
Secure Aggregation in a Publish-subscribe system


Presentation Transcript


  1. Secure Aggregation in a Publish-subscribe System
  Kazuhiro Minami*, Adam Lee**, Marianne Winslett*, and Nikita Borisov*
  *University of Illinois at Urbana-Champaign, **University of Pittsburgh

  2. Publish-subscribe System for Wide-area Control Systems
  [Diagram: publishers such as a door card reader, motion sensor, phasor measurement units and power meters send events through the routing nodes of a publish-subscribe overlay network to subscribers such as a building management system and a power grid monitor.]

  3. Information Infrastructure Needs
  • Scalability
    • Keep up with the growing number of installed sensors and devices that publish events frequently
  • Communication bandwidth and latency
    • Reducing the bandwidth requirements helps reduce the deployment cost of wide-area control systems
  • Flexibility
    • Accommodate the diverse security requirements of different entities

  4. In-network Aggregation
  In-network aggregation could reduce bandwidth requirements further.
  [Diagram: application-level aggregation, where the publishers send x1, x2, x3 to the subscriber, which computes f(x1,x2,x3) itself, versus in-network aggregation, where a routing node computes f(x1,x2,x3) and forwards only the result; one node acts as both subscriber and publisher.]

  5. Goals of Secure Aggregation
  • Confidentiality
    • Publish aggregated data only to authorized subscribers while protecting the confidentiality of the individual raw data
  • Integrity
    • Subscribers can verify the authenticity and integrity of aggregated data

  6. System Model
  [Diagram: publishers, subscribers, routing nodes and a security manager in the publish-subscribe system, with numbered message flows: 1. confidentiality policies, 2. subscription requests, 3. routing path, 4. publication requests, 5. raw data, 6. aggregated data.]

  7. Our Assumptions
  • No more than m parties collude
  • Public key infrastructure
  • Publishers and subscribers can send secrets to each other securely
  • Routing nodes (the pub-sub system) are not trusted with the integrity of the aggregate
  • Routing nodes are not trusted with the confidentiality of private input

  8. Supporting Additive Aggregation as a First Step
  • Compute the sum of multiple values published by different publishers
  • Can support other functions such as COUNT, AVERAGE, STD, etc.

  9. v1 Psub acl(v1) Psub acl(P1.v1+P2.v2) v1+v2 v2 Psub acl(v2) Psub acl(P1.v1+P2.v2) Confidentiality Requirement • Allow publishers to disclose aggregated data only to authorized subscribers while keeping raw data private P1 v1 v1, v2 Pub-sub system Psub P2 Subscriber v2 Pub-sub system should read neither v1, v2, nor v1+v2. Publishers

  10. Naive Approach 1
  • Use additively homomorphic encryption (i.e., E(v1+v2) = E(v1) + E(v2)) to protect raw data from untrusted routing nodes
  [Diagram: an adversarial routing node R can forward E(v1) to Psub instead of only E(v1+v2), and Psub decrypts it to v1: violation of P1's confidentiality policy.]

  11. Naive Approach 1 (continued)
  • Use additively homomorphic encryption (i.e., E(v1+v2) = E(v1) + E(v2)) to protect raw data from untrusted routing nodes
  [Diagram: an adversarial routing node R computes E(v1+2*v2) from E(v1) and E(v2) and forwards it, so Psub accepts v1+2*v2 as the sum: violation of Psub's integrity policy.]

  12. Naive Approach 2
  • Attach the raw data and its digital signatures so the subscriber can verify the integrity and authenticity of the data
  [Diagram: P1 sends E(v1), Sig1(E(v1)) and P2 sends E(v2), Sig2(E(v2)); routing node R must forward E(v1+v2), E(v1), E(v2), Sig1(E(v1)), Sig2(E(v2)) to Psub. Too much data to send!]

  13. Our Approach
  • Secret splitting to protect confidential data
  • Homomorphic message authentication code (MAC) to ensure the integrity of aggregated data
  • MAC(v, g) = g^v (mod p), where p is a large prime, so that MAC(v1, g) * MAC(v2, g) = MAC(v1+v2, g)

  14. Protocol Sketch: Initial Secret Sharing
  • Publishers and subscribers share a secret generator g of group Gp
  • Publisher Pi sends secrets ri and qi to a subscriber
  [Diagram: P1 sends r1, q1 and P2 sends r2, q2 to Psub over an out-of-band channel; g is known to P1, P2 and Psub; the routing nodes R sit between them.]

  15. Protocol Sketch: Publication of Data
  • Publisher Pi splits vi − qi into v'i,1 and v'i,2 (necessary to protect the sum v1+v2 from the root routing node)
  • Publisher Pi computes ci = MAC(vi + ri, g) = g^(vi+ri) (blinding with ri is necessary to protect the generator g from a known-plaintext attack)
  [Diagram: P1 sends v'1,1 together with c1 to one routing node R and v'1,2 to another; P2 likewise sends v'2,1 with c2 and v'2,2; the routing nodes forward toward Psub.]

  16. Protocol Sketch: Publication of Data (continued)
  • Aggregator R computes the sum v'sum of the input shares and the product csum of the input MACs
  • Aggregator R publishes v'sum and csum
  [Diagram: the intermediate routing nodes forward the partial sums of the shares they hold, v'1,1+v'2,2 with c1 and v'1,2+v'2,1 with c2, to the root aggregator R, which computes v'sum ≡ v'1,1 + v'2,2 + v'1,2 + v'2,1 and csum ≡ c1 * c2 and sends them to Psub.]

  17. Protocol Sketch: Verification
  • Subscriber Psub computes the real sum vsum = v'sum + q1 + q2
  • Psub checks whether csum = MAC(vsum + r1 + r2, g)
  [Diagram: the same message flow as slide 16; Psub additionally holds g, r1, q1, r2, q2 from the initial secret sharing.]
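The protocol of slides 13 to 17 (secret sharing, splitting and MAC, aggregation, verification) carried through end to end. This is an added example, not code from the paper; it assumes toy group parameters p = 1019, q = 509, g = 4, models the out-of-band channel by letting the subscriber read r_i and q_i directly, and feeds one root aggregator from two share-holding routing nodes.

```python
import secrets

# Toy parameters, constructed for this example: p = 2q + 1 is a small safe prime
# and g generates the subgroup G_p of prime order q. The slides only require a
# large prime p and a generator g shared secretly by publishers and subscribers.
P = 1019
ORDER = (P - 1) // 2        # q = 509, the prime order of G_p
G = pow(2, 2, P)            # 4, a quadratic residue mod p, hence of order q

def mac(v, g):
    """Homomorphic MAC from the slides: MAC(v, g) = g^v mod p."""
    return pow(g, v % ORDER, P)

def split(x):
    """Secret splitting: two additive shares of x; either share alone is uniform."""
    share1 = secrets.randbelow(ORDER)
    return share1, (x - share1) % ORDER

class Publisher:
    """P_i holds v_i and the secrets r_i, q_i it shared out-of-band with P_sub."""
    def __init__(self, value):
        self.v = value
        self.r = secrets.randbelow(ORDER)   # blinds the MAC exponent, hiding g
        self.q = secrets.randbelow(ORDER)   # blinds v_i so no share sum reveals it

    def publish(self):
        # Split v_i - q_i into v'_i,1 and v'_i,2; MAC v_i + r_i.
        share1, share2 = split(self.v - self.q)
        return share1, share2, mac(self.v + self.r, G)

def aggregate(messages):
    """Routing nodes: each share goes to a different node, the root adds the
    partial sums and multiplies the MACs. No node sees any v_i or v_sum."""
    node1 = sum(m[0] for m in messages) % ORDER     # holds v'_i,1 of every P_i
    node2 = sum(m[1] for m in messages) % ORDER     # holds v'_i,2 of every P_i
    c_sum = 1
    for _, _, c in messages:
        c_sum = c_sum * c % P
    return (node1 + node2) % ORDER, c_sum           # (v'_sum, c_sum)

def verify(v_prime_sum, c_sum, pubs):
    """Subscriber P_sub: unblind with the q_i, then check the aggregated MAC."""
    v_sum = (v_prime_sum + sum(p.q for p in pubs)) % ORDER
    return c_sum == mac(v_sum + sum(p.r for p in pubs), G), v_sum

def run(values, tamper=0):
    """Full protocol; `tamper` models a routing node altering v'_sum in transit."""
    pubs = [Publisher(v) for v in values]
    v_prime_sum, c_sum = aggregate([p.publish() for p in pubs])
    return verify((v_prime_sum + tamper) % ORDER, c_sum, pubs)
```

Any nonzero change to v'sum in transit makes the MAC check fail, which is the integrity property the slides claim; the real sum must stay below q for the modular recovery to be exact.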

  18. Security Properties
  • Confidentiality of the aggregate sum
    • No coalition of routing nodes can obtain the sum
  • Confidentiality of individual data
    • No colluding set of parties of size up to m can obtain any publisher Pi's input data vi
  • Integrity of the aggregate sum
    • The probability that subscriber Psub accepts an incorrect sum is at most 1/p, where p is the prime order of group Gp

  19. Related Work
  • Secure aggregation in sensor networks
    • Integrity: Chan [CCS06], Przydatek [SenSys03]
    • Confidentiality: Castelluccia [Mobiquitous05], Girao [ICC06], He [INFOCOM07], Hu [SAINT03 Workshop]
  • Verification of aggregated queries
    • Integrity: Haber [TR HPL06]

  20. Summary
  • Secure additive aggregation protocol in the presence of untrusted routing nodes
  • Protects publishers' private data with secret splitting
  • Homomorphic MAC scheme ensures the integrity of the aggregate sum
  • Future work includes fault tolerance mechanisms for handling the failure of publisher nodes

  21. Thanks!

  22. Authentication of Aggregated MAC
  [Diagram: routing node, subscribers, publishers and security manager; the slide carries no further text.]

  23. Future Work
  • Formal safety proof of our algorithm
  • Incorporate a fault-tolerant mechanism using a threshold sharing scheme
    • Disclose the sum of m publishers out of n publishers if m is greater than the threshold k
  • Experiments with a prototype system
    • Performance overhead of our scheme
  • Support other aggregate functions such as MAX/MIN
