• Open Access

A formal separation method of protocols to eliminate parallel attacks in virtual organization

Authors


Abstract

The purpose of this paper is to introduce a technique to eliminate parallel attacks to protocol in virtual organization (VO) through enforcing dynamic authorization policies. Grid realizes coordinated resource sharing across multiple management domains. VO is defined as a key concept for operation and management of grid services. Due to the fact that VO focuses on dynamic, cross-organizational sharing relationships, one of the central challenges in the construction of scalable VO is that protocol specified by VO may have process of parallel running. To solve this problem, we present a formal definition of non-honest participants' malicious coordination operations which are necessary for parallel attack counterexample in VO. Based on that, we present the two-level dynamic authorization policy deploying scheme in VO for eliminating parallel attacks. Copyright © 2011 John Wiley & Sons, Ltd.

INTRODUCTION

Grid realizes coordinated resource sharing and provides quality of service by using standard, open, and general protocols and interfaces. Virtual organization (VO) is defined as a key concept for operation and management of grid services 1. VO creates its own context to associate users, resources, policies, and agreements and bridge trust relations and identities across the VO when making and processing requests for services related to a particular VO. Thus, VO can be presented as a federation of member organizations, resources, and services.

In defining grid architecture, we start from the perspective that effective VO operation requires that we should be able to establish sharing relationships among any potential participants. Interoperability is thus the central issue to be addressed. Hence, grid architecture is first and foremost a protocol architecture, with protocols defining the basic mechanisms by which VO users and resources negotiate, establish, manage, and exploit sharing relationships. These protocols include security solutions that support management of credentials and policies, resource management protocols and services that support secure access to computing and data resources, and the co-allocation of multiple resources. In practice, VO complement rather than replace existing institutions, sharing mechanisms cannot require substantial changes to local policies and must allow individual institutions to maintain ultimate control over their own resources. Since protocols govern the interaction between components, and not the implementation of the components, local control is preserved. Beyond this, individual institutions can join multiple VOs at the same time.

Due to the fact that VO focuses on dynamic, cross-organizational sharing relationships, which means, sharing relationships can be initiated among arbitrary parties, accommodating new participants dynamically, across different platforms, one of the central challenges in the construction of scalable VO is that protocol specified by VO may have process of parallel running. Significantly, although many of these protocols may seem relatively simple in local policies, non-honest participants may use information acquired in one session to compromise the security of another when an arbitrary number of multiple sessions are executed concurrently in VO.

The traditional way to solve this problem is to devise protocol which can achieve certain goal in scalable VO. While in VO, we can delegate authority for participants in controlled ways through dynamic authorization (access control), such that participants' malicious coordinated operations across multiple resources in VO can be avoided 2–4. On the one hand, the state of participant can be shared across all the assigned interactions; On the other hand, the assignment for participant can be controlled through dynamic authorization. This force us to investigate in detail how to enforce dynamic authorization policy based on attack counterexamples of non-honest participants 21 to eliminate parallel attacks in VO. Intuitively, we can devise protocol according to following steps:

  • 1Devising protocol which can achieve security goal in the process of running independently.
  • 2Enforcing dynamic authorization policy based on attack counterexamples of non-honest participants to eliminate parallel attacks in VO.

Thus, the cost to devise protocol in VO is reduced. This is the purpose of this paper.

We formalize this intuition by establishing arithmetic for protocol with strand spaces model that ensures that non-honest participants' malicious coordination operations which are necessary for parallel attack counterexample in VO can be defined. Based on that, we present one method to specify dynamic authorization policies in VO for avoiding non-honest participants' malicious coordinated operations which are necessary for attack counterexample. Further, we present two-level dynamic authorization policy deploying scheme in VO for eliminating parallel attacks.

Firstly, in our work, we express protocol in strand spaces 5–7 which has emerged as a popular framework for the security analysis of protocols. Roughly speaking, the strand spaces corresponding to a protocol is the set of traces of the various interactions between the principals under consideration. Often, as in the current protocol analysis methods based on type-checking like csp, ccs, and pi calculus 8–18, the intention is that sufficient conditions for protocol to be safe be evaluated. In contrast, in the protocol analysis methods based on model-checking like strand spaces, the attack counterexample of protocol is constructed to prove that the protocol is unsafe. In particular, the definition of trace of interactions between the principals in strand spaces model allowed us to specify dynamic authorization policies based on roles easily. Hence, we extend the strand spaces model to formalize the participants' information pool actions and define non-honest participants' malicious coordination operations which are necessary for parallel attack counterexample in VO.

Then, we present one method to separate protocol based on attack counterexample, such that non-honest participants' malicious coordinated operations can be included in specified roles. Further, we can specify dynamic authorization policies to control assignments for non-honest participants to these roles. Thus, non-honest participants' malicious coordinated operations which are necessary for attack counterexample can be avoided. Due to the fact that individual institutions can join multiple VOs at the same time, there may exist role conflict among dynamic authorization policies mentioned above, which means, protocol roles need to be separated in different ways for multiple VOs. We solve this problem through two-level dynamic authorization policy deploying scheme which realize dynamic authorization policies merging among multiple VOs.

Finally, we exemplify the applicability of our theory to real-world protocols by eliminating the parallel attacks to Diffie–Hellman mutual authentication protocol 19, 20.

The rest of this paper is structured as follows. In Section 2, we review strand spaces and authentication and authorization infrastructure (AAI) of grid. In Section 3, we present a formal definition of non-honest participants' malicious coordination operations which are necessary for parallel attack counterexample in VO. In Section 4, we present a method to enforce dynamic authorization policies in VO for eliminating parallel attacks. In Section 5, we interpret our result in Section 4.

BACKGROUND

Strand spaces

Let M be the set of possible messages that can be exchanged by the principals in a protocol. The set of atomic terms for M is the union of a set of text terms T and a set of key terms K, where T contain several different types of terms, such as principal names, nonces, and K contains a set of keys disjoint from T. In an asymmetric crypto system, k−1 (for k ∈ K) represents k's opposite member in a public–private key pair. In symmetric key systems, k−1 = k.

The set of all terms in M is defined inductively as follows:

  • 1If m is a text term or a key term, then m is a term.
  • 2If m is term and k is a key term, then enc(m, k) is a term. This represents encryption.
  • 3If m1 and m2 are terms, then m1m2 is a term. This represents concatenation.

A signed term is a pair <σ,µ> with σ ∈ {+, −} and equation image. A signed term equation image represents the sending of message and is typically written equation image, and a signed term equation image represents the reception of message and is typically written equation image.

A strand spaces over M consists of a set Σ, whose elements are called strand, together with a trace mapping equation image, associating each strand in Σ with a sequence of signed terms. We typically represent a strand spaces by the underlying set Σ, leaving the trace mapping implicit.

Strand spaces is aimed at reasoning about the security of systems in the presence of a hostile penetrator with various capabilities. In order to model such a penetrator, a notion of an infiltrated strand spaces is defined by THG 6; the infiltrated strand spaces for a protocol contains both regular strands that represent the actions available to principals and penetrator strands that represent the actions available to a penetrator.

A penetrator strand is one of the following, where g, h, k are terms, init-info(P) stands for penetrator's initial knowledge in protocol P:

  • 1M[g]: <+g>, where g ∈ init-info(P).
  • 2F[g]: <−g>.
  • 3T[g]: <−g,+g,+g>.
  • 4V[g, h]: equation image.
  • 5R[g, h]: equation image.
  • 6E[h, k]: equation image.
  • 7D[h, k]: equation image.

In a strand spaces Σ, a node is a pair equation image, with equation image and an integer i with equation image. The set of nodes of Σ is represented by equation image. We say the node equation image belongs to the strand s, and sometimes abuse notation by writing equation image. Given a node equation image, where equation image, equation image, …, equation image, define equation image. If n1 and n2 are nodes, we write equation image if equation image and equation image; we write equation image if both n1 and n2 occur on the same strand s and equation image and equation image. Note that the set equation image of nodes together with both sets of edges equation image and equation image forms a directed graph equation image.

In a strand spaces Σ, equation imageequation image represent a path of equation image, in which equation image, equation image,… equation image and equation image.

A bundle represents a snapshot of a possible protocol execution. Further, the bundle in which there exists attacks defines the attack counterexample of the protocol. For a given strand spaces Σ, let equation image be a subgraph of equation image. The graph B is a bundle if

  • 1B is finite.
  • 2If equation image and equation image is negative, then there is a unique n1 such that equation image.
  • 3If equation image and equation image, then equation image.
  • 4B is acyclic.

We say a node n is in the bundle B if it is in equation image.

Authentication and authorization infrastructure of grid virtual organization

Grid computing is particularly sensitive to authentication and authorization due to its decentralized nature. An AAI is a vital yet highly complex component of every grid infrastructure. The AAI is the framework over which grid resources, users and VO can authenticate one another by means of their policies.

Secure solution for authentication in VO is based on a Public Key Infrastructure (PKI). Each grid user (and grid service) is in possession of an X509 format certificate which is issued by a network of Certification Authorities (CA). In general, each CA serves a single national community through a network of institute-based Registration Authorities. Resources are configured to only accept credentials issued by one of the approved authorities. Since, in general, all resources install the trusted root certificates of all CAs, the user befits from an effective single sign-on across the deployed grid infrastructure.

Secure solution for authorization in VO is based on a user's membership of VO. The VO management service (VOMS) framework provides a trusted VO service which generates attribute certificates to attests the users' sub-group, role, and capabilities as registered by the VO manager in the VOMS database. Several key grid-services can process attribute certificates. VOMS provides a flexible way of expressing the VO policy, but this policy must still be provisioned to the distributed resources and then generally must still be mapped onto the resource's local user account structures.

Moreover, resources are configured to periodically download the identities of the members of the VOs and they support and map these certificate identities to local accounts for access to the resource. Mechanisms are provided in the middleware to allow resource administrators to enforce local authorization policies.

FORMAL DEFINITION OF NON-HONEST PARTICIPANTS' MALICIOUS COORDINATION OPERATIONS IN VO

In this section, we extend strand spaces model and introduce a formal definition of non-honest participants' malicious coordination operations which are necessary for parallel attack counterexample in VO. Some definitions should be given:

Firstly, we specify a set Agt of agents and a particular agent assignment A: equation image, which intuitively associates each strand equation image with the agent A(s) executing s. The motivation behind this approach is that if the same agent in reality gets authorization to execute many strands, then it should share its knowledge across all the strands it is executing. For node equation image, we abuse notion by writing A(n) as agent A(s) executing s.

We also define a partial order set equation image to represent constraints to dynamic authorization. If two strands s1 and equation image are such that equation image, then for each agent a, a can not get authorization to execute equation image and equation image concurrently. Furthermore, once equation image get authorization to execute equation image, equation image should wait for enough time (this can make sure that equation image's authorization to execute equation image and all the messages a obtains in the executing of equation image both get expired) to get authorization to execute equation image. The intuition is that a cannot share any messages obtained from equation image with equation image. The set Auth of constraints to dynamic authorization can be realized though AAI in grid.

Hence, an extended strand spaces can be defined as a tuple equation image consisting of a strand spaces equation image, a set equation image of agents, an agent assignment equation image from strands to agents and a set equation image of constraints to dynamic authorization.

A equation image represents non-honest participants' malicious coordination operations which are necessary for parallel attack counterexample in VO. Given extended strand spaces equation image, let equation imageequation imageequation imageequation imageequation imageequation imageequation imageequation imageequation image be a path of equation image, the path equation image is a full attack path if

  • 1equation image, equation image, …, equation image are in penetrator strands assigned to same agent equation image, and equation image, equation image are in strands assigned to agents different from equation image.
  • 2There exist equation image, equation image, where equation image, equation image, equation image, equation image are in regular strands and equation image = equation image, equation image, equation image, equation image = equation image, equation image.

Further, we define equation image = equation image, equation image = equation image, equation image = equation image. The intuition is that non-honest participant equation image implement attacks in equation image through forwarding in messages at equation image, operating on messages and forward out messages at equation image. Clearly, we can get proposition as follow:

Proposition

For each bundle B in extended strand spaces, if B represents a parallel attack counterexample to protocol, then there must exist full attack path in B.

ENFORCING DYNAMIC AUTHORIZATION POLICIES IN VO FOR ELIMINATING PARALLEL ATTACKS

In this section, we present a method to enforce dynamic authorization policies in VO for eliminating parallel attacks. Firstly, we introduce the separation method of extended strand spaces.

Given strand spaces equation image, for equation image, equation image, equation image, equation image = equation image + equation image if

  • 1equation image = equation image + equation image.
  • 2equation image = equation image, equation image.
  • 3equation image = equation image, equation imageequation image.

This above relationship between equation image, equation image, equation image can be shown as Figure 1.

Figure 1.

Illustration to equation image = equation image + equation image

Given original strand spaces equation image, for each regular strand equation image, which satisfies that equation image = equation image + equation image + … + equation image, we can construct new strand spaces equation image as follows:

  • iequation image; equation image; equation image;
  • iiFor each strand equation image, if equation image = equation image, then
    • aequation image;
    • bequation image.else
      • aequation image;
      • bequation image;
  • iiiFor each equation image, if equation image, then
    • aequation image;else if equation image, then
      • aequation image;else
        • aequation image

This process is called a separation of extended strand spaces equation image. The relationship between equation image and equation image can be defined as equation image, where equation image.

Then, we introduce a method to specify dynamic authorization policies for avoiding non-honest participant' malicious coordinated operations which are necessary for attack counterexample.

Clearly, if protocol can match security goal when running independently, on the other hand, protocol can be attacked when running parallel with other protocols, there must exist full attack path equation image in attack counterexample of protocol. For full attack path equation image, which satisfies that equation image, equation image, equation image, we can use the following separation process to eliminate the parallel attack corresponding to equation image.

  • 1Realize equation imageequation imageequation image, where equation imageequation image, and equation image; equation image, equation image; equation imageequation image, equation image.
  • 2Realize equation image, where equation imageequation image, and equation image; equation image, equation image; equation image = equation image, equation image.
  • 3equation image.

Above separation process to eliminate the parallel attack corresponding to full attack path equation image in attack counterexample can be noted as equation image. The relationship between equation image and equation image can be expressed as equation image.

We thus get theorem as follow.

Theorem

For protocol equation image in VO, if there exists full attack path equation image in extended strand spaces of equation image, we can eliminate the parallel attack corresponding to equation image through the separation process equation image.

We finally consider how to deploy authorization policy across multiple VOs to eliminate parallel attacks.

Due to the fact that individual institutions can join multiple VOs at the same time, there may exist role conflict among dynamic authorization policies mentioned above, which means, protocol roles need to be separated in different ways for multiple VOs. For example, VO equation image needs to join equation image and equation image concurrently. Accordingly, protocol equation image for equation image need to be done separation process in equation image according to equation image; at the same time, equation image also needs to be done separation process in equation image according to equation image. Thus, there exists role conflict between dynamic authorization policies specified through separation process equation image and equation image.

We can solve problems mentioned above through two-level dynamic authorization policy deploying scheme across multiple VOs. Firstly, the following definition is given.

Definition

equation image is a unifier of equation image, equation image, equation image …, equation image, if there exist equation image, equation imageequation imageequation imageequation image …,equation imageequation imageequation image, equation image, equation image, equation image, and equation image, …, equation imageequation imageequation image.

Definition

equation image is a most unifier of equation image, equation image …, equation image if equation image is a unifier of equation image, equation image …, equation image, and for any other unifier equation image of equation image, equation image …, equation image, there exist equation image, equation imageequation image and equation image.

The following theorem states that we can deploy two-level dynamic authorization policies across multiple VOs to eliminate parallel attacks.

Theorem

For protocol equation image in virtual organization VO, if there exist equation image, equation image, equation image, …, equation image, in higher level virtual organization VO1, VO2, …, VOn, respectively, we can deploy two level dynamic authorization policies across VO1, VO2, …, VOn to eliminate parallel attacks as follows:

  • iRealize equation imageequation image, equation image in VO, where equation image is the most unifier of equation image, equation image, …, equation image;
  • iiRealize equation image, equation imageequation imageequation image, equation imageequation image, equation imageequation imageequation image, equation imageequation image in VO1, VO2, …, VOn, respectively, and equation image, …, equation image.

The proofs of theorems above are given in Appendix. Through two-level dynamic authorization policy deploying scheme mentioned above, we can deploy authorization policies across multiple VOs to eliminate parallel attacks.

FORMAL ANALYSIS OF DIFFIE–HELLMAN MUTUAL AUTHENTICATION PROTOCOL

We then analyze and verify Diffie–Hellman mutual authentication protocol 20 in VO with extended strand spaces. On the basis of that, we eliminate parallel attack to Diffie–Hellman mutual authentication protocol through enforcing dynamic authorization policy in VO.

Diffie–Hellman mutual authentication protocol

Diffie–Hellman mutual authentication protocol allows for mutual authentication based on Gap Diffie–Hellman problem.

Firstly, we review Gap Diffie–Hellman problem 19, where all the elements belong in a group of prime order equation image: given a triple equation image, equation image, equation image, find the element equation image with the help of a Decision Diffie–Hellman Oracle (which answers whether a given quadruple is a Diffie–Hellman quadruple or not). It is currently assumed that, Gap Diffie–Hellman problem is hard to solve. Gap Diffie–Hellman problem is already believed to be yield to many secure and efficient schemes.

Then, application of Diffie–Hellman mutual authentication protocol in VO can be defined as follows:

  • iInitialization. Given group of prime order equation image, and hash function equation image. CA issues certificate for user equation image, which has public–private key pair equation image as well as a publicly known identity equation image. CA also issues certificate for user equation image, which has public–private key pair equation image as well as a publicly known identity equation image.
  • iiMutual Authentication.
    • aI, R exchange certificates.equation image select x, t at random from equation image, compute equation image, equation image. Then, equation image compute equation image with equation image's public key equation image. Further, equation image compute session key equation image, equation image. equation image sends equation image, equation image, equation image to equation image.
    • bR receives B, X, r. Then, equation image compute equation image, equation image and session key equation image. Further, equation image select equation image at random from equation image and send equation image, equation image to equation image.
    • cI receive equation image, equation image. Then, equation image decides whether equation image. If equation image, equation image compute equation image and send equation image, equation image to equation image.
    • dR receive equation image, equation image. R decides whether equation image. If equation image, equation image, then authentication succeeds.

Modeling the protocol

Firstly, we define Gap Diffie–Hellman problem as follows: equation image represents equation image, equation image represents equation image. We also define function equation image, equation image. Based on that, we define new penetrator strands as follows, where equation image, equation image, equation image, equation image are message terms:

  • iequation image.
  • iiequation image.
  • iiiequation image.
  • ivequation image.
  • vequation image.
  • viequation image.
  • viiequation image.
  • viiiequation image.
  • ixequation image.
  • xequation image.
  • xiequation image.

There are two roles in this protocol: initiator and responder. The bundle which represents a run of the protocol can be shown as Figure 2, where equation image; equation image; equation image; equation image; and equation image; equation image, equation image; equation image.

Figure 2.

Strand spaces for Diffie–Hellman mutual authentication protocol.

Moreover, for honest entity equation image, equation image and non-honest entity equation image, the bundle which represents a parallel attack can be shown as Figure 3, where equation image; equation image; equation image, equation image, equation image, equation image, equation image; equation image; and

  • equation image;

  • equation image;

  • equation image;

  • equation image;

  • equation image;

  • equation image;

  • equation image.

Figure 3.

Parallel attack counterexample for Diffie–Hellman mutual authentication protocol.

There exist full attack path equation image, equation image, equation image in attack counterexample above. For simplicity, we neglect penetrator strands in the definition of equation image, equation image, equation image. Parallel attack implemented by non-honest entity equation image is defined as follows:

  • iFirstly, equation image compute equation image with equation image's public key equation image. Then, equation image applies for certificate which has public key equation image from CA.
  • iiCA issues certificate which has public key equation image to equation image.
  • iiiequation image use equation image's identity to initiate session with equation image. Then, equation image receives equation image from equation image.
  • ivequation image use its real identity to initiate session with equation image. Then, equation image forward equation image to equation image (which is defined by equation image).
  • vequation image generates equation image and sends equation image to equation image.
  • viequation image generates equation image through replacing equation image in equation image with equation image and sends equation image to equation image (which is defined by equation image).
  • viiequation image compute equation image and sends equation image to equation image.
  • viiiequation image generates equation image through replacing equation image in equation image with equation image and sends equation image to equation image (which is defined by equation image).
  • ixequation image receives equation image. As equation image, equation image decides that for equation image, equation image = equation image, then authentication succeeds.

Hence, equation image use equation image's identity to implement authentication with equation image.

Eliminating parallel attack to protocol

As discussed above, there exists full attack path equation image in attack counterexample of Diffie–Hellman mutual authentication protocol, which satisfies that equation image, equation image, equation image. We can enforce dynamic authorization policy in VO to eliminate attack as follows:

  • iequation imageequation imageequation image, where equation image = equation imageequation image, equation image = equation image, equation image = equation image, equation image = equation image;
  • iiequation imageequation imageequation image, where equation image = equation imageequation image, equation image = equation image, equation image = equation image, equation image = equation image;
  • iiiequation image.
  • iInitialization: CA issues certificate for user equation image, which has public–private key pair equation image as well as a publicly known identity equation image. CA also issues certificate for user equation image, which has public–private key pair equation image as well as a publicly known identity equation image. Then, VOMS generate attribute certificates which attests equation image's equation image role and equation image's equation image role respectively.
  • iiMutual authentication:
    • aI, R exchange certificates.
    • bI select equation image, equation image at random from equation image, compute equation image, equation image. Then, equation image compute equation image with equation image's public key equation image. Further, equation image compute session key equation image, equation image. equation image sends equation image, equation image, equation image to equation image.
    • cR receives equation image, equation image, equation image. Then, equation image compute equation image, equation image and session key equation image. Further, equation image select equation image at random from equation image and send equation image, equation image to equation image.
    • dI receive equation image, equation image. Then, equation image decides whether equation image. If equation image, equation image compute equation image.
    • eI, equation image apply for attribute certificates to VOMS which attests equation image's equation image role and equation image's equation image role respectively. and send equation image, equation image to equation image.
    • fVOMS generates attribute certificates which attests equation image's equation image role and equation image's equation image role respectively.
    • gI, equation image exchange attribute certificate.
    • hI sends equation image, equation image to equation image.
    • iR receive equation image, equation image. R decides whether equation image. If equation image, equation image, then authentication succeeds.

VOMS specify, for each agent equation image, equation image can not get authorization to execute equation image and equation image concurrently; Further, once equation image get authorization to execute equation image, equation image should wait for enough time (this can make sure that equation image's authorization to execute equation image and all the messages equation image obtains in the executing of equation image both get expired) to get authorization to execute equation image.

For attack counterexample above, since non-honest entity equation image's authorization to execute equation image and message equation image both get expired, it is impossible for equation image to transform equation image to equation image and send equation image to equation image. Hence, parallel attack to Diffie–Hellman mutual authentication protocol can be avoided.

Performance evaluation

Figures 4 and 5 report simulation results computed with a number of origin server objects equal to 20 which are all deployed with Globus Toolkit 4.0. We have conducted two experiments, in which 51 jobs with Diffie–Hellman mutual authentication protocol are created. In the first experiment, Diffie–Hellman mutual authentication protocol is original. While in the second experiment, Diffie–Hellman mutual authentication protocol is separated to eliminate parallel attack.

Figure 4.

Number of jobs in execution on different Grid resources.

Figure 5.

Number of jobs processed on different Grid resources

The obtained results show that two experiments take almost the same time to finish the processing of all jobs using resources available at that time. Of course, the second experiments with separated Diffie–Hellman mutual authentication protocol take 3 minutes more that the first experiment during the processing of all jobs.

CONCLUSION

In this paper, we present a technique to eliminate the parallel attack to protocol in multiple VOs through enforcing dynamic authorization policies. It is based on our extension to the strand spaces model. We establish arithmetic for protocol that ensures that non-honest participants' malicious coordination operations which are necessary for parallel attack counterexample in VO can be defined. Based on that, we present one method to specify dynamic authorization policies in VO for avoiding non-honest participants' malicious coordinated operations which are necessary for attack counterexample. Further, we present two-level dynamic authorization policy deploying scheme in VO for eliminating parallel attacks.

We regard the Diffie–Hellman mutual authentication protocol as the case study, because this protocol packages many ideas that appear in the field of parallel attacks. Furthermore, this case study contributes to the results for eliminating parallel attacks through enforcing dynamic authorization policies in VO that should be useful beyond the analysis of the Diffie–Hellman mutual authentication protocol.

Ancillary