Advances in Service Computing: Indexing and Routing Techniques
This document explores advancements in service computing, specifically focusing on indexing and routing techniques used in peer-to-peer systems. It discusses centralized indexes in Napster and selective forwarding strategies in both Clip2 and Gnutella networks. Additionally, it covers structured approaches to routing that enhance the efficiency and reliability of information retrieval in distributed systems. This work by Prof. Dr. Ramin Yahyapour, dated December 1, 2009, provides insights that are vital for researchers and practitioners in the field of IT and media.
- Service Computing. Prof. Dr. Ramin Yahyapour, IT & Medien Centrum, 1 December 2009
- Centralized Indexes: Napster
- Selective Forwarding: Clip2 Gnutella
- Selective Forwarding: Gnutella (2)
- Routing: Structured Approaches
  - Goal: make sure that an identified item (file) is always found in a reasonable number of steps
  - Abstraction: a distributed hash table (DHT) data structure: insert(id, item); item = query(id)
  - Note: item can be anything: a data object, document, file, pointer to a file, ...
  - Proposals: CAN (ICIR/Berkeley), Chord (MIT/Berkeley), Pastry (Rice), Tapestry (Berkeley)
  - Source: Dave Eckhardt, CMU
- Routing: Chord
  - Associate to each node and item a unique id in a one-dimensional space
  - Properties: routing table size O(log(N)), where N is the total number of nodes; guarantees that a file is found in O(log(N)) steps
  - Source: Dave Eckhardt, CMU
- Aside: Consistent Hashing [Karger 97] (figure: a circular 7-bit ID space with nodes N32, N90, N105 and keys K5, K20, K80)
  - A key is stored at its successor: the node with the next higher ID
  - Source: Dave Eckhardt, CMU
- Routing: Chord Basic Lookup (figure: nodes N10, N32, N60, N90, N105, N120; a node asks "Where is key 80?", the query is forwarded along successor pointers, and the answer comes back as "N90 has K80")
  - Source: Dave Eckhardt, CMU
- Routing: "Finger table", Faster Lookups (figure: node N80 keeps pointers to the nodes owning the IDs ½, ¼, 1/8, 1/16, 1/32, 1/64 and 1/128 of the ring ahead of it)
  - Source: Dave Eckhardt, CMU
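The consistent-hashing rule and the two Chord lookups from the slides above, worked through on a constructed ring. This is an added example, not code from the slides or from Dave Eckhardt's material: it assumes the 7-bit ID space and the node ids shown in the figures (N10, N32, N60, N90, N105, N120), the standard Chord finger definition finger[i] = successor(n + 2^i), and reports each lookup as the list of nodes visited so the basic and the finger-table lookups can be compared.

```python
"""Chord-style lookup on the 7-bit ring used in the slides (constructed example)."""

M_BITS = 7                      # "circular 7-bit ID space"
RING = 1 << M_BITS              # 128 ids: 0..127

# Node ids taken from the slides' figures (constructed ring, not a real deployment)
NODES = [10, 32, 60, 90, 105, 120]


def in_open(x, a, b):
    """True if x lies strictly inside the circular interval (a, b)."""
    if a < b:
        return a < x < b
    return x > a or x < b


def in_half_open(x, a, b):
    """True if x lies in the circular interval (a, b]."""
    if a < b:
        return a < x <= b
    return x > a or x <= b


def successor(ident, nodes=NODES):
    """Consistent hashing rule: an id is owned by the node with the next higher id,
    wrapping around the ring."""
    for n in sorted(nodes):
        if n >= ident:
            return n
    return min(nodes)


def next_node(n, nodes=NODES):
    """A node's successor pointer (the first node after it on the ring)."""
    return successor((n + 1) % RING, nodes)


def finger_table(n, nodes=NODES):
    """finger[i] = successor(n + 2^i): pointers at 1/128, 1/64, ... 1/2 of the ring ahead."""
    return [successor((n + (1 << i)) % RING, nodes) for i in range(M_BITS)]


def lookup_basic(start, key, nodes=NODES):
    """Basic lookup: walk successor pointers until the owner is reached.
    Returns the list of nodes visited, ending with the owner of the key."""
    path = [start]
    node = start
    while not in_half_open(key, node, next_node(node, nodes)):
        node = next_node(node, nodes)
        path.append(node)
    path.append(next_node(node, nodes))
    return path


def closest_preceding_finger(n, key, nodes=NODES):
    """Largest finger that lies between n and the key (exclusive); n itself if none."""
    for f in reversed(finger_table(n, nodes)):
        if in_open(f, n, key):
            return f
    return n


def lookup_fingers(start, key, nodes=NODES):
    """Finger-table lookup: each hop at least halves the remaining distance, O(log N) hops."""
    path = [start]
    node = start
    while not in_half_open(key, node, next_node(node, nodes)):
        nxt = closest_preceding_finger(node, key, nodes)
        if nxt == node:            # no finger precedes the key: fall back to the successor
            nxt = next_node(node, nodes)
        node = nxt
        path.append(node)
    path.append(next_node(node, nodes))
    return path


if __name__ == "__main__":
    for k in (5, 20, 80):
        print(f"K{k} is stored at N{successor(k)}")
    print("basic  :", lookup_basic(10, 80))     # [10, 32, 60, 90]
    print("fingers:", lookup_fingers(10, 80))   # [10, 60, 90]
```

With six nodes the saving is one hop, but the finger lookup never needs more than about log2(N) hops, which is the property the Chord slide claims; the basic walk grows linearly with N.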
- What is JXTA?
  - JXTA is a set of open, generalized P2P protocols that allow any connected device on the network to communicate and collaborate
  - JXTA is middleware, designed as a set of building blocks to allow developers to rapidly develop P2P applications
  - JXTA is designed to have a peer-to-peer, decentralized model (although JXTA supports traditional client/centralized server and brokered models)
  - As in Gnutella, every JXTA peer can be both a client and a server
  - 6 protocols: Peer Discovery Protocol, Peer Resolver Protocol, Peer Information Protocol, Pipe Binding Protocol, Endpoint Routing Protocol, Rendezvous Protocol
  - Source: I.J.Taylor
- JXTA Terms (figure: peers, a JXTA group and a rendezvous peer)
  - Peer: a JXTA node
  - JXTA Group: a set of JXTA nodes who share a common interest
  - Rendezvous Peer: a meeting place, e.g. a gateway for JXTA groups
  - Source: I.J.Taylor
- JXTA Overview
  - Project JXTA defines a set of six protocols, which allow peers to: discover each other; self-organize into peer groups; advertise and discover network services; communicate with each other; monitor each other
  - ...and the protocols do not require the use of any particular programming language, operating system, network transport, topology, authentication, security or encryption model
  - The JXTA protocols therefore allow heterogeneous devices with completely different software stacks to interoperate
  - Source: I.J.Taylor
- JXTA Architecture (figure, top to bottom)
  - JXTA Applications: JXTA Community Applications, SUN JXTA Applications, JXTA Shell, Peer Commands
  - JXTA Services: JXTA Community Services, SUN JXTA Services (Indexing, Searching, File Sharing)
  - JXTA Core: Peer Groups, Peer Pipes, Peer Monitoring, Security (authentication, authorization and on the wire)
  - Any Peer on the extended Web
  - Source: I.J.Taylor
- Devices in a JXTA Network (figure: devices behind firewalls and NATs, connected over Bluetooth, TCP and HTTP): a distributed, decentralized set of heterogeneous devices
  - Source: I.J.Taylor
- JXTA Terms and Concepts
  - Peer: any networked device that implements one or more of the JXTA protocols
  - Advertisements: XML structured documents that name, describe and publish the existence of a resource, e.g. peer, peer group, pipe or service
  - Messages: sent between peers; can be XML or binary
  - Pipes: messages are sent through virtual pipes (see next section)
  - Identifiers: each JXTA entity (peer, advertisement etc.) has a UUID identifier
  - Rendezvous Nodes: caching nodes for advertisements, similar to the super/reflector nodes in lecture 4
  - Relay Nodes: JXTA routers; they help to route messages via firewalls, NAT systems etc., i.e. they relay the message on
  - Source: I.J.Taylor
- JXTA Virtual Mapping (figure: the JXTA virtual network of peers is mapped onto a physical network of firewalls, NATs, Bluetooth, TCP/IP and HTTP links)
  - Source: I.J.Taylor
- JXTA Groups
  - virtual entity: speaks a set of peer group protocols
  - collection of cooperating peers providing a common set of services, e.g. a file sharing peer group, a CPU sharing peer group
  - Peer group boundaries define search scope
  - can be used to create a monitoring environment
  - can be password protected and implement local security policies
  - one special group, called the World Peer Group (the default peer group a peer joins), includes all JXTA peers
  - At least one rendezvous per group: groups are the scoping environment for a rendezvous
  - (figure: two file-sharing groups, FS Frank and FS Fred, each with its own peers)
  - Source: I.J.Taylor
- JXTA Pipes (figure: an output pipe on Peer 1 and an input pipe on Peer 2 form a JXTA pipe whose actual route passes through Peer 3, Peer 4 and a firewall)
  - Virtual communication channels
  - Switchable, e.g. TCP/IP, HTTP, Bluetooth
  - NOT point to point
  - Pipe endpoints: the input pipe (the receiving end) and the output pipe (the sending end)
  - Asynchronous and unidirectional: messages flow from the output pipe into the input pipes
  - Support the transfer of any object, including binary code, data strings and Java technology-based objects
  - Two types: (End) Point to (End) Point, and Propagate (multicast)
  - Source: I.J.Taylor
- JXTA Scenario (figure: a rendezvous node RV, nodes 1-7 and a New Node)
  - Rendezvous node (RV) accepts connections from nodes 1-7 and stores their advertisements locally
  - New Node contacts the Rendezvous using a discovery mechanism, e.g. unicast/multicast (PDP)
  - RV authenticates New Node and adds it to the group (RVP)
  - New Node performs a file search query by contacting the RV, which finds a match locally or propagates the query to all other members in the group
  - The file is found on node 6 (PDP)
  - New Node and node 6 communicate directly through a JXTA pipe. This connection is virtual and may actually traverse (route) through the RV node and node 7
  - Source: I.J.Taylor
- JXTA protocol stack (figure: each protocol is carried by the one listed beneath it)
  - Peer Discovery Protocol, via Peer Resolver Protocol
  - Peer Information Protocol, via Peer Resolver Protocol
  - Pipe Binding Protocol, via Peer Resolver Protocol
  - Peer Resolver Protocol, via Endpoint Routing Protocol
  - Rendezvous Protocol, via Endpoint Routing Protocol
  - Peer Endpoint Protocol, via installed Network Transports
  - Network Transport
  - Source: I.J.Taylor
- Peer Discovery (Peer Discovery Protocol)
  - A peer uses the PDP to discover a JXTA resource
  - resources are described by advertisements, e.g. services, pipes, peers, peer groups, or any other advertisements
  - Note that the first word, peer, is the subject and not necessarily the object
  - Using this protocol, peers can advertise their own resources and discover the resources of other peers
  - Peer resources are published using XML-based advertisements
  - Two levels of discovery: joining a JXTA network (multicast, unicast) and discovering JXTA resources within a JXTA network
  - Source: I.J.Taylor
- Finding Information about Peers (Peer Information Protocol)
  - allows peers to learn about the capabilities and status of other peers, e.g. uptime, traffic load, capabilities, state etc.
  - e.g. one can send a ping message to see if a peer is alive
  - also query a peer's properties, where each property has a name and a value string
  - useful for implementing monitoring
  - Source: I.J.Taylor
- Binding Pipes (Pipe Binding Protocol; figure: the output pipe on Peer 1 and the input pipe on Peer 2 form a JXTA pipe whose actual route passes through Peer 3, Peer 4 and a firewall)
  - allows a peer to establish a virtual communication channel (i.e. a pipe) between peers
  - allows the binding of the two or more pipe endpoints forming the connection
  - a peer binds a pipe advertisement to a pipe endpoint, thus indicating where messages actually go over the pipe
  - Bind occurs during the open operation, whereas unbind occurs during the close operation
  - Source: I.J.Taylor
- 'The' Resolver (Peer Resolver Protocol)
  - enables a peer to implement high-level search capabilities
  - allows a peer to send and receive generic queries to find or search for peers, peer groups, pipes and other information
  - Source: I.J.Taylor
- Rendezvous (Rendezvous Protocol)
  - allows a peer to send messages to all the listeners of the service
  - The rendezvous protocol defines how a peer can subscribe or be a subscriber to a propagation service, allowing larger communities to form
  - A rendezvous node's scope is a peer group
  - e.g. the rendezvous protocol is used by the peer resolver protocol and by the pipe binding protocol in order to propagate messages
  - Source: I.J.Taylor
- Routing Those Messages (Endpoint Routing Protocol)
  - allows a peer to find information about the available routes for sending a message to a destination peer, i.e. pipes are often not directly connected to each other
  - allows the implementation of routing algorithms in JXTA
  - Peers implementing the endpoint routing protocol respond to queries with available route information giving a list of gateways along the route
  - Source: I.J.Taylor
- Secret-key Encryption (figure): sender and receiver both acquire key K; the sender encrypts message M as C = f(K, M) and sends cipher text C; the receiver receives C and decrypts it as M = f^-1(K, C)
- Data Encryption Standard (DES)
  - DES is the most commonly used secret key encryption technique
  - 64 bit plain text + 56 bit secret key generates 64 bit encrypted output
  - DES can be easily implemented in VLSI
  - Goal of DES: calculation of the key is infeasible, even if the attacker knows the plain text and the cipher text of a message
  - The only known way to break DES is to exhaustively search all possible 2^56 keys
- DES Procedure (figure): initial permutation, 16 rounds (Round 1 ... Round 16) driven by the 56 bit key, final permutation
- Cipher Block Chaining
  - plain text block i XOR encrypted block i-1
  - XOR: 2 applications produce the same value
  - identical blocks produce different encrypted blocks
  - problem at the beginning of the message: use of an initialization vector, e.g. a time stamp
  - Problem: unreliable connection, loss of blocks
- Stream Ciphers (figure: a number generator fills a buffer with keystream values n+1, n+2, n+3, ... which are XORed with the plaintext stream to give the ciphertext stream)
  - Stream ciphers: incremental encryption, one bit at a time
  - Keystream: arbitrary-length sequence of bits, XORed with the plain text: E(k, m)
- Diffusion & Confusion
  - Diffusion: regular patterns in the plaintext are dissipated by transposing portions of each plaintext block. With CBC, redundancy is distributed throughout a longer text (cannot be used with stream ciphers as there are no blocks)
  - Confusion: using non-destructive operations (XOR, circular shift) to combine each block of plaintext with the key; the relationship between M and {M}k is disguised, otherwise statistical analysis can be used (Enigma)
- Cipher Block Chaining (CBC) (figure: Block 1 to Block 4 are each XORed (+) with the previous cipher block, the IV for Block 1, and then passed through DES to give Cipher 1 to Cipher 4)
  - Large messages are broken into 64 bit blocks
  - The cipher text for block i is XORed with the plain text for block i+1 before DES is applied to the result
  - An initialization vector (IV) is used as the cipher text of block 0
  - Deciphering is started with the last block
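The chaining described on the two CBC slides, as an added example that is not part of the original presentation. DES itself is not implemented here; a small invertible byte-mixing function stands in for it (an assumption made purely to keep the example self-contained, and it offers no security). The key, IV and message are constructed. The example shows the three points the slides make: without chaining identical plaintext blocks give identical cipher blocks, with CBC they differ and depend on the IV, and because XOR twice restores the value a lost cipher block garbles only one decrypted block before the stream resynchronises.

```python
"""CBC vs ECB chaining with a toy 64-bit block cipher (constructed example)."""

BLOCK = 8  # 64-bit blocks, as DES uses


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key, block):
    """Invertible stand-in for DES: key-dependent byte mixing plus a rotation.
    It offers no security at all; only the chaining around it is the point."""
    mixed = bytes(((block[i] ^ key[i]) + key[(i + 1) % BLOCK]) % 256 for i in range(BLOCK))
    return mixed[3:] + mixed[:3]


def toy_block_decrypt(key, block):
    mixed = block[-3:] + block[:-3]
    return bytes(((mixed[i] - key[(i + 1) % BLOCK]) % 256) ^ key[i] for i in range(BLOCK))


def split_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("example keeps messages a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """No chaining: identical plaintext blocks give identical cipher blocks."""
    return b"".join(toy_block_encrypt(key, p) for p in split_blocks(plaintext))


def cbc_encrypt(key, iv, plaintext):
    """Cipher block chaining: plain block i is XORed with cipher block i-1 before
    the block cipher; the IV plays the role of cipher block 0."""
    prev, out = iv, []
    for p in split_blocks(plaintext):
        c = toy_block_encrypt(key, xor_bytes(p, prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    """XOR twice gives the original value back, so decrypting block i only needs
    cipher block i-1: a lost block garbles one block and the stream resynchronises."""
    prev, out = iv, []
    for c in split_blocks(ciphertext):
        out.append(xor_bytes(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def simulate_block_loss(key, iv, plaintext, lost_index):
    """Drop one cipher block in transit and report which recovered blocks are correct.
    After the gap, recovered block j corresponds to original block j+1."""
    blocks = split_blocks(cbc_encrypt(key, iv, plaintext))
    received = b"".join(b for i, b in enumerate(blocks) if i != lost_index)
    recovered = split_blocks(cbc_decrypt(key, iv, received))
    expected = split_blocks(plaintext)
    return [recovered[j] == (expected[j] if j < lost_index else expected[j + 1])
            for j in range(len(recovered))]


# constructed key and IV (the slides suggest e.g. a time stamp as IV)
KEY = bytes(range(BLOCK))
IV = bytes(BLOCK)
MESSAGE = b"ATTACKAT" * 4   # four identical 64-bit blocks


if __name__ == "__main__":
    print("ECB distinct cipher blocks:", len(set(split_blocks(ecb_encrypt(KEY, MESSAGE)))))
    print("CBC distinct cipher blocks:", len(set(split_blocks(cbc_encrypt(KEY, IV, MESSAGE)))))
    print("blocks correct after losing cipher block 1:", simulate_block_loss(KEY, IV, MESSAGE, 1))
```

The loss simulation is the "unreliable connection" problem from the first CBC slide: the receiver cannot tell that a block is missing, and the block following the gap decrypts to garbage while everything after it comes out right.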
- Asymmetric Encryption, Better Known as Public/Private Key
  - user X has a pair of keys, one public and one private
  - To encrypt a message to X, use X's public key
  - X will decrypt the encrypted message using X's private key that "matches" X's public key
  - Most common algorithm is the RSA (Rivest Shamir Adleman) algorithm with key lengths from 512 to 1024 bits
  - Uses modular arithmetic & elementary number theory, based on the fact that it is extremely difficult to find the prime factors of large numbers
  - Used in Pretty Good Privacy (PGP), the Secure Sockets Layer (SSL), S/MIME, Secure Electronic Transactions (SET), Secure Shell (SSH)
  - X.509 v3 certificates, as used in JXTA and Globus/OGSA, are included in WWW browsers, e.g. Netscape and Microsoft Internet Explorer
- Public-key Encryption
  - Each participant in a public key encrypted communication has a private key and a public key
  - private key: known only to the participant
  - public key: known to everyone
  - Assumption of frequently used public-key encryption: factorization of the product of two large prime numbers is an infeasible problem
- Hash Functions
  - One-way functions: non-reversible, "quick" encryption
  - produce a fixed length value called a hash or message digest
  - used to authenticate the contents of a message
  - Common message digest functions: MD4 and MD5 produce 128 bit hashes; SHA produces 160 bit hashes
- Public-key Communication (figure): the receiver computes private key Kd and public key Ke and publishes Ke in a public key database; the sender acquires Ke of the intended receiver, encrypts plain text M as C = E(M, Ke) and transmits cipher text C; the receiver receives C and decrypts it as M = D(C, Kd)
- Rivest, Shamir and Adleman (RSA) Method
  - Most commonly the RSA method is used to construct pairs of private and public keys
  - Choose two large prime numbers p and q: n = p • q and z = (p-1) • (q-1)
  - The private key d is relatively prime with z
  - The public key e is the smallest number that solves e • d = 1 mod z
  - The plain text is divided into blocks of length k < ld n (ld = logarithm to base 2)
  - Construct cipher text c from plain text m by c = m^e mod n
  - Decipher c by m = c^d mod n
- Example of RSA
  - p = 13, q = 17; n = 221, z = 192
  - select d = 5
  - e • d is the smallest element of {1, z + 1 = 193, 2z + 1 = 385, 3z + 1 = 577, ...} that is divisible by d: e = 385/5 = 77
  - k = 7 < ld 221
  - c = m^77 mod 221; m = c^5 mod 221
- Breaking RSA
  - Given e and n, the prime numbers p and q are required to determine d
  - So far there is no fast algorithm to factorize a large number n
  - The security can further be enhanced by using larger prime numbers
  - However, RSA code can be easily broken if the pattern of generating large prime numbers is highly predictable
- Secret versus Public Key Encryption
  - Security: both methods are secure for normal purposes if they are carefully implemented
  - Convenience: public key encryption is more convenient as no secret channel is required to distribute the keys
  - Performance: DES is significantly faster than RSA if a software implementation is used. DES can be efficiently implemented in hardware, which is currently not possible for the decryption of RSA codes
- Public Key Weakness
  - Availability of the public key: exhaustively encrypting arbitrary sequences until the target sequence is met (chosen plaintext attack)
  - Solution: all messages are longer than the key; the attack is then less feasible than a direct attack on the key
  - Concept: trap door: easy to open from one side but not from the other side
- Digital Signature
  - authentic: the signer has signed the document and it has not been altered by anyone
  - unforgeable: the signature cannot be copied and used somewhere else
  - non-repudiable: the signer cannot deny that he has signed the document
- Signing (figure): the message is passed through a hash function; the signing function combines the hash with the private key to produce the digital signature; message and signature go to the verifier
- Verifying (figure): the message from the signer is passed through the same hash function; the verify function checks the digital signature against the hash with the public key and answers valid yes/no
- Digital Signature
  - encoding the whole text with a private key using a digest function (secure hash function)
  - Properties: given M, it is easy to compute h; given h, it is hard to compute M; given M, it is hard to find another message M' such that H(M) = H(M')
  - MD5: 512 bit -> 128 bit digest
  - SHA: 160 bit digest (Secure Hash Algorithm)
- Digital Signature Verification
  - Verification indicates that the digital signature was created by the signer (i.e. s/he is the only person with access to the private key) and that the message was not altered since it was signed (because hash collisions are considered mathematically improbable)
  - There exist a number of different mathematical formulas and procedures, but all share this overall operational pattern
  - Note: signing does not encrypt a message; it is merely a method of verifying identity
  - But encrypting a message with a private key also verifies a message, although much less efficiently if this is its only purpose
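One worked example serves both the RSA slides (method, the p = 13, q = 17 example, and "Breaking RSA") and the signing/verifying slides above. It is added here and is not code from the presentation. The key construction follows the slides exactly (pick d coprime to z, then take the smallest e with e • d = 1 mod z), and reproduces e = 77, n = 221, k = 7. For the hash-then-sign part the SHA-256 digest is reduced mod n so that it fits a toy modulus, which is a simplification of this example and not how real signature schemes treat the digest (they pad it); the larger primes 104729 and 1299709 and the private exponent 65537 are constructed values chosen only to give the digest some room.

```python
"""RSA key construction as in the slides, plus hash-then-sign (constructed example)."""
import hashlib
from math import gcd


def rsa_keypair(p, q, d):
    """Follow the slides: n = p*q, z = (p-1)(q-1), private exponent d coprime to z,
    public exponent e = smallest number with e*d = 1 (mod z), i.e. the first
    k*z + 1 that is divisible by d."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    k = 1
    while (k * z + 1) % d:
        k += 1
    e = (k * z + 1) // d
    return (e, n), (d, n)          # public key, private key


def block_bits(n):
    """Plain text is cut into blocks of k bits with k < ld n (ld = log2)."""
    return n.bit_length() - 1


def rsa_encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("block must be smaller than n")
    return pow(m, e, n)            # c = m^e mod n


def rsa_decrypt(c, private):
    d, n = private
    return pow(c, d, n)            # m = c^d mod n


def factor_small_modulus(n):
    """Trial division: for a toy n this recovers p and q instantly, which is why
    the slide's n = 221 is only an illustration and real keys use large primes."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def private_from_public(public):
    """'Breaking RSA' slide: given e and n, the factors p and q are what is needed
    to determine d (here by the modular inverse of e modulo z)."""
    e, n = public
    p, q = factor_small_modulus(n)
    return (pow(e, -1, (p - 1) * (q - 1)), n)


def digest_mod_n(message, n):
    """Hash the message (SHA-256) and reduce the digest into the RSA range.
    Real schemes pad the digest instead of reducing it; this keeps the toy small."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    """Signing function from the slide: the digest goes through the private key."""
    d, n = private
    return pow(digest_mod_n(message, n), d, n)


def verify(message, signature, public):
    """Verify function: recover the digest with the public key and compare."""
    e, n = public
    return pow(signature, e, n) == digest_mod_n(message, n)


def signature_demo(message, tampered):
    """Sign with a constructed larger key; returns (genuine verifies, tampered verifies)."""
    pub, priv = rsa_keypair(104729, 1299709, 65537)   # constructed primes, not a real key
    s = sign(message, priv)
    return verify(message, s, pub), verify(tampered, s, pub)


if __name__ == "__main__":
    pub, priv = rsa_keypair(13, 17, 5)      # the slide's example: e = 77, n = 221
    print(pub, priv, "block bits:", block_bits(221))
    c = rsa_encrypt(42, pub)
    print("c =", c, "m =", rsa_decrypt(c, priv))
    print("private key recovered from (e, n):", private_from_public(pub))
    print(signature_demo(b"pay 10 EUR", b"pay 100 EUR"))   # (True, False)
```

The same modular exponentiation does both jobs, which is the point of the last verification slide: encrypting with the private key would also prove who sent the message, but signing the short digest is far cheaper than running the whole text through the private key.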
- Uses of Secure Channels
  - Secure Socket Layer (SSL): helps improve the safety of Internet communications; standard for encrypted client/server communication; protocol that runs on top of TCP/IP; utilizes several security techniques, e.g. public keys, symmetric keys and certificates; web sites commonly use SSL to guard private information such as credit card numbers
  - Transport Layer Security (TLS): protocol that ensures privacy between users; successor to SSL
- Symmetric: Shared Secret Keys
  - generated once and secretly passed to the individuals
  - This can be done in a number of ways: other methods, e.g. by using public keys; telephone each other; post it to each other
  - Example system that uses this: Kerberos
- Secure Socket Layers (SSL) handshake
  - Establish: protocol version, session ID, cipher suites, compression method, exchange of random values
  - Optionally send server certificate, request client certificate
  - Send client certificate response if requested
  - Change cipher suite and finish handshake
  - premaster secret -> 2 session keys
- Net Specific Encryption (figure: Machine A and Machine B each run Application, Telnet, TCP/UDP and IP above a De/Encryption layer in the Network Layer)