Page 1: Decentralized Enforcement of Artifact Lifecycles

Decentralized Enforcement of Artifact Lifecycles

Sylvain Hallé, Raphaël Khoury, Yliès Falcone and Antoine El-Hokayem

Université du Québec à Chicoutimi, Canada
Université Grenoble Alpes, France

September 9th, 2016

BEST PAPER

Page 2: Decentralized Enforcement of Artifact Lifecycles


Page 3: Decentralized Enforcement of Artifact Lifecycles

Actors of the running example: doctor, patient, insurance company, pharmacist, nurse.

Page 4: Decentralized Enforcement of Artifact Lifecycles

The same actors, now sharing a single document: doctor, patient, insurance company, pharmacist, nurse.

Page 5: Decentralized Enforcement of Artifact Lifecycles

1. The doctor fills in the results of a test.

Page 6: Decentralized Enforcement of Artifact Lifecycles

2. Based on the results, the doctor adds a prescription for a drug.

Page 7: Decentralized Enforcement of Artifact Lifecycles

3. The pharmacist writes the cost of the drug.

Page 8: Decentralized Enforcement of Artifact Lifecycles

4. The insurance company approves the expense.

Page 9: Decentralized Enforcement of Artifact Lifecycles

5. The patient acknowledges.

Page 10: Decentralized Enforcement of Artifact Lifecycles

6. The nurse writes the moment she gave the drug.

Page 11: Decentralized Enforcement of Artifact Lifecycles

Fields of the document: patient's address, insurance policy #, test results, prescription, cost, insurance approval, timestamps.

Page 12: Decentralized Enforcement of Artifact Lifecycles

Observations

The document follows a lifecycle:
a test result cannot be changed once written;
an expensive drug must be approved by the insurance company.

"Lifecycle constraints"

Page 13: Decentralized Enforcement of Artifact Lifecycles

Observations

The document has conditions on its integrity:
the pharmacist cannot write test results;
the nurse cannot prescribe drugs.

"Write permissions"

Page 14: Decentralized Enforcement of Artifact Lifecycles

Observations

The document is subject to privacy concerns:
the insurance company should not access test results;
the doctor should not know the patient's policy number.

"Read permissions"

Page 15: Decentralized Enforcement of Artifact Lifecycles

How can I be sure that these rules are being followed?

Page 16: Decentralized Enforcement of Artifact Lifecycles

Solution A

Centralized access to the document

All accesses and modifications are filtered and verified.

Page 17: Decentralized Enforcement of Artifact Lifecycles

Solution A

Centralized access to the document

Single point of failure. Must be trusted.

Page 18: Decentralized Enforcement of Artifact Lifecycles

Solu�on B

Attach metadata to the document...

...and use it to ensure the confidentiality and integrity of its contents and of its history.

Page 19: Decentralized Enforcement of Artifact Lifecycles

Ingredients

P   Set of peers
G   Set of groups
M : P × G → {⊤,⊥}   Membership function
D   Set of documents
A   Set of actions; each action is a function a : D → D
𝔹   Set of binary strings (e.g. hash values)

Page 20: Decentralized Enforcement of Artifact Lifecycles

A document lifecycle specifies what actions peers are allowed to make on a document, and in which order.

δ_g : S* → {⊤,⊥}   Lifecycle function for group g ∈ G

For a peer-action sequence s ∈ S*,

δ_g(s) = ⊤ ⇔ s complies with the lifecycle constraints.

Page 21: Decentralized Enforcement of Artifact Lifecycles

To ensure confidentiality, actions in the sequence will be encrypted.

ħ      Hash function
E, D   Public-key encryption/decryption functions

Each group and each peer has a public-private key pair: K_{U,g}, K_{V,g} for a group g and K_{U,p}, K_{V,p} for a peer p (U: public key, V: private key).

Page 22: Decentralized Enforcement of Artifact Lifecycles

To ensure confidentiality, actions in the sequence will be encrypted.

An action a ∈ A will actually be recorded as:

⟨E[K_{U,g}, a], p, g, b⟩

All peers can see that some action was executed. Only members of g can know exactly which one (by decrypting with K_{V,g}).

The set S is actually 𝔹 × P × G × 𝔹.

Page 23: Decentralized Enforcement of Artifact Lifecycles

The contents of a peer-action are protected by a digest.

⟨a, p, g, b⟩ ∈ 𝔹 × P × G × 𝔹

a   Encrypted action
p   Who is doing it
g   On behalf of which group
b   Digest

How is it computed?

Page 24: Decentralized Enforcement of Artifact Lifecycles

Suppose that the last peer-action is ⟨a', p', g', b'⟩.

Peer p now wants to perform action a on behalf of group g.

The peer-action to append to the sequence is:

⟨E[K_{U,g}, a], p, g, b⟩

where

b = E[K_{V,p}, ħ(b' · E[K_{U,g}, a] · g)]

"Encrypting" the hash with p's private key is a signature by p over the previous digest b', the encrypted action and the group: this is what chains each peer-action to its predecessor.

Page 25: Decentralized Enforcement of Artifact Lifecycles

When receiving a peer-action sequence, each peer can check its validity, starting from the end.

..., ⟨a', p', g', b'⟩, ⟨a, p, g, b⟩

Step 1. Check that M(p, g) = ⊤.

Step 2. Check that D[K_{U,p}, b] = ħ(b' · a · g), where a is the encrypted action as stored in the sequence.

This makes sure that:

p has done the last action on behalf of group g (to which he belongs);
the last digest was indeed b'.

The same two steps are then applied to ⟨a', p', g', b'⟩ and so on down to the first peer-action, each digest vouching for the one before it.

Page 26: Decentralized Enforcement of Artifact Lifecycles

Once the sequence is deemed valid, a peer can check the lifecycle function of a group g that he belongs to.

Step 1. For every peer-action ⟨a', p', g', b'⟩ where g' = g, compute a = D[K_{V,g}, a'].

This yields a peer-action sequence s where the actions of group g appear in clear.

Step 2. Check that δ_g(s) = ⊤.

Page 27: Decentralized Enforcement of Artifact Lifecycles

Tampering with the sequence can be detected by any peer:
replacing an action or a peer by another;
deleting or inserting an action;
even without knowing the action.

Compliance with the lifecycle can be checked by any peer of the same group, who can choose to reject a document that violates the spec.
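The construction of pages 22 to 27, worked through in code. This is an added example written for this page, not the authors' ARTICHOKE implementation: SHA-256 stands in for the hash function ħ, and a textbook RSA with demo keys generated at import time stands in for E and D so that the file runs on the Python standard library alone. The peer and group names (doctor, nurse, pharmacist, insurer; medical, billing), the "W|field|value" action encoding borrowed from the ARTICHOKE dump shown later, the "|" separators inside the hash input, the genesis digest 0 for the empty document and the lifecycle δ_medical are all assumptions of this example. The last function illustrates the action-guessing limitation listed on the final slide.

```python
# Toy model of the peer-action sequence (pages 22-27); added example, not ARTICHOKE code.
# SHA-256 stands in for ħ, textbook RSA (no padding, demo keys) for E/D: stdlib only.
import hashlib
import random

def _is_probable_prime(n, rounds=16):  # Miller-Rabin, fine for demo keys only
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def keygen(bits=512):
    """(K_U, K_V) = ((n, e), (n, d)); e is prime, so 'e does not divide phi' suffices."""
    e = 65537
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def E(key, m):  # modular power: E with K_U, or the "E with K_V" that page 24 uses as a signature
    n, exp = key
    return pow(m, exp, n)
D = E  # decryption / signature recovery is the same power with the other half of the pair

def hash_link(b_prev, enc_a, g):
    """ħ(b' · E[K_{U,g}, a] · g) as an int; the "|" separators are this example's choice."""
    return int.from_bytes(hashlib.sha256(f"{b_prev}|{enc_a}|{g}".encode()).digest(), "big")

GENESIS = 0  # assumed digest before the first action (empty document)
MEMBERS = {("doctor", "medical"), ("nurse", "medical"),       # constructed roles for
           ("pharmacist", "billing"), ("insurer", "billing")}  # the running example
KEYS = {x: keygen() for x in ("doctor", "nurse", "pharmacist", "insurer", "medical", "billing")}
PUB = {k: v[0] for k, v in KEYS.items()}
PRIV = {k: v[1] for k, v in KEYS.items()}
M = lambda p, g: (p, g) in MEMBERS  # membership function M : P x G -> {T, F}

def append_action(seq, a, p, g):
    """Page 24: append ⟨E[K_{U,g}, a], p, g, b⟩ with b = E[K_{V,p}, ħ(b' · E[K_{U,g}, a] · g)]."""
    b_prev = seq[-1][3] if seq else GENESIS
    enc_a = E(PUB[g], int.from_bytes(a.encode(), "big"))  # a must stay shorter than n
    return seq + [(enc_a, p, g, E(PRIV[p], hash_link(b_prev, enc_a, g)))]

def check_sequence(seq):
    """Page 25, steps 1 and 2 on every link, walking forward from GENESIS instead of backward."""
    b_prev = GENESIS
    for enc_a, p, g, b in seq:
        if not M(p, g) or D(PUB[p], b) != hash_link(b_prev, enc_a, g):
            return False
        b_prev = b
    return True

def group_view(seq, g):
    """Page 26, step 1 (the replay of page 29): decrypt group g's actions with K_{V,g}."""
    view = []
    for enc_a, p, g2, _ in seq:
        if g2 == g:
            m = D(PRIV[g], enc_a)
            view.append((p, m.to_bytes((m.bit_length() + 7) // 8, "big").decode()))
    return view

def delta_medical(view):
    """δ_medical as a state machine: each field once, by the right role, in order test -> rx -> given."""
    rules = {"test": ("doctor", None), "rx": ("doctor", "test"), "given": ("nurse", "rx")}
    written = set()
    for p, action in view:
        field = action.split("|")[1]
        role, needs = rules.get(field, (None, None))
        if p != role or field in written or (needs and needs not in written):
            return False
        written.add(field)
    return True

def build_example():
    seq = append_action([], "W|test|positive", "doctor", "medical")
    seq = append_action(seq, "W|rx|drug-X", "doctor", "medical")
    seq = append_action(seq, "W|cost|120", "pharmacist", "billing")
    return append_action(seq, "W|given|2016-09-09T10:00", "nurse", "medical")

def tampered_variants(seq):
    """Page 27: manipulations any peer detects without being able to read the action."""
    a0, p0, g0, b0 = seq[0]
    return {"replace action": [(a0 + 1, p0, g0, b0)] + seq[1:],
            "replace peer": [(a0, "nurse", g0, b0)] + seq[1:],
            "delete action": seq[:1] + seq[2:]}

def confirm_guess(enc_a, g, guess):
    """Page 35: with a deterministic E, anyone holding K_{U,g} can test a guessed action."""
    return E(PUB[g], int.from_bytes(guess.encode(), "big")) == enc_a
```

The verification walks forward from the genesis digest rather than backward from the last action as on the slide; both orders check the same equations, and the forward walk only needs the agreed starting digest. The textbook (deterministic) encryption used here is exactly what makes `confirm_guess` work: an outsider with the group's public key can enumerate the action set A and re-encrypt until a ciphertext matches, which is the limitation the last slide mitigates by the size of A. Randomised padding (OAEP-style) for the action ciphertext would close that particular check without changing the chain construction.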

Page 28: Decentralized Enforcement of Artifact Lifecycles

The amount of work on each new action is constant: two encryptions and one hash, applied to a string of constant length. Checking the sequence is linear in its length.

The lifecycle function is arbitrary: it is considered a "black box" throughout and can use LTL, FSM, BPMN, ...

What about read/write permissions?

Page 29: Decentralized Enforcement of Artifact Lifecycles

Suppose the exchange starts with an empty document. Replaying the sequence of actions reconstructs the document up to its current state.

But you can only replay the actions of the groups you belong to!

Groups control the parts of the document that peers can read and write. The "document" itself is not necessary; the peer-action sequence is sufficient.

Page 30: Decentralized Enforcement of Artifact Lifecycles

ARTICHOKE

Implementation of these concepts in PHP for PDF forms. Uses hidden form fields to store the peer-action sequence (encoded as base-64). MD5 for hashing, RSA for encryption. MD5 is no longer collision-resistant, so a deployment beyond the prototype would substitute a SHA-2 family hash; the construction itself does not depend on which hash function plays the role of ħ.

Page 31: Decentralized Enforcement of Artifact Lifecycles

ARTICHOKE

$ artichoke Form.pdf fill -k private_key_Alice.pem -p Alice -o Form-filled.pdf F1 foo

Page 32: Decentralized Enforcement of Artifact Lifecycles

ARTICHOKE

$ artichoke Form.pdf dump

Form fields
-----------
F1 foo
F2 bar

Peer-action sequence
--------------------
Alice W|F1|foo Rm/MRSzK...
Bob   W|F2|for kEvrkC+e...

Page 33: Decentralized Enforcement of Artifact Lifecycles

ARTICHOKE

$ artichoke Form.pdf check *.pem

The lifecycle function can be any user-defined PHP code.

Page 34: Decentralized Enforcement of Artifact Lifecycles

[Figure: running time for writing the sequence and for checking the sequence (ms), and the sequence size (file size in bytes), each plotted against the number of operations (100 to 500).]

Page 35: Decentralized Enforcement of Artifact Lifecycles

The complete trace must be kept forever. Could we trim a prefix after some time?

Can detect violations, but not prevent them. A peer can choose to accept a tampered document.

Documents can be copied, so divergent histories can be created. Invent sufficient conditions to prevent this?

Actions can be guessed: try them all until you find the one that works. Mitigated by the size of A.

Page 36: Decentralized Enforcement of Artifact Lifecycles

Thank you!

Questions?

http://slideshare.net/sylvainhalle
http://leduotang.ca/sylvain
http://liflab.ca