A Collaborative Trust Enhanced Security Model for Distributed System Services

Aruna Kumari, Shakti Mishra, D.S. Kushwaha
CSED, MNNIT Allahabad, U.P., India
{[email protected], [email protected], [email protected]}

Abstract— When the absolute aim is to achieve secure cooperative working, trust is the basic requirement. It convinces observers that the system is correct and secure with respect to its users, its data and the way information is invoked. Trust has to be considered at several levels, such as authentication and authorization, together with suitable trust policies. Apart from this, for the smooth functioning of the system, the records of, and access to, the resources of the distributed system must be maintained and controlled. The unlimited lifetime of users in a distributed system is another issue that must be controlled. To address these issues, we propose a distributed system in which all nodes are trustworthy, and which considers trust for joining the network and for authentication and authorization. Trust for authentication and authorization further includes trust for accessing the resources of the network.

Keywords—Service level agreement, Agent System, Kerberos, trust level
I. INTRODUCTION AND RELATED WORK

In a distributed system, trust is required to convince observers that the system is correct and secure. Several researchers have worked on trust in distributed systems, each with a different perception; for example, the authors of [3] describe trust as the security of utility. Malicious manipulation in a distributed system includes all unauthorized activities of a user. It has been observed that new nodes joining the distributed system are mostly insecure. Here, trust helps in establishing a secure distributed system in which all participating users are trustworthy. The term trustworthiness is defined by the authors of [6] as a holistic property, encompassing security. To establish a secure and trustworthy distributed system, certain authentication and authorization semantics must be considered. It has also been noticed that trusted users, once authenticated in a distributed network, are often authorized to access resources without limit. The question of how and where to embed trust in a distributed system, so that only its trustworthy users can access the resources of the network, therefore becomes an important concern. To solve this problem, stronger authentication methods based on cryptography are required. Kerberos is the most commonly used technique for this type of authentication [10]. Kerberos [2, 3, 5] is a network authentication protocol that allows a user to authenticate once and then connect to application servers within the Kerberos realm without authenticating again for a period of time. The authors of [7] define trusted intermediaries as the systems that authenticate clients and servers. A model to establish trust relationships across heterogeneous domains has been proposed in [1]; it adopts PKI and Kerberos as the authentication and authorization protocols for maintaining security. From a survey of the work carried out by different researchers, we find that some issues still need to be resolved: handling users with their dynamic nature of joining and leaving the distributed system; minimizing the overhead of maintaining a large database at the various trusted intermediaries to store the information, certificates and keys of clients; and the basic requirements for a client to join a distributed network. We have made an effort to handle these issues using a collaborative trust approach that also focuses on building a system in which all users are trustworthy under the realm of a few trustworthy systems. The rest of this paper is organized as follows. Section 2 gives an overview of the proposed approach. Section 3 introduces the components of the proposed model and describes its design. The results and conclusion are given in sections 4 and 5, respectively.

978-1-4244-xxxx-x/09/$25.00 ©2009 IEEE

II. PROPOSED APPROACH
In our proposed approach, to build a trustworthy distributed system, the centralized entities are assumed to be trustworthy. To be a part of the distributed network, every new user (client/server) has to register itself first. Successful registration ensures that the client can then request the services provided by servers of the same distributed network. To access any resource, a client has to authenticate its identity and be authorized as a valid user. To authenticate and authorize users, the Key Distribution Center (KDC) of Kerberos is used in the proposed approach. The server creates a service and publishes its interface and access information to the service registry maintained by a system which is known to clients. The reference of the respective server is provided to clients on request. These services are provided to the client after it makes a payment to the server, so the client has to supply sufficient payment information, such as the mode of payment.

ACT09

III. PROPOSED MODEL

A. Components of proposed model

The proposed model contains mainly four components, as shown in figure 1:
• Coordinators
• KDC
• Server
• Client

The coordinator system and the KDC (Key Distribution Center) are necessarily trustworthy systems that work as the nerve of the distributed system. Both are considered reliable controller systems around which all the activities of the system take place.

Fig. 1 describes the connections among the different components of the proposed model. There is mutual communication between the coordinators and the KDC, indicated by a dotted line. A description of these components and their roles in the collaborative trust model is given below:

Figure 1. Components of proposed model

1) Coordinators: The role of the coordinators is to keep information about all the nodes, resources and services of the distributed system, as required. The coordinators comprise two sub-components – Superhost and Agent. Superhost is the only system that has a list of all the clients and servers of the distributed system. It acts as the central controller system. It investigates clients about their trustworthiness, maintains records of clients and servers, monitors the lifetime of clients and servers, and provides the references of the other components to users whenever required.

In order to identify a malicious client, Superhost keeps track of each client's location and regulates its uncontrolled behaviour. For this, the location of a user in the distributed network is traced using its IP (Internet Protocol) address and subnet id. Users learn the location of the controllers (Coordinators and KDC) whenever required. The workflow involving the different entities is elaborated in the next subsection.

Agent gathers information about the system by interacting with users according to their requirements. Its major responsibilities include managing the registry of services provided by servers and by Agent itself in the distributed system, monitoring client behaviour, and handling client requests for server references for particular services.

2) KDC: The KDC (Key Distribution Center) is a part of Kerberos, a network authentication protocol. It is a collective name for two systems – the Authentication Server (AS) and the Ticket-Granting Server (TGS). The KDC is responsible for authenticating and authorizing the client when it requires a service.

3) Client: A client is every new node registered with Superhost to access the services and resources of the distributed system, and it is the entity on which the trust measurements are focused. Each client has a unique client id.

4) Server: Every server of the system is also a client, with some additional features such as the ability to provide services and resources to the clients of the distributed system. To become a server, a client has to go through the server registration phase and obtain a server id from Superhost. A server can also behave like any other client of the distributed system when required.

B. Implementation of proposed approach

During the registration process every client requests Superhost to join the network. Superhost performs the registration of clients and servers using the capability list and the service level agreement, respectively.

In our proposed model, the Service Level Agreement (SLA) includes the basic services and resources that the server can provide, the duration for which the services will be available, the number of clients that the server can serve simultaneously, specific performance benchmarks against which actual performance will be periodically compared, and the response time. The right to access the services of the distributed network is granted to clients using the capability list.

During the registration phase, trust is maintained by recommendation in terms of the history of the user; the initial trust level assigned by Superhost to a new user is also considered. Three trust levels are considered – initial, intermediate and higher. Before obtaining the references of servers for some service, the client needs to authenticate and authorize itself through AS and TGS. The results of this process, the TGT and the SGT, deliver proof of the client's authentication and authorization, respectively. Both show that the client is authorized to access the service for the prescribed time period mentioned in the SGT. The SGT is then forwarded by the client to Agent. The mutual communication between these entities involves secret keys and tickets with adequate encryption-decryption algorithms. While providing the client with the list of services and the addresses of servers for the requested services, Agent verifies the client's identity and existence with Superhost.

1) Registration of new user: Fig. 2 describes the workflow when a request comes to Superhost. This request may be for a new registration or from an existing user.
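As an added illustration, not part of the paper, the following Python sketch shows the Superhost-side bookkeeping that the Fig. 2 cases rely on: the duplicate-IP check and capability list of a new registration (Case 1), the SLA-based upgrade of a client to server and the reverse degradation (Case 2), the lookup that AS later performs for password, registered IP and trust level, the periodic lifetime check, and movement between the three trust levels. The record layout, the lifetime value, the /24 subnet id and the rule for promoting a user from one trust level to the next are assumptions made for the example.

```python
"""Added example: a Superhost registry for the registration workflow of Fig. 2.
Not the paper's code; the data model, LIFETIME, PROMOTE_AFTER and the /24
subnet id are assumptions."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional

TRUST_LEVELS = ("initial", "intermediate", "higher")   # the three levels of the paper
LIFETIME = 3600          # seconds a user stays registered without activity (assumed)
PROMOTE_AFTER = 5        # good interactions per trust level before promotion (assumed)


@dataclass
class User:
    user_id: str
    ip: str
    subnet: str
    password: str              # the paper has Superhost hand this to AS in m3
    capability_list: dict      # resources, processor speed, availability, services
    trust_level: str = "initial"
    good_history: int = 0
    expires_at: float = 0.0
    server_id: Optional[str] = None
    sla: Optional[dict] = None


class Superhost:
    def __init__(self):
        self.users: dict = {}      # user_id -> User
        self.by_ip: dict = {}      # registered IP -> user_id (duplicate-IP check)

    # Case 1: New_Registration
    def register(self, ip, password, capability_list, now):
        ipaddress.ip_address(ip)   # malformed address: reject before touching records
        if ip in self.by_ip:       # existing record with the same IP: discard the request
            raise ValueError(f"registration discarded: {ip} is already registered")
        for key in ("resources", "processor_speed", "availability", "services"):
            if key not in capability_list:
                raise ValueError(f"capability list lacks {key}")
        subnet = str(ipaddress.ip_network(f"{ip}/24", strict=False))  # subnet id (assumed /24)
        user = User(user_id="C-" + secrets.token_hex(4), ip=ip, subnet=subnet,
                    password=password, capability_list=dict(capability_list),
                    expires_at=now + LIFETIME)
        self.users[user.user_id] = user
        self.by_ip[ip] = user.user_id
        return user.user_id

    # Case 2: an existing client asks to become a server by filling in the SLA
    def upgrade_to_server(self, user_id, sla, now):
        user = self._active(user_id, now)
        for key in ("services", "duration", "max_clients", "benchmarks", "response_time"):
            if key not in sla:
                raise ValueError(f"SLA lacks {key}")
        user.sla = dict(sla)
        user.server_id = "S-" + secrets.token_hex(4)
        return user.server_id

    # Case 2: a server asks to be degraded to client level
    def degrade_to_client(self, user_id, now):
        user = self._active(user_id, now)
        user.server_id, user.sla = None, None

    def deregister(self, user_id):
        user = self.users.pop(user_id)
        del self.by_ip[user.ip]

    # lookup performed for AS (message m3): password, registered IP, trust level
    def verify_for_as(self, user_id, now):
        user = self._active(user_id, now)
        return user.password, user.ip, user.trust_level

    # continuous involvement is an implicit request to extend the lifetime;
    # the history of good behaviour is the recommendation that raises the trust level
    def touch(self, user_id, now, good_behaviour=True):
        user = self._active(user_id, now)
        user.expires_at = now + LIFETIME
        if good_behaviour:
            user.good_history += 1
            idx = TRUST_LEVELS.index(user.trust_level)
            if idx + 1 < len(TRUST_LEVELS) and user.good_history >= PROMOTE_AFTER * (idx + 1):
                user.trust_level = TRUST_LEVELS[idx + 1]
        else:                      # misbehaviour resets the recommendation (assumed rule)
            user.trust_level, user.good_history = "initial", 0

    # periodic lifetime check: drop users whose lifetime has lapsed
    def expire(self, now):
        stale = [uid for uid, u in self.users.items() if u.expires_at <= now]
        for uid in stale:
            self.deregister(uid)
        return stale

    def _active(self, user_id, now):
        user = self.users.get(user_id)
        if user is None or user.expires_at <= now:
            raise KeyError(f"{user_id} is not an active user")
        return user
```

The registry keys its duplicate check on the registered IP rather than on the client id, because at Case 1 time the client has no id yet; `touch` is what an AS lookup, an Agent request or a service registration would call so that lifetime extension follows activity, as the paper describes.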
As shown in fig. 2, the client contacts Superhost either as a new user (before joining the distributed network) or as an existing user. On receiving the request, Superhost determines the identity of the user and behaves accordingly. According to the different types of request, the workflow is described below in different cases.

a) Case 1: Request from new user (client)

If Superhost finds that the user is new and the request is for registration, it calls the New_Registration procedure to register this new user. During this process, Superhost checks for the IP address of the new user in its records; if it finds an existing record with the same IP address, it discards the request with a suitable message, otherwise it continues. It presents the registration agreement to the client and obtains the capability list. Here, the capability list includes the resources that the client provides, the speed of its processor, its time of availability and the services available at the client. All the data accepted from the client and the generated client ID are recorded in the database for later retrieval. After this successful registration, Superhost displays a list of services to the client as a result.

b) Case 2: Request from an existing user

The existing user may be either a client or a server.

Request from an existing client: If Superhost identifies that the request is from an existing client, it supplies a list of services to the client, which primarily includes all the services offered to a new client; a request to upgrade the client to server level by filling in the service level agreement; an explicit request to deregister the client from this distributed system; queries to retrieve passwords and IDs; and a request for the Authentication Server.

Request from an existing server: The request from an existing server to Superhost includes a request for the Agent reference; a request to leave the network; and a request to degrade the server level to client level, an indication that this server can now behave like a client only.

Figure 2. Workflow for registration of new user

Continuous involvement of a client or server with Superhost makes an implicit request to increase its lifetime. This consideration of user lifetime is performed periodically.

2) Registration of New Service: The workflow shown in fig. 3 is used whenever a server has some services and wants to publish them. Registration of a new service involves three entities - Superhost, Agent and Server.

Figure 3. Workflow for service registration

3) Obtaining TGT from Authentication Server: To authenticate the identity of the client and to authorize the client, two steps are taken. The first is to obtain a TGT from AS (Authentication Server) and the second is to obtain an SGT from TGS. The workflow shown in fig. 4 is used to get the TGT from AS.

Figure 4. Workflow for obtaining TGT

On receiving a request from the client, Authentication Server contacts Superhost to verify the existence of the client in the distributed network. Superhost supplies the client's password, its registered Internet Protocol (IP) address and the value of its trust level, which were stored in the database of Superhost at the time of registration. AS compares the registered IP address with the IP address extracted from the client's request for authentication; if both match, AS generates two unique keys, Kc and Kc,tgs. Kc is the key generated from the client password and is used to encrypt the messages transmitted by AS to the client. Kc,tgs is the key shared between the client and TGS. AS also generates a unique ticket, known as the TGT, for TGS and encrypts it with Kc,tgs. This ticket is delivered by the client to TGS as proof that it is an authentic client and is now authorized to obtain the SGT. All this information [Kc,tgs, TGT, etc.] is encrypted using Kc and transmitted to the client. At the client, this message is decrypted after generating the key Kc. Kc,tgs and the ticket are stored in a file so that, during the lifetime of the ticket, the client can contact TGS later.

There is mutual communication between AS and TGS. When AS generates a ticket, it encrypts it using Ktgs, a key shared between AS and TGS. This key is transmitted to TGS only when it is updated, using the previous Ktgs for encryption and decryption.
4) Obtaining SGT from TGS: To authorize the client for access to a service, the client contacts TGS to obtain a service-granting ticket (SGT), as shown in fig. 5. The client's request to TGS for the SGT includes two parts:
• TicketTGT, which has been obtained from TGS, and
• An "authenticator" message generated by the client and encrypted using Kc,tgs.

The "authenticator" message contains the client_ID, the IP address of the client and a timestamp. It is used to validate TicketTGT. On receiving this request, TGS decrypts the "authenticator" message and the ticket using Kc,tgs and Ktgs, respectively.

After decrypting the TGT, TGS obtains Kc,tgs and decrypts the "authenticator" message. It verifies the client with the help of the "authenticator", generates a unique SGT encrypted using Ka, and generates a unique key Kc,a to be shared between Agent and client for encrypting and decrypting the messages of their communication. Finally, TGS transmits the SGT and Kc,a to the client. Ka is the key of Agent and is also shared with TGS.

At the client, the message is decrypted with Kc,tgs. The retrieved SGT and Kc,a are stored in a file. This SGT indicates that the client is authorized to obtain services during the lifetime of the SGT. To obtain a list of services and a list of servers for some particular service, the client creates another authenticator for Agent, encrypts the SGT and the authenticator using Kc,a and delivers them to Agent.

Figure 5. Workflow for obtaining SGT

5) List of servers from Agent: Fig. 6 describes the workflow by which a client obtains a list of servers from Agent. The process of accessing a service has two steps: producing the list of services that the client is authorized to access, and producing the references of the servers for the corresponding service. A detailed description of this workflow is given below.

Figure 6. Workflow for obtaining a list of servers from Agent

Step 1: Producing the list of services for the client. After obtaining the SGT, the client sends Agent a request containing the authenticator and the SGT, which Agent decrypts using Kc,a and Ka, respectively.

Step 2: Producing the list of servers for the client. The same server can service many clients' requests. Accordingly, Agent provides the references of the corresponding servers to the client in encrypted form. The client can then contact the server, using the references provided by Agent, to make the final request for the corresponding service.

If Agent does not find any server, it may assume the role of server itself if it has that service. The messages exchanged between Agent and the client are encrypted using the key Kc,a.

Figure 7. Workflow for accessing service

During this process, Agent maintains a client log to record the behaviour of the client when it requests services.

IV. RESULTS

We have used the principles of Kerberos, a network authentication protocol that includes the Authentication Server (AS) and the Ticket-Granting Server (TGS) as parts of the Key Distribution Center (KDC). The complete Kerberos authentication protocol also covers the client and server.
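The ticket flow of Sections III.B.3 to III.B.5 (AS issues the TGT after checking the client's IP with Superhost, TGS validates the authenticator against the TGT and issues the SGT under Ka, Agent validates the SGT and returns an encrypted server list, logging the request) is carried through below as an added, runnable example; it is not the paper's implementation. It follows the Fig. 5 description in which the TGT is encrypted under Ktgs, the key shared between AS and TGS, so that TGS can open it. The cipher is a stand-in built from HMAC-SHA256 so that the file runs on the standard library alone; the Superhost records, the Agent's service registry, the ticket lifetime, the clock-skew bound and the key sizes are constructed assumptions.

```python
"""Added example (not the paper's code): the AS -> TGS -> Agent ticket flow of
Sections III.B.3-5 with the checks each party makes. seal/open_ are a stand-in
for a real authenticated cipher; lifetimes, skew and all sample data are assumed."""
import hashlib, hmac, json, os

# --- toy authenticated encryption: HMAC-SHA256 keystream plus an HMAC tag ---
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")          # wrong key or tampered message
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

TICKET_LIFE, SKEW = 600, 60                    # seconds (assumed)
K_TGS, K_A = os.urandom(32), os.urandom(32)    # Ktgs shared AS<->TGS, Ka shared TGS<->Agent

def kc_from_password(client_id, password):     # Kc is derived from the client password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), client_id.encode(), 100_000)

# Constructed Superhost records: client_id -> (password, registered IP, trust level)
SUPERHOST = {"C-1a2b": ("pw-secret", "10.0.0.5", "intermediate")}

def as_issue_tgt(client_id, src_ip, now):                 # messages m1..m4
    password, reg_ip, trust = SUPERHOST[client_id]        # m2/m3: existence check at Superhost
    if src_ip != reg_ip:
        raise PermissionError("source IP does not match registered IP")
    kc_tgs = os.urandom(32)
    tgt = seal(K_TGS, {"cid": client_id, "ip": reg_ip, "kc_tgs": kc_tgs.hex(),
                       "trust": trust, "exp": now + TICKET_LIFE})
    return seal(kc_from_password(client_id, password),    # m4, readable only with Kc
                {"kc_tgs": kc_tgs.hex(), "tgt": tgt.hex()})

def authenticator(key, client_id, ip, now):               # client_ID, IP and timestamp
    return seal(key, {"cid": client_id, "ip": ip, "ts": now})

def check_auth(key, auth_blob, ticket, now):   # authenticator must match the ticket and be fresh
    a = open_(key, auth_blob)
    if a["cid"] != ticket["cid"] or a["ip"] != ticket["ip"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - a["ts"]) > SKEW:
        raise PermissionError("stale authenticator")
    if now > ticket["exp"]:
        raise PermissionError("ticket expired")

def tgs_issue_sgt(tgt_blob, auth_blob, now):              # messages m5, m6
    tgt = open_(K_TGS, tgt_blob)                          # TGT opened with Ktgs
    kc_tgs = bytes.fromhex(tgt["kc_tgs"])
    check_auth(kc_tgs, auth_blob, tgt, now)               # authenticator opened with Kc,tgs
    kc_a = os.urandom(32)
    sgt = seal(K_A, {"cid": tgt["cid"], "ip": tgt["ip"], "kc_a": kc_a.hex(),
                     "trust": tgt["trust"], "exp": now + TICKET_LIFE})
    return seal(kc_tgs, {"kc_a": kc_a.hex(), "sgt": sgt.hex()})

SERVICE_REGISTRY = {"backup": ["S-77aa@10.0.0.9"], "print": []}  # constructed Agent registry
AGENT_SERVICES = {"print"}     # services Agent can provide itself when no server is found
CLIENT_LOG = []                # Agent's log of client behaviour

def agent_list_servers(sgt_blob, auth_blob, service, now):  # messages m7..m10
    sgt = open_(K_A, sgt_blob)                            # SGT opened with Ka
    kc_a = bytes.fromhex(sgt["kc_a"])
    check_auth(kc_a, auth_blob, sgt, now)                 # authenticator opened with Kc,a
    if sgt["cid"] not in SUPERHOST:                       # Agent re-checks existence with Superhost
        raise PermissionError("unknown client")
    CLIENT_LOG.append((now, sgt["cid"], service))
    servers = SERVICE_REGISTRY.get(service, [])
    if not servers and service in AGENT_SERVICES:
        servers = ["AGENT-SELF"]                          # Agent assumes the server role
    return seal(kc_a, {"service": service, "servers": servers})

def client_session(client_id, password, ip, service, now):
    kc = kc_from_password(client_id, password)
    m4 = open_(kc, as_issue_tgt(client_id, ip, now))
    kc_tgs, tgt = bytes.fromhex(m4["kc_tgs"]), bytes.fromhex(m4["tgt"])
    m6 = open_(kc_tgs, tgs_issue_sgt(tgt, authenticator(kc_tgs, client_id, ip, now), now))
    kc_a, sgt = bytes.fromhex(m6["kc_a"]), bytes.fromhex(m6["sgt"])
    reply = agent_list_servers(sgt, authenticator(kc_a, client_id, ip, now), service, now)
    return open_(kc_a, reply)["servers"]
```

Each party only ever opens the layer it holds a key for: the client never sees Ktgs or Ka, TGS never sees Kc, and a wrong password shows up as a failed tag on m4 rather than as a distinguishable error, while a mismatched source IP is refused by AS before any key material is generated.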
In our model, the messages involved in authentication and authorization are developed with the same functionality as in Kerberos. As described in fig. 8, the complete client authentication process involves 4 messages (m1, m2, m3 and m4). In its first message (m1), the client requests AS for authentication; AS then contacts Superhost (m2) to verify the client and obtains the client's password, IP address and trust level (m3); the result of this process is the TGT assigned by AS to the client (m4). To obtain the SGT and authorize the client, 2 messages are used in our model, m5 and m6: the client makes a new request to TGS with the TGT (obtained in message m4) and an additional message, the authenticator. In our architecture, after obtaining the SGT (m6), the client requests Agent, instead of the server, for the list of services for which it is authorized and the list of servers for a service, using messages m7, m8, m9 and m10. Messages m11 and m12 are used by the client to access the service from the server.

Figure 8. Messages used in Proposed Model

Although our model uses 6 more messages than Kerberos, it works efficiently and gives good strength to our architecture. The tickets used in Kerberos prove identity and authorize actions or access, but how many resources are available to a client is not decided. This issue is handled in the proposed system using Superhost (SH) and Agent. The proposed system uses unique IDs for clients, servers and services, which makes it better than other systems. This is achieved by considering the IP addresses of users.

V. CONCLUSION AND FUTURE WORK

In this paper, we have made an attempt to implement trust policies for securing services through a collaborative trust enhanced security model for distributed systems. We have also implemented mutual authentication and authorization semantics for handling churn in distributed systems using the Kerberos protocol.

Our system uses different modules to distribute the workload, which helps in improving the overall performance of the distributed system. Superhost maintains a registry of all the users of the network with the help of the service level agreement and the capability list, and regulates the lifetime of users, which significantly reduces the burden on the KDC (keeping track of nodes). Agent maintains the service registries, analyses the behaviour of clients using a trust level, and keeps information about the load status of the servers. We have proved that the use of these modules dramatically helps in achieving the scalability of the distributed system. The comparison of our system with Kerberos shows that we have established a 3-level trust hierarchy for securing services and reduced the Kerberos authentication database with comparable message exchange. The proposed approach has been implemented on a small LAN, and we look forward to implementing the same model on a LAN of heterogeneous systems.

REFERENCES

[1] Ping Liu, Rui Zong and Sizuo Liu, "A new model for Authentication and Authorization across Heterogeneous Trust-Domain", in International Conference on Computer and Software Engineering, 2008.
[2] Phillip L. Hellewell, Timothy W. van der Horst and Kent E. Seamons, "Extensible Pre-authentication in Kerberos", in Annual Computer Security Applications Conference, 2007.
[3] Ching Lin and Vijay Varadharajan, "Trust based risk management for distributed system security - a new approach", in Proceedings of the First International Conference on Availability, Reliability and Security, 2006.
[4] C. Neuman, T. Yu, S. Hartman and K. Raeburn, RFC 4120: The Kerberos Network Authentication Service (V5), July 2005.
[5] Wen Tei-hua, Gu Shi-wem, "An improved method of enhancing Kerberos protocol security", Journal of China Institute of Communications, Vol. 25, No. 6, June 2004, pp. 76-79.
[6] Fred B. Schneider, Steven M. Bellovin and Alan S. Inouye, "Building trustworthy systems: Lessons from the PTN and Internet", IEEE Internet Computing, November-December 1999.
[7] Marvin A. Sirbu and John Chung-I Chuang, "Distributed authentication in Kerberos using public key cryptography", in Proceedings of the 1997 Symposium on Network and Distributed System Security (SNDSS), p. 134, 1997.
[8] B. Clifford Neuman and Theodore Ts'o, "Kerberos: an authentication service for computer networks", IEEE Communications Magazine, 1994.
[9] C. Neuman, RFC 1510: The Kerberos Network Authentication Service (V5), 1993.
[10] Aruna Kumari, Shakti Mishra, D.S. Kushwaha, "A New Collaborative Trust Enhanced Security Model for Distributed System", International Journal of Computer Applications, vol. 1(26), 2010.
[11] Peter C. Chapin, Christian Skalka and X. Sean Wang, "Authorization in trust management: features and foundations", ACM Computing Surveys, August 2008.
[12] Tomoya Enokido and Makoto Takizawa, "Role based access control in Distributed Object Systems", in International Conference on Distributed Computing Systems Workshops, 2008.
[13] Serhiy Skakun and Nataliya Kussul, "An Agent approach for providing security in distributed systems", TCSET'2006.
[14] Wen Tei-hua, Gu Shi-wem, "An improved method of enhancing Kerberos protocol security", Journal of China Institute of Communications, Vol. 25, No. 6, June 2004, pp. 76-79.
[15] Matt Blaze, Joan Feigenbaum, John Ioannidis and Angelos D. Keromytis, "The role of trust management in distributed systems security", in Secure Internet Programming: Security Issues for Mobile and Distributed Objects, J. Vitek and C. D. Jensen, Eds., Lecture Notes in Computer Science, Springer-Verlag, London, pp. 185-21, 2001.