Abstract
Content services such as content filtering and transcoding adapt contents to meet system requirements, display capacities,or user preferences. Data security in such a framework is an important problem and crucial for many Web applications. In this paper,we propose an approach that addresses data integrity and confidentiality in content adaptation and caching by intermediaries. Ourapproach permits multiple intermediaries to simultaneously perform content services on different portions of the data. Our protocolsupports decentralized proxy and key management and flexible delegation of services. Our experimental results show that ourapproach is efficient and minimizes the amount of data transmitted across the network.Index Terms—Data sharing, distributed systems, integrity, security.
1 INTRODUCTION
IN order to enhance the performance of content distributionnetworks (CDNs), several approaches have beendeveloped based on the use of content management servicesprovided by intermediary proxies. In most of these approaches,content caching is the main service provided byproxies [1], [3], [15], [18]. That is, instead of asking a contentserver for contents upon each client request, a proxy firstchecks if these contents are locally cached. Only when therequested contents are not cached or out of date are thecontents transferred from the content server to the clients. Ifthere is a cache hit, the network bandwidth consumptioncan be reduced. A cache hit also reduces access latency forthe clients. System performance thus improves, especiallywhen a large amount of data is involved. Besides theseimprovements, caching makes the system robust by lettingcaching proxies provide content distribution services whenthe server is not available.With the emergence of various network appliances andheterogeneous client environments, there are other relevantnew requirements for content services by intermediaries [2],[10]. For example, content may be transformed to satisfy therequirements of a client’s security policy, device capabilities,preferences, and so forth. Therefore, several content serviceshave been identified that include but are not limited tocontent transcoding [2], [5], [10], [13], in which data istransformed from one format into another, data filtering, andvalue-added services such as watermarking [7]. Otherrelevant services are related to personalization, according towhich special-purpose proxies can tailor the contents basedon user preferences, current activities, and past accesshistory.Many studies have been carried out on intermediarycontent services [2], [5], [10], [13]; however, the problem ofdata security in these settings has not caught muchattention. Confidentiality and integrity are two mainsecurity properties that must be ensured for data in severaldistributed cooperative application domains such as collaborativee-commerce [20], distance learning, telemedicine,and e-government. Confidentiality means that data can onlybe accessed under the proper authorizations. Integritymeans that data can only be modified by authorizedsubjects. The approaches developed for securely transferringdata from a server to clients are not suitable when datais to be transformed by intermediaries. When a proxymediates data transmission, if the data is enciphered duringtransmission, security is ensured; however, it is impossiblefor intermediaries to modify the data. On the other hand,when intermediaries are allowed to modify the data, it isdifficult to enforce security.Much previous work has been done on data adaptationand content delivery. The work by Lum and Lau discussedthe trade-off between the transcoding overhead and spatialconsumption in content adaptation [16]. CoralCDN, a peerto-peer CDN, was recently presented; it combines peer-topeersystems and Web-based content delivery [11]. Chi andWu [8] proposed a Data Integrity Service Model (DISM) toenforce the integrity of data transformed by intermediaries.In such a model, integrity is enforced by using metadataexpressing modification policies specified by content owners.However, in DISM, every subject can access the data.Thus, confidentiality is not enforced. Another problem withDISM is the lack of efficiency. It does not exploit thepossible parallelism that is inherent in data relationshipsand in the access control policies. In several applicationssuch as multimedia content adaptation [2] efficiency iscrucial. In the partial and preliminary version of this paper[14], a protocol was proposed to ensure confidentiality andintegrity for XML document updates in distributed andcooperative systems. In this paper, we present a general andimproved protocol to meet the high availability requirementfor large-scale network services.
1.We describe the security and content transformationinvolved with cache proxies. We present a parallelsecure content service (PSCS) protocol for a cacheproxy and analyze the properties of intermediarieswith caching capacity.
2. We formalize the key management mechanism incooperative intermediaries. We introduce the intermediaryprofile table for the data server to storepublic keys of peer proxies (P-proxies), which areproxies authorized to perform the same type of datatransformation. Our key management does notrequire any preexisting public key infrastructure.This is possible because the public keys of proxiesare endorsed by the data server in the controlinformation. Therefore, public-key certificates arenot required in our protocol, even though theproxies do not need to know each other a priori.
3. We implement our protocol and report the experimentresults on data size, integrity check time, andservicing time, including the effect of recovery. Wealso compare and analyze the performance of ourprotocol with a centralized implementation.
4. We describe and analyze the delegation of authorizationamong cooperative intermediaries. When anintermediary is overloaded, our approach makes itpossible for the intermediary to delegate the executionof content services to another proxy withoutviolating security requirements. Our delegationmechanism is simple to implement, yet it largelyimproves the availability of proxies.In our model (see Fig. 1), we distinguish three types ofentities:1. Data Server. This is an entity that originally stores thedata requested by a client.2. Client. This is any entity that requests data from adata server. When a client submits a request, besidesthe data it requests, it may also include some contentservice requirements, arising from device limitationsand data format limitations [4]. If the client does notspecify any service requirements, a proxy thatrepresents the client may add these requirements.Such a proxy may be an edge proxy [5].3. Intermediary. This is any entity that is allowed by adata server to provide content services in response torequests by clients. Intermediaries include cachingproxies and transforming proxies.Our solution uses standard cryptographic primitives,including a collision-resistant hash function and digitalsignatures. We also design a data structure, called controlinformation, for the data server to manage proxies andauthorizations. Each participant (intermediary or client)uses control information for integrity checking and securecommunications. We present an algorithm for generatingcontrol information.The remainder of this paper is organized as follows:Section 2 introduces preliminary notions that are neededthroughout the paper. Section 3 describes the PSCSProtocol, and Section 4 presents the PSCScp protocol for acache proxy. The complexity and security analysis is givenin Section 5, and experimental results are presented inSection 6. We conclude the paper in Section 7.
2 PRELIMINARIES
In this section, we introduce the notions and terminologyused in our paper.
2.1 Content Service Functions and Privileges
Each content service belongs to a service function. Themapping from a content service to a service function is amany-to-one mapping. For example, a content service maycompress images with less precision in order to reduce theirsize, or a content service may perform media conversionsuch as from text to audio or a format change such as fromPDF to HTML. All these services belong to a transcodingfunction that changes the data from one format intoanother. We summarize the basic content service functionsthat intermediaries can perform in Fig. 2, which is anextension of [17]. We include some important classes offunctions that are related to security services, such as thefunction of virus scanning.To ensure data security, an intermediary must havecertain privileges in order to access the data. Based on aclient request, the data server decides the privileges for eachparticipating proxy. For example, if a proxy needs totranscode the data from text to audio, then it needs to havecertain privileges from the data server that authorizes thisproxy to perform this transcoding function. Based onwhether a service function needs to modify the requesteddata or not, we identify two types of privileges that allowintermediaries to perform content service functions: readand update. The read privilege allows a proxy to read andstore the data. The update privilege allows a proxy to readand modify the data, as, for example, a proxy needs to have616 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 19, NO. 5, MAY 2008Fig. 1. System architecture.Fig. 2. Functions and corresponding privileges.this privilege in order to execute a content filtering function.It subsumes the read privilege. For each content servicefunction, the corresponding privilege types are listed inFig.
2.2.2 Data Representation
We cast our approach in the framework of XML [9], [22]because of its widespread use in Web services. XML can beused to manage data, documents, graphics, and evenmultimedia data. Also, XML organizes data according tohierarchical nested structures, thus facilitating the parallelization.It organizes data into tagged elements. We definean atomic element (AE) as either an attribute or an elementincluding its starting and ending tags. A data segment is aset of elements to which the same access control policyapplies. That is, if a proxy has a read (or write) privilegeover a segment, the proxy has a read (or write) privilegeover all the elements in the segment. We enforce confidentialityby allowing a proxy to access only the segmentsthat are permitted by access control policies. We assumethat each segment is uniquely identified.Based on the above concepts, we introduce our approachto data representation as follows:Let D ¼ fae1; ae2; . . . ; aemg be the data to be transferred,consisting of a set of AEs. Each AE is identified by anidentifier. Data D are partitioned into a set of segmentsfSeg1; Seg2; . . . ; SegKg such that1. 8i 2 f1; . . .;Kg, Segi ¼ ði; faei1; aei2 ; . . . ; aeirgÞ, eachsegment consists of a segment identifier ðiÞ and of aset of AEs.2. 8i 2 f1; . . .;Kg and 8j 2 f1; . . . ; rg, ij 2 f1; 2; . . .;mg,each AE in a segment belongs to D.3. 8i 2 f1; . . .;Kg, 8k; z 2 f1; . . . ; rg, if k 6¼ z, thenik 6¼ iz, AEs within the same segment are distinct.4. 8i, k 2 f1; . . .;Kg and i 6¼ k, Segi \ Segk ¼ ;, AEswithin disjoint segments are distinct.5. For any aei 2 D, 9j 2 f1; . . .;Kg such that aei 2 Segj,if an AE aei belongs to D, then aei must belong in asegment.Properties 1, 2, and 4 ensure that there are a limited numberof segments for the data. Property 3 ensures that the size ofeach segment is minimal. Property 5 ensures that the data isincluded in the segments. These properties ensure that thedata is correctly represented by the set of segments.To enforce authenticity and integrity, we rely onstandard cryptographic primitives such as RSA public keysfor digitally signing the data. Each segment has anencrypted hash value associated with it. If a proxy has anupdate privilege over a segment, when the proxy completesupdating the segment, it generates a hash value by applyingto the segment text, which also includes the segmentidentifier, a one-way hash function and then encrypts thevalue with its private key. Fig. 3 shows an example of datasegments, which includes the result for virus scan and thedata that is scanned. Attributes delegateKey and delegateHashare defined in Section
2.3.2.3 Data Provider (DP) and P-ProxyA
DP is any entity that can provide the data requested by aclient. Thus, a DP may be either a data server or a cacheproxy caching the data requested by clients. In order toprovide content services to clients, a DP has a group ofcooperative intermediaries that can perform differentcontent services.AP-proxy is a list (size_ 1) of proxies that perform certaincontent services on the data on behalf of the DP. That is, for aDP, there may exist more than one cooperative proxy that canperform certain content services for it. Each DP maintains theinformation about the services provided by each cooperativeproxy in an intermediary profile table. The intermediaryprofile table stores the public keys and the authorizations ofproxies. Fig. 4 shows an example of such a table.Because a proxy may provide several content services, itmay appear in several different P-proxies maintained by aDP. In Fig. 4, proxy1 appears in both P-proxy1 and P-proxy4.Even though a P-proxy may group several proxies, onlyone proxy in such group performs the content serviceassociated with the P-proxy on each requested data. Forexample, suppose that proxy1 is a virus scan proxy in Pproxy1and that P-proxy1 also includes proxy2. If proxy1 isoverloaded, it can delegate to proxy2 the execution of theservice. We refer to the proxy that is initially assigned toexecute the operation on the data as the primary proxy (prim) ofthis P-proxy for the requested data. In the previous example,even though proxy2 executes the virus scan, the primaryproxy is proxy1. The purpose of P-proxies is therefore toenhance both the availability and the efficiency of the system.When a primary proxy p delegates the execution of thecontent services to another proxy q, where p and q belong tothe same P-proxy, attributes delegateKey and delegateHashare required, where delegateKey is q’s public key, anddelegateHash is the digital signature of q signed with itsprivate key on the digest of processed content. Note thatq’s public key is endorsed by p in p’s signature.2.4 Access Control SystemEach DP has its own security policy related to its data. Theaccess control system of each DP (Fig. 5) enforces whichproxies and clients can access which data.The inputs to the access control system include a client’srequest, the security policy and the intermediary profiletable by the DP, and the data store. The access controlsystem can return three possible access decisions:
1. Deny. This indicates that the DP does not have thedata requested by the client, the client is not allowedto access the data according to the DP’s policy, or nointermediaries in the DP’s intermediary profile
.2. Empty path. This indicates that the client’s request canbe satisfied without any intermediary’s involvement.
3. Path with ACIS. This indicates that the client’srequest can be satisfied with the involvement ofthe P-proxies listed in the returned path. ACISdenotes access control information structure, whichspecifies the privileges over the data for each Pproxyin the path.We now provide details concerning paths and ACIS.A path denotes a content service path and explicitlydefines the order according to which each P-proxy has toreceive the data. That is, a path is a list of P-proxies. LetP ¼ hP-proxy0; P-proxy1; P-proxy2; . . . ; P-proxyðNþ1Þi be apath such that1. P-proxy0 is the DP and P-proxyðNþ1Þ is the client.2. P-proxyi ði 2 f1; . . .;NgÞ corresponds to a contentservice requested by the client.3. If proxy p 2 P-proxyi ði 2 f1; . . .;NgÞ, then p 2 PT,where PT is the P-proxy in the DP’s intermediaryprofile table that performs the same content serviceas P-proxyi. This requirement ensures that onlyproxies in the intermediary profile table are allowedto perform content services on the requested data.4. If proxy p 2 PT and p is allowed by the DP’s securitypolicy to perform that content service on the data,then p 2 P-proxyi.This requirement ensures that each P-proxy in Pathincludes all proxies that can perform that content serviceand also satisfy the security policy over the requested data.Example 1. Suppose the following operations are to beperformed on the requested data: virus scanning, logoadding, and audio-to-text conversion. The DP has anintermediary profile table asin Fig. 4,andits security policyallows these intermediaries to perform content services.The following content service path can be derived:hP-proxy0; P-proxy3; P-proxy2; P-proxy1, P-proxy4i whichis illustrated in Fig. 6.Aswill be described in Section 3.1.2, aproxy (or client) is responsible for the integrity checking ofthe proceeding data transformation. Therefore, in Fig. 6, acheating Proxy4 or Proxy5 will be detected and correctedby Proxy3. Note that for audio-to-text conversion, amalicious proxy may insert arbitrary text into the data.Because of the nature of the operation, it is very difficult forthe next proxy (or the client) to determine whether theconversion is done honestly orsomearbitrary text has beenattached. Thedefense against such attack is out of the scopeof this paper and remains an interesting open question.The requirements for the content service path are that thepath should obey the same segment update-update orderand update-read order. That is, if a segment is updated bycontent services i and j, the order of i and j is important.For example, in the previous example (Fig. 6), if segmentseg is updated by both logo adding and audio-to-textconversion, then only after audio-to-text conversion can thelogo be added to the segment. Thus, the content servicedealing with text conversion must be placed before logoadding. Also, as the virus scan needs to read this segment,the virus scan must be placed after the logo-adding service.Any content service path that satisfies the security policyand these order requirements can be used in our approach.The presence of more than one content service path for arequest will not affect the control information (Section 2.5)generated for each P-proxy and the client.Next, we explain the properties of ACIS. Let K be thetotal number of segments in the requested data. Let ACIS ¼har0; . . . ; arN; arðNþ1Þi be the access control informationstructure such that1. ari ¼ ðreadSet; updateSetÞ, where i 2 ½1;N_; accesssegments for P-proxyi in Path are split into read andupdate segment sets.2. readSet _ f1; . . .;Kg, updateSet _ f1; . . .;Kg; thereadSet (or updateSet) is a subset of the entiresegments.3. readSet \ updateSet ¼ ;; if a segment is only readablefor a P-proxy, then it cannot be in the updateSetof this P-proxy. If a segment is updatable for a Pproxy,then readability is implied, and there is noneed to include the segment in the readSet.4. updateSet [ readSet _ f1; . . .;Kg; the union of thesets is a subset of the entire segments.For example, ar0 is the access information for the DP.Thus, ar0:readSet ¼ ;, and ar0:updateSet ¼ f1; . . .;Kg.arðNþ1Þ is the access information for the client. Thus,
Download full report
http://people.cs.vt.edu/danfeng/papers/TPDS-08-Yao.pdf
qlserver
