220 likes | 339 Views
Performance modelling of security protocols. Nigel Thomas and Yishi Zhao Newcastle University. Why security and performance?. Security adds an overhead to the actions performed. Different protocols, algorithms or parameters add different overheads.
E N D
Performance modelling of security protocols Nigel Thomas and Yishi Zhao Newcastle University
Why security and performance? • Security adds an overhead to the actions performed. • Different protocols, algorithms or parameters add different overheads. • Hence to optimise the performance we can alter the choice of protocol/algorithm/parameters. • This might also lead to a change in security properties; hence a security vs performance tradeoff.
Performance modelling of protocols • Normally we form an abstract model with many simplifications which we then analyse and compare to the original (or simulation) empirically. • This is not generally acceptable to the security community, as small changes in the protocol can radically alter the security properties. • Instead, some clear (“formal”) correspondence between the protocol specification and the model specification is required.
Idealised view Verification Security analysis Formal transformation
Case study: two non-repudiation protocols • Non-repudiation is used to agree a set of actions such that the participants cannot later deny the agreement. • Many non-repudiation use a trusted third party and public publication of (encrypted) messages, e.g. a bulletin board. • We have investigated two protocols proposed by Zhou and Gollman: • J. Zhou and D. Gollmann, A Fair Non-repudiation Protocol, in: Proceedings of IEEE Symposium on Security and Privacy, IEEE Computer Society, 1996. • J. Zhou and D. Gollmann, Observation on Non-repudiation, in: Advances in Cryptology, LNCS 1163, Springer-Verlag, 1996.
Features of our models • Hand crafted in PEPA: • Explicit naming of protocol actions. • All delays are negative exponential. • Data not represented. • No network delays, no misbehaviour, no failures. • Server always available. • “Pure” processor sharing (=infinite threading). • No contention for bulletin board access.
ZG1 protocol 1. A → B : fNRO, B, L, C, NRO (sendB) 2. B → A : fNRR, A, L, NRR (sendA) 3. A → TTP : fSUB, B, L, K, sub_K (sendTTP) 4. B ↔ TTP : fCON, A, B, L, K, con_K (publish & getByB) 5. A ↔ TTP : fCON, A, B, L, K, con_K (publish & getByA)
Initial PEPA version of ZG1 Where, L={sendTTP,getByB,getByA}, K= {sendB,sendA,work}
Deriving a PEPA performance model • This initial PEPA model needs to be transformed in order to perform performance analysis. • Add multiple components. • Make the model cyclic. • Introduce competition for service at TTP. • The model also requires changes to facilitate solution. • Remove passive actions. • Partially evaluate A and B.
ZG3 protocol 1. A → TTP : fNRO, TTP, B, M, NRO (request) 2. A ↔ TTP : fNRS, A, B, Ts, L, NRS (publish1& getByA1) 3. TTP → B : A, L, NRO (sendB) 4. B → TTP : fNRR, L, NRR (sendTTP) 5. B ↔ TTP : L, M (publish2 & getByB) 6. A ↔ TTP : fNRD, Td, L, NRR, NRD (publish2 & getByA2)
Conclusions • Estimating the costs (as well as the benefits) of security is important. • We can derive performance models which explicitly represent the protocol (“almost” automatically). • We can solve these models very efficiently using a variety of methods. but… • We need to be careful not to introduce new behaviours or approximation errors, • The modelling expert remains in the loop!
Papers • Y. Zhao and N. Thomas, Efficient solutions of a PEPA model of a key distribution centre, Performance Evaluation, in press, doi:10.1016/j.peva.2009.07.005, 2010. • Y. Zhao and N. Thomas, Comparing Methods for the Efficient Analysis of PEPA Models of Non-repudiation Protocols, in: Proc. 15th International Conference on Parallel and Distributed Systems, IEEE Computer Society, 2009. • Y. Zhao and N. Thomas, Experiences of using the PEPA performance modelling tools with a non-repudiation protocol, in: Proc. 23rd European Simulation Multiconference, SCS Publishers, 2009. • Y. Zhao and N. Thomas, Approximate solution of a PEPA model of a key distribution centre, in: Performance Evaluation - Metrics, Models and Benchmarks: SPEC International Performance Evaluation Workshop, LNCS 5119, Springer Verlag, 2008. • C. Lamprecht, A. van Moorsel, P. Tomlinson, N. Thomas, Investigating the efficiency of cryptographic algorithms in online transactions, International Journal of Simulation: Systems, Science and Technology, 7(2), pp. 63-75, 2006. • S. Dick and N. Thomas, Performance analysis of PGP, in: Proceedings 22nd UK Performance Engineering Workshop, Bournemouth University, 2006.