, M. Gradinariu, A.K. Datta, G. Simon, and A. Virgillito, "A Semantic Overlay for Self-* Peer-to-Peer Publish/Subscribe," Proc. 26th IEEE Int'l Conf. Distributed Computing Systems (ICDCS), 2006.
[2] M.A. Tariq, B. Koldehofe, and K. Rothermel, "Securing Broker-Less Publish/Subscribe Systems Using Identity-Based Encryption," IEEE Trans. Parallel and Distributed Systems, vol. 25, no. 2, Feb. 2014.
[3] M. Srivatsa, L. Liu, and A. Iyengar, "EventGuard: A System Architecture for Securing Publish-Subscribe Networks," ACM Trans. Computer Systems, vol. 29, article 10, 2011.
[4] A. Shikfa, M. Önen, and R. Molva, "Privacy-Preserving Content-Based Publish/Subscribe Networks," Proc. Emerging Challenges for Security, Privacy and Trust, 2009.
[5] H.-A. Jacobsen, A.K.Y. Cheung, G. Li, B. Maniymaran, V. Muthusamy, and R.S. Kazemzadeh, "The PADRES Publish/Subscribe System," Principles and Applications of Distributed Event-Based Systems, IGI Global, 2010.
[6] P. Pietzuch, "Hermes: A Scalable Event-Based Middleware," PhD dissertation, Univ. of Cambridge, Feb. 2004.
[7] Y. Yu, B. Yang, Y. Sun, and S.-l. Zhu, "Identity Based Signcryption Scheme without Random Oracles," Computer Standards & Interfaces, vol. 31, pp. 56-62, 2009.
[8] A.H. Omari, B.M. Al-Kasasbeh, R.E. Al-Qutaish, and M.I. Al-Muhairat, "A New Cryptographic Algorithm for the Real-Time Applications," Proc. 7th Int'l Conf. Information Security and Privacy (ISP'08), Cairo, Egypt, Dec. 29-31, 2008.
[9] C. Raiciu and D.S. Rosenblum, "Enabling Confidentiality in Content-Based Publish/Subscribe Infrastructures," Proc. IEEE Second CreateNet Int'l Conf. Security and Privacy in Comm. Networks (SecureComm), 2006.
[10] A. Shikfa, M. Önen, and R. Molva, "Privacy-Preserving Content-Based Publish/Subscribe Networks," Proc. Emerging Challenges for Security, Privacy and Trust, 2009 (same entry as [4]).
[11] M. Nabeel, N. Shang, and E. Bertino, "Efficient Privacy Preserving Content Based Publish Subscribe Systems," Proc. 17th ACM Symp. Access Control Models and Technologies, 2012.
[12] S. Choi, G. Ghinita, and E. Bertino, "A Privacy-Enhancing Content-Based Publish/Subscribe System Using Scalar Product Preserving Transformations," Proc. 21st Int'l Conf. Database and Expert Systems Applications: Part I, 2010.
[13] J. Bacon, D.M. Eyers, J. Singh, and P.R. Pietzuch, "Access Control in Publish/Subscribe Systems," Proc. Second ACM Int'l Conf. Distributed Event-Based Systems (DEBS), 2008.
BIOGRAPHIES:
Varadi Vandana is an M.Tech (CSE) student at Sarada Institute of Science, Technology and Management, Srikakulam. She received her B.Tech (CSE) from Avanthi's St. Theressa Institute of Engineering and Technology, Vizianagaram. Her areas of interest are data mining and network security.
Chintada Sunil Kumar is working as an Asst. Professor of CSE at Sarada Institute of Science, Technology and Management (SISTAM), Srikakulam, Andhra Pradesh. He received his M.Tech (CSE) from JNTUK, Kakinada, Andhra Pradesh. His research interests are database management systems, computer architecture, image processing, computer networks and distributed systems. He has published 4 international journal papers and has attended a number of conferences and workshops.