Secure Aggregation in a Publish-subscribe System
Kazuhiro Minami*, Adam Lee**, Marianne Winslett*, and Nikita Borisov*
*University of Illinois at Urbana-Champaign
**University of Pittsburgh
Publish-subscribe System for Wide-area Control Systems
[Figure: publishers (door card reader, motion sensor, phasor measurement units, power meters) and subscribers (building management system, power grid monitor) connected through the routing nodes of a publish-subscribe overlay network.]
Information Infrastructure Needs
• Scalability
  • Keep up with the increase in the number of installed sensors and devices publishing events frequently
• Communication bandwidth and latency
  • Reducing the bandwidth requirements will help to reduce the deployment cost of wide-area control systems
• Flexibility
  • Accommodate the diverse security requirements of different entities
In-network Aggregation
In-network aggregation could reduce bandwidth requirements further.
[Figure: application-level aggregation, where a node that is both subscriber and publisher receives x1, x2, x3 and computes f(x1,x2,x3) itself, versus in-network aggregation, where a routing node computes f(x1,x2,x3) and forwards only the result to subscribers.]
Goals of Secure Aggregation
• Confidentiality
  • Publish aggregated data only to authorized subscribers while protecting the confidentiality of individual raw data
• Integrity
  • Subscribers can verify the authenticity and integrity of aggregated data
System Model
[Figure: publishers, subscribers, a security manager and the routing nodes of the publish-subscribe system, exchanging the following numbered messages.]
1. Confidentiality policies
2. Subscription requests
3. Routing path
4. Publication requests
5. Raw data
6. Aggregated data
Our Assumptions
• No more than m parties collude
• Public Key Infrastructure
• Publishers and subscribers can send secrets to each other securely
• Routing nodes (the pub-sub system) are not trusted with respect to the integrity of the aggregate
• Routing nodes are not trusted with respect to the confidentiality of publishers' private input
Supporting Additive Aggregation as a First Step
• Compute the sum of multiple values published by different publishers
• Can support other functions such as COUNT, AVERAGE, STD, etc.
Confidentiality Requirement
• Allow publishers to disclose aggregated data only to authorized subscribers while keeping raw data private
[Figure: P1 publishes v1 under policy acl(v1) and P2 publishes v2 under policy acl(v2); subscriber Psub is authorized by acl(P1.v1+P2.v2) to receive only v1+v2 from the pub-sub system.]
The pub-sub system should read neither v1, v2, nor v1+v2.
Naive Approach 1
• Use additively homomorphic encryption (i.e., E(v1+v2) = E(v1) + E(v2)) to protect raw data from untrusted routing nodes
[Figure: an adversarial routing node R receives E(v1) from P1 and E(v2) from P2 and forwards E(v1) alone to Psub instead of E(v1+v2); Psub decrypts it and learns v1, violating P1's confidentiality policy.]
Naive Approach 1 (continued)
[Figure: the adversarial routing node R uses the homomorphism to compute E(v1+2*v2) from E(v1) and E(v2) and forwards it in place of E(v1+v2); Psub decrypts v1+2*v2 as the sum, violating Psub's integrity policy.]
Naive Approach 2
• Attach raw data and its digital signatures to verify the integrity and authenticity of the data
[Figure: P1 sends E(v1), Sig1(E(v1)) and P2 sends E(v2), Sig2(E(v2)) to routing node R, which must forward E(v1+v2), E(v1), E(v2), Sig1(E(v1)), Sig2(E(v2)) to the subscriber: too much data to send!]
Our Approach
• Secret splitting to protect confidential data
• Homomorphic message authentication code (MAC) to ensure the integrity of aggregated data
• MAC(v, g) = g^v (mod p), where p is a large prime, so that MAC(v1, g) * MAC(v2, g) = MAC(v1+v2, g)
Protocol Sketch: Initial Secret Sharing
• Publishers and subscribers share a secret generator g of group Gp
• Publisher Pi sends secrets ri and qi to a subscriber
[Figure: P1 sends r1, q1 and P2 sends r2, q2 to Psub over an out-of-band channel that bypasses the routing nodes R; publishers and subscriber all hold g.]
Protocol Sketch: Publication of Data
• Publisher Pi splits vi − qi into v'i,1 and v'i,2; this is necessary to protect the sum v1+v2 from the root routing node
• Publisher Pi computes ci = MAC(vi + ri, g) = g^(vi+ri); the secret ri is necessary to protect the generator g from a known-plaintext attack
[Figure: P1 sends v'1,1 and c1 to one routing node and v'1,2 to another; P2 sends v'2,1 and c2 to the second node and v'2,2 to the first; both nodes forward to a root routing node, which publishes to Psub.]
Protocol Sketch: Publication of Data (continued)
• Aggregator R computes the sum v'sum of the input shares and the product csum of the input MACs
• Aggregator R publishes v'sum and csum
[Figure: one routing node forwards v'1,1+v'2,2 and c1, the other forwards v'1,2+v'2,1 and c2; the root computes v'sum = v'1,1 + v'2,2 + v'1,2 + v'2,1 and csum = c1 * c2 and sends both to Psub.]
Protocol Sketch: Verification
• Subscriber Psub computes the real sum vsum = v'sum + q1 + q2
• Psub checks whether csum = MAC(vsum + r1 + r2, g)
[Figure: same message flow as the previous slide; Psub additionally holds g, r1, q1, r2, q2 from the initial secret sharing.]
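The four protocol steps above (secret sharing, publication, aggregation, verification), worked through end to end as an added example that is not the authors' code. It assumes a toy safe prime p = 1019 with g = 4 of prime order q in place of the real group Gp, integer secret splitting with a random 64-bit mask, and the two-publisher, two-routing-node topology of the figures; the `tamper` hook and all helper names are constructed for this example.

```python
import secrets

# Toy parameters, constructed for this example (not the authors' values):
# p = 2q + 1 is a safe prime, so g = 4 has prime order q in Z_p*, standing
# in for the prime-order group Gp of the slides. Real deployments need a
# cryptographically sized group.
P, G = 1019, 4
Q = (P - 1) // 2          # order of G

def mac(v):
    """Homomorphic MAC from the slides: MAC(v, g) = g^v mod p.
    Reducing the exponent mod q (the order of g) keeps negative shares valid."""
    return pow(G, v % Q, P)

def publish(v, r, q):
    """Publisher P_i: split v_i - q_i into two shares and tag v_i + r_i.
    Integer splitting with a 64-bit random mask is a toy stand-in for the
    slides' secret splitting; q_i hides the sum from the root, r_i hides g."""
    share1 = secrets.randbits(64) - (1 << 63)
    share2 = (v - q) - share1
    return share1, share2, mac(v + r)

def aggregate(shares, macs):
    """Untrusted routing node: sum the shares, multiply the MACs mod p."""
    c_sum = 1
    for c in macs:
        c_sum = c_sum * c % P
    return sum(shares), c_sum

def verify(v_sum_prime, c_sum, q_secrets, r_secrets):
    """Subscriber P_sub: unmask the sum, then check the aggregated MAC."""
    v_sum = v_sum_prime + sum(q_secrets)
    return v_sum, c_sum == mac(v_sum + sum(r_secrets))

def run_protocol(values, tamper=None):
    """Two publishers, two routing nodes, a root aggregator and one subscriber,
    following the figure: node A sees v'_1,1 and v'_2,2, node B sees the rest.
    `tamper` lets a caller corrupt what the root publishes (constructed hook)."""
    rs = [secrets.randbelow(Q - 1) + 1 for _ in values]   # shared out of band
    qs = [secrets.randbelow(Q - 1) + 1 for _ in values]
    pubs = [publish(v, r, q) for v, r, q in zip(values, rs, qs)]
    (a1, a2, c1), (b1, b2, c2) = pubs
    node_a = aggregate([a1, b2], [c1])
    node_b = aggregate([a2, b1], [c2])
    root_view, c_sum = aggregate([node_a[0], node_b[0]], [node_a[1], node_b[1]])
    if tamper:
        root_view, c_sum = tamper(root_view, c_sum)
    v_sum, ok = verify(root_view, c_sum, qs, rs)
    return v_sum, ok, root_view
```

The root routing node only ever sees v'sum = v1+v2−q1−q2, and any change to the published sum or MAC makes the subscriber's check fail.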
Security Properties
• Confidentiality of aggregate sum
  • No coalition of routing nodes can obtain the sum
• Confidentiality of individual data
  • No colluding parties of up to size m can obtain any publisher Pi's input data vi
• Integrity of aggregate sum
  • The probability that subscriber Psub accepts an incorrect sum is no more than 1/p, where p is the prime order of group Gp
Related Work
• Secure aggregation in sensor networks
  • Integrity: Chan [CCS06], Przydatek [SenSys03]
  • Confidentiality: Castelluccia [Mobiquitous05], Girao [ICC06], He [INFOCOM07], Hu [SAINT03 Workshop]
• Verification of aggregated queries
  • Integrity: Haber [TR HPL06]
Summary
• Secure additive aggregation protocol in the presence of untrusted routing nodes
  • Protects publishers' private data with secret splitting
  • Homomorphic MAC scheme ensures the integrity of the aggregate sum
• Future work includes fault tolerance mechanisms for handling the failure of publisher nodes
Authentication of Aggregated MAC
[Figure: routing node, subscribers, publishers and security manager; no further content on this slide.]
Future Work
• Formal safety proof of our algorithm
• Incorporate a fault tolerant mechanism using a threshold sharing scheme
  • Disclose the sum with m publishers out of n publishers if m is greater than threshold k
• Experiments with a prototype system
  • Performance overhead of our scheme
• Support other aggregate functions such as MAX/MIN