Authors:
(1) Moritz Jasper, Barkhausen Institut gGmbH, Würzburger Straße 46, Dresden, Germany (moritz.jasperl@barkhauseninstitut.org);
(2) Stefan Köpsell, Barkhausen Institut gGmbH, Würzburger Straße 46, Dresden, Germany (stefan.koepsell@barkhauseninstitut.org).
Attacker Model and Security Goals
A. Publish/Subscribe Systems
Typically, a distinction is made between topic-based and content-based Publish/Subscribe systems [1]. In a topic-based system, subscribers can subscribe to one or multiple topics. Messages in such a system are associated with a specific topic, and receivers will only receive messages on topics they are interested in. In a content-based system, subscribers can instead express constraints on the contents of messages directly.
Furthermore, Publish/Subscribe systems usually adopt either a brokered or brokerless architecture. Brokered systems like the widely used Message Queue Telemetry Transport (MQTT) [4] use a central message broker to transmit messages between the publishers and subscribers. This allows fine-grained control over message distribution since brokers can route messages based on the constraints of the subscribers (whether they are content- or topic-based).
Brokerless Publish/Subscribe systems distribute messages directly from publishers to subscribers in a peer-to-peer fashion, which can improve latency and throughput while reducing the configuration required to deploy entities. Additionally, the decentralised nature of such systems avoids a single point of failure. Examples of such systems include the Data Distribution Service (DDS) [5] and LCM, both of which can use UDP over IP multicast [6] for message delivery to achieve high throughput and low latency in scalable systems.
B. Security in Publish/Subscribe Systems
Most work that proposes security solutions for Publish/Subscribe systems focuses on brokered Publish/Subscribe architectures. For instance, Onica et al. [7] give a list of requirements for privacy-preserving Publish/Subscribe systems, but consider only systems which use a broker. Bernard et al. [8] proposed a general, conceptual framework for peer-to-peer data exchange that can also be used with existing Publish/Subscribe systems, although brokers are used in this scenario. Malina et al. [9] proposed a security framework for MQTT, which uses brokers. Ion et al. [10] and Hamad et al. [11] described systems in which brokers are employed but not trusted. Similarly, Dahlmanns et al. propose ENTRUST [12], achieving end-to-end security over any existing brokered Publish/Subscribe system without trusting those brokers.
ZeroMQ [13] can be used to implement brokerless Publish/Subscribe messaging; however, there are no security extensions for it that support this use-case. CurveZMQ [14], while similar in name, is quite different and does not actually provide security for Publish/Subscribe systems, but end-to-end security between a client and a server. While CurveZMQ can be used to secure Publish/Subscribe by being embedded in the transport layer, this is only possible when client and server are a single hop apart.
The Data Distribution Service (DDS), however, is quite comparable to LCM with regard to their respective use-cases. DDS supports the brokerless Publish/Subscribe paradigm in a peer-to-peer fashion, that is, without using a message broker; however, it works slightly differently from LCM. Instead of simply broadcasting messages to a preconfigured multicast group, DDS features a discovery protocol that allows publishers to discover the set of appropriate subscribers. Subsequently, messages are routed only to these subscribers.
DDS also features a security extension [15] that provides authenticated encryption on a per-message basis. However, a handshake and key agreement is performed separately between each publisher and each subscriber to a topic (as discovered by the discovery protocol) [16]. This may lead to scalability issues during the discovery phase in the case of large numbers of publishers or subscribers to the same topic. The high degree of flexibility and the many ways to configure the DDS middleware can lead to misconfiguration, a problem which is also mentioned in [16]. Additionally, there are scalability issues at runtime. Authentication of messages is achieved by using a separate Message Authentication Code for each receiver [15] which, in the case of many subscribers, leads either to a large per-message overhead (one tag per receiver) or to separate messages for each receiver, moving away from the multicast paradigm.
These scalability issues are inherent to the problem of authenticating messages in a multicast setting in which digital signatures are not desired due to their poor performance characteristics. While a number of theoretical solutions are discussed in the literature [3], we bypass this problem entirely. By defining a trusted group of legitimate publishers and subscribers that share a common symmetric, ephemeral key, we propose a protocol in which an authentic message is understood to be a message originating from any member of this group, not necessarily a specific one. In order to generate this shared key while avoiding a scenario in which a total of N · M expensive pairwise key agreements need to be carried out (in the case of N publishers and M subscribers), we use the Dutta-Barua group key agreement (DBGKA) [17], an authenticated group key agreement protocol that supports dynamic joining and leaving of users. Furthermore, we implement a discovery protocol, inspired by the Raft consensus algorithm [18], that forms consensus about the state of the trusted group in order to drive the DBGKA protocol.
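As an added illustration of the group-key idea described above (example code written for this page, not the paper's implementation), the following Python script runs the two-round Burmester-Desmedt ring construction from which the Dutta-Barua protocol is derived, so that N + M parties agree on one key with 2·(N + M) broadcasts rather than N · M pairwise agreements, and then authenticates a multicast message with a single tag under that key. DBGKA's authentication of the broadcasts and its join/leave operations are not shown. The DH parameters, topic name and payload are constructed for the example and are not secure choices for deployment.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (constructed for this example only; a real
# deployment would use a standardised group or an elliptic curve).
P = 2**255 - 19
G = 5


class Member:
    """One publisher or subscriber taking part in the group key agreement."""

    def __init__(self, index, n):
        self.i = index                            # position in the ring 0..n-1
        self.n = n
        self.r = secrets.randbelow(P - 2) + 1     # private exponent r_i
        self.z = pow(G, self.r, P)                # round-1 broadcast z_i = g^r_i

    def round2(self, zs):
        """Round-2 broadcast X_i = (z_{i+1} / z_{i-1})^{r_i} over the ring."""
        nxt = zs[(self.i + 1) % self.n]
        prv = zs[(self.i - 1) % self.n]
        self.x = pow(nxt * pow(prv, -1, P) % P, self.r, P)
        return self.x

    def derive_key(self, zs, xs):
        """K = z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i+n-2}^1,
        which equals g^{r_0 r_1 + r_1 r_2 + ... + r_{n-1} r_0} for every member."""
        n = self.n
        k = pow(zs[(self.i - 1) % n], n * self.r, P)
        for j in range(n - 1):
            k = k * pow(xs[(self.i + j) % n], n - 1 - j, P) % P
        # Hash the shared group element down to a fixed-size symmetric key.
        return hashlib.sha256(b"pubsub-group-key|" + k.to_bytes(32, "big")).digest()


def group_key_agreement(n):
    """Run the two broadcast rounds for n members; returns members and their keys."""
    members = [Member(i, n) for i in range(n)]
    zs = [m.z for m in members]               # round 1: n broadcasts
    xs = [m.round2(zs) for m in members]      # round 2: n broadcasts
    return members, [m.derive_key(zs, xs) for m in members]


def _auth_input(topic, seq, payload):
    # Length-prefix the topic so topic/payload boundaries are unambiguous.
    return len(topic).to_bytes(2, "big") + topic.encode() + seq.to_bytes(8, "big") + payload


def seal(group_key, topic, seq, payload):
    """Publisher side: one MAC per message, independent of the subscriber count."""
    tag = hmac.new(group_key, _auth_input(topic, seq, payload), hashlib.sha256).digest()
    return (topic, seq, payload, tag)


def verify(group_key, msg):
    """Subscriber side: accept iff the tag was produced by some holder of the
    group key, i.e. by some member of the trusted group (not a specific sender)."""
    topic, seq, payload, tag = msg
    expected = hmac.new(group_key, _auth_input(topic, seq, payload), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    members, keys = group_key_agreement(5)      # e.g. 2 publishers + 3 subscribers
    assert len(set(keys)) == 1, "all members must derive the same key"
    msg = seal(keys[0], "sensor/temperature", 1, b"21.5")   # constructed message
    print("accepted by another member:", verify(keys[4], msg))
    outsider_key = hashlib.sha256(b"not-a-member").digest()
    print("accepted under outsider key:", verify(outsider_key, msg))
```

Because every member holds the same key, the tag proves membership in the group rather than the identity of the publisher, which is exactly the relaxed notion of authenticity the paper adopts; a subscriber can therefore multicast-receive one 32-byte tag per message instead of one tag per receiver as in the DDS scheme. Confidentiality would be obtained by replacing the HMAC with an AEAD under a key derived the same way.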
This paper is available on arxiv under CC BY 4.0 DEED license.