
Page 1: CHAPTER 3 SYMMETRIC ENCRYPTION ALGORITHMS IN DATA …shodhganga.inflibnet.ac.in/bitstream/10603/23789/11/11_chapter 3.p… · reliance on the character, ability, strength, or truth

CHAPTER 3
SYMMETRIC ENCRYPTION ALGORITHMS IN DATA SECURITY MODEL FOR GRID NETWORKS

3.1 INTRODUCTION

Internet and Grid computing applications are growing very fast, so there is a need to protect such applications. Encryption algorithms play a main role in information security systems. On the other hand, those algorithms consume a significant amount of computing resources such as Central Processing Unit (CPU), memory, and battery power.

Security requirements such as authentication, authorization, and confidentiality of communication between computers in the grid environment are fundamental to the grid design (Marty Humphery et al. 2005). Without this functionality, the integrity and confidentiality of the data processed within the grid would be at risk (IBM Corporation 2003). To properly secure the grid environment, many different tools and technologies are available. Symmetric and asymmetric encryption algorithms are commonly used in grid software to provide the necessary security. The use of a symmetric encryption algorithm will significantly affect the network communication performance.

Authentication: Authentication is the process of verifying the validity of a claimed individual and identifying who he or she is. Authentication is not limited to human beings; services, applications, and other entities may also be required to be authenticated. Basic authentication is the simplest web-based authentication scheme; it works by sending the username and password within the request. Generally, authentication is achieved through the presentation of some token that cannot be stolen (forged). This can be either a peer-to-peer relationship (password for client and server) or through a trusted third party (certification authority or Kerberos server). Biometric characteristics can also be used by a service for authentication purposes, since a unique identification of a human being can give more security; for example, a fingerprint scanner can be used to log into a local machine. Trust can be defined as the assured reliance on the character, ability, strength, or truth of someone or something (Atul Kahate, 2008).

Access control: Assurance that each user or computer that uses the service is permitted to do what he or she asks for. The process of authorization is often used as a synonym for access control, but it also includes granting the access or rights to perform some actions based on access rights. Once the system knows who the user is through authentication, authorization is how the system decides what the user can do (Heinz Johner et al., 2000).

Data integrity: Data integrity assures that the data is not altered or destroyed in an unauthorized manner. Integrity checks are provided primarily via hash functions (or "message digests") (Heinz Johner et al., 2000).
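As an added illustration of the integrity check described above (example code written for this edition, not part of the thesis), the following Python compares an unkeyed SHA-256 digest with a keyed HMAC over a constructed message. It shows the point a practitioner cares about: a plain digest only detects accidental corruption, because anyone who alters the data can recompute it, whereas a keyed digest detects unauthorized alteration. The key and messages are made up for the demonstration.

```python
import hashlib
import hmac

# Constructed demonstration key; a real deployment would generate and
# distribute it through the key management service.
KEY = b"constructed-demo-key-do-not-reuse"


def plain_digest(data: bytes) -> bytes:
    """Unkeyed message digest: detects accidental corruption only."""
    return hashlib.sha256(data).digest()


def keyed_digest(key: bytes, data: bytes) -> bytes:
    """Keyed digest (HMAC-SHA256): detects unauthorized alteration,
    because a party without the key cannot recompute a valid tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_plain(data: bytes, digest: bytes) -> bool:
    # compare_digest avoids timing differences that leak how many bytes matched
    return hmac.compare_digest(plain_digest(data), digest)


def verify_keyed(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_digest(key, data), tag)


def demo() -> dict:
    """Run both checks against a constructed message and an altered copy."""
    msg = b"transfer 100 units to account A"
    altered = b"transfer 900 units to account A"
    d = plain_digest(msg)
    t = keyed_digest(KEY, msg)
    return {
        "plain_ok": verify_plain(msg, d),
        "plain_detects_corruption": not verify_plain(altered, d),
        # The weakness of an unkeyed digest: whoever alters the data can
        # simply recompute it, and the receiver cannot tell the difference.
        "plain_fooled_by_recompute": verify_plain(altered, plain_digest(altered)),
        "keyed_ok": verify_keyed(KEY, msg, t),
        "keyed_detects_alteration": not verify_keyed(KEY, altered, t),
        # Recomputing the tag without the key does not help.
        "keyed_without_key_fails": not verify_keyed(KEY, altered, keyed_digest(b"wrong-key", altered)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {ok}")
```

Every entry of `demo()` comes out `True`; the two "fooled"/"fails" entries are what separate an integrity check from a mere checksum.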

Data confidentiality: Sensitive information must not be revealed to parties for whom it is not intended. Data confidentiality is often also referred to as privacy. The standard approach to ensuring confidentiality is encryption, which is the application of an algorithm that transforms "plaintext" to "ciphertext" whose meaning is hidden but can be restored to the original plaintext by another algorithm (the invocation of which is called decryption). Secret algorithms, which by definition are intended to be known only by the parties involved, are not generally used in the commercial or scientific sectors because they are not subject to public scrutiny and are thus believed to be inherently weaker. Public algorithms can be symmetric or asymmetric.

Key management: Key management deals with the secure generation, distribution, authentication, and storage of keys used in cryptography.

Nonrepudiation: This refers to the inability of someone who performed a particular action, such as a financial transaction, to later deny that they were indeed responsible for the event.

In this chapter, the impact of using different popular and commonly used symmetric key cryptography algorithms for encrypting data in a typical grid computing environment has been analyzed. It was observed that the use of encryption and decryption at the application layer would certainly have an impact on application layer performance. The DES, Triple DES, AES, Blowfish, RC2 and RC6 algorithms can be used to evaluate the impact on network layer performance in a typical grid computing environment. The performance was measured through simulation studies with NS2 by simulating these algorithms on the GARUDA grid network topology.

Security requires at least three fundamental services: authentication, authorization, and encryption. Before any check is done as to whether or not a requested access or operation is allowed within the grid, a grid resource must be authenticated. Once the grid resource is authenticated within the grid, the grid user is granted certain rights to access the resource. This, however, does not prevent data in transit between grid resources from being captured, spoofed, or altered; encryption is the security service that ensures this does not happen. Obviously, the use of data encryption will certainly have an impact on application layer performance. In this work, however, the researcher examined its impact on total network performance. In this chapter, the impact of six symmetric encryption algorithms in a typical grid network is studied.

The use of cryptography will certainly have an impact on network performance in one way or another. Therefore, it was decided to model an application layer encryption-decryption scenario in a typical grid computing environment and study its impact on network performance through network simulations.

3.2 SECURITY METHODS USED IN GRID COMPUTING

Symmetric encryption: Both encryption and decryption of data use the same secret key. Symmetric cryptography is also known as secret key cryptography.

Asymmetric encryption: Two different keys are used for encrypting and decrypting the data. The public key encryption technique is the primary example of this, using a "public key" and a "private key" pair. Therefore, it is also referred to as public key cryptography.

Secure Sockets Layer/Transport Layer Security (SSL/TLS): Both are essentially the same protocol, but referred to differently. The Internet Engineering Task Force (IETF) has renamed it TLS, but it is based on the same Request For Comments (RFC). It is widely deployed in every web browser. Clients authenticate the identity of the server and send a session key from client to server to set up an encrypted communication. The server has a certificate that contains its public key. If the client has a certificate, it can authenticate itself to the server. Advantages are strong authentication, message privacy and integrity, interoperability, algorithm flexibility, and ease of deployment and use. The disadvantages are increased processor load and administrative overhead.

Public Key Infrastructure (PKI): Different components, technologies, and protocols make up a PKI environment. In a PKI, each entity (e.g. user, service) possesses a set of credentials comprising a cryptographic key and a certificate.

Mutual Authentication: Instead of using a Lightweight Directory Access Protocol (LDAP) repository to hold the PKI, two parties who want to communicate with one another can use the public keys stored in their digital certificates.

3.3 SYMMETRIC KEY ENCRYPTION ALGORITHMS

Even though there are different kinds of security requirements or models necessary for grid computing systems, the role of a symmetric key encryption algorithm and its impact will be significant. If it is necessary to implement such a symmetric key encryption algorithm in the application layer, then it will definitely affect the performance of the application in terms of time. This research work has simulated the workload of different encryption algorithms such as DES, Triple DES, AES, Blowfish, RC2 and RC6 at the application layer in the proposed traffic model. The functionality of all these algorithms has already been discussed in detail in the second chapter.

Authentication and authorization have been basic and necessary services for Internet transactions. Several new standards have emerged which allow dynamic access control based on exchanging user attributes. Unfortunately, providing highly secure and flexible access mechanisms is a very demanding task. Authentication and Authorization Infrastructures (AAIs) can provide such integrated federations of security services, which provide Attribute Based Access Control (ABAC) mechanisms and mediate between the customer's demand for privacy and the vendor's need for information (Christian Schlager et al., 2006).

The GSI is one of the most well-known security architectures based on Public Key Infrastructure (PKI); it performs mutual authentication via X.509 certificates. Zhun Cai (2008) describes a Password Based Grid Security Infrastructure (PBGSI) that authenticates clients by authenticated key exchange (AuthA) methods and uses a modified Chaffing and Winnowing protocol for secure data transfer. By using password-based methods in authentication, authorization and delegation, PBGSI provides a convenient interface for the user. At the same time, its encryption-less secure data transfer and the other mechanisms used in that scheme (time-stamps, etc.) improve performance.

A grid environment has been built to verify the feasibility and the efficiency of the extended Online Certificate Status Protocol (OCSP). Shaomin Zang et al. (2008) explained the running requirements and the data description of the client and each extended OCSP responder in detail. Both theory and experiment proved that the extended OCSP system effectively increased the efficiency of certificate verification.

Recently, the authentication protocol has been recognized as an important factor in grid computing security. Microsoft network developers (2002) described a new, simple and efficient grid authentication system that provides user anonymity and is based on a hash function. The mobile users perform symmetric encryption and decryption, which takes one round of message exchange between the mobile user and the visited network and one round of message exchange between the visited network and the corresponding home network. A number of projects investigate attribute-based authentication, such as the VO Privilege Project, GridShib, and PERMIS. However, there are quite a few decision dimensions when it comes to designing such a scheme in grid computing.

Authentication in the grid environment has been performed in two ways: either in the application layer part or in the communication part. Cryptography plays a major role in implementing authentication. It is obvious that the use of encryption and decryption at the application layer will certainly have an impact on application layer performance in the grid environment. This work has simulated the encryption algorithms in a typical grid network scenario using the results from D.S. Abdul Elminaam et al. (2009).

S. Corson and J. Macker (1999) have stated that the average number count can be used to measure pure algorithmic efficiency instead of the bit count to transmit data.

This research work used the NS2 traffic model proposed in the EC-GIN project to model the proposed symmetric key encryption based traffic model. Further, it used another NS2 traffic model, called GridFTP, as cross traffic. To study the impact of the encryption based traffic model, the Indian grid network topology GARUDA was used. This research work has simulated the encryption algorithms in a typical grid network scenario based on the results provided by D.S. Abdul Elminaam et al. (2009).

3.4 MODELING GRID AND GRID TRAFFIC IN NS2

The grid computing paradigm has been widely adopted within the research community for scientific computing. Grid computing is used as a method by which access is seamlessly given to a set of heterogeneous computational resources across a dynamic set of physical organizations, supplying massive computing and storage capabilities. Within a grid environment, computational jobs are submitted to and run on suitable resources, and data is stored and transferred transparently without knowing its geographic location. This will obviously have an impact on the underlying network infrastructure, and the data generated within a grid environment may substantially affect the network performance due to the volume involved.

NS2 is used to simulate the network, but it is well known that NS2 does not implement any security features; so far there is no option for simulating security aspects in NS2. The reasons for the lack of security features in NS2 are:

• Security is a subtle matter related to many aspects, and is much different from other kinds of network protocols.
• Generally, there is no real data or packet to encrypt or decrypt in NS2, and no support for sending a real payload.
• The scope of a simulation is to minimize the overall simulation time. If the simulator performed any real encryption or decryption, it would go beyond the concept of a simulator.
• Lack of support for handling socket connections as in a real TCP/IP scenario: the NS2 simulator has limitations in simulating simultaneous threaded processes to mimic real socket connections.

Generally, in a typical grid computing scenario, security is handled at the application layer itself. Therefore, the researcher decided to simulate encryption in NS2 at the application layer by modeling a new encrypted traffic generator.

NS2 is an object-oriented simulator, written in C++, with an OTcl interpreter as a frontend (EC-GIN 2006). The simulator supports a class hierarchy in C++ and a similar class hierarchy within the OTcl interpreter. The root of this hierarchy is the class TclObject. Users create new simulator objects through the interpreter. Applications sit on top of transport agents in NS2, and there are two basic types of applications: traffic generators and simulated applications. Currently, there are four C++ classes derived from the traffic generator class (Microsoft network developers 2002): EXPOO_Traffic, POO_Traffic, CBR_Traffic and TrafficTrace. However, none of these classes matches the traffic characteristics of PPLive and GridFTP. The NS2 simulation process is shown in figure 3.1.

Figure 3.1 Simulation Process
[Flowchart stages recovered from the figure: Problem; Simulation model; Setup/run simulation; Result analysis; Modify NS]

Along with the rapid development of Peer-to-Peer (P2P) file sharing and IPTV video services, P2P streaming services have become a core multi-user video sharing application on the Internet. The focus of grid technology in the video area is generally on the resource scheduling and replica management aspects, while the service traffic characteristics are still similar to the traditional video service. In-depth work has already been carried out in the areas of monitoring and modeling video traffic (EC-GIN 2006). Therefore, exploring the developing trends of grid systems, video sharing, monitoring and the analysis of P2P and IPTV traffic are interesting and promising topics of research.

The time interval between two packets and the size of each packet waiting to be sent out are very important when modeling actual traffic. Therefore, if the model can accurately match these two characteristics, it is said to generate traffic that is similar to the actual data. The EC-GIN project built a new traffic generator to model the actual traffic, called Lognormal Traffic, which is primarily responsible for controlling the packet time intervals and the packet sizes.

This research work has extended the traffic model of PPLive (Lognormal Traffic) to support a simulated encryption and decryption scenario. Based on the traffic model of EC-GIN, an algorithm has been put forward to control the packet generation sequence. First, data initialization is performed as follows:

• Send a video packet when the simulation begins.
• Compute the next video packet sending time and store it in the variable NextT.

Next, the time needed for sending the next packet is calculated. To account for different packet sizes, different parameters are used to calculate the inter-video-packet time (variable NextT) and the inter-control-packet time (array t_i). The values of t_1 to t_n are summed into the variable SmallT. As long as the value of SmallT is less than NextT, t_i is used as the inter-packet time for sending small packets (control packets). Otherwise, a large packet (video packet) is sent immediately with an inter-packet time of NextT - (SmallT - t_i) (EC-GIN 2006).

Figure 3.2 The EC-GIN PPLive Packet Generator (EC-GIN 2006)

In addition to this process, packet transmission is delayed with respect to the size of the packet to be sent and the selected encryption algorithm. Therefore, the new Scheduled Transmission Time is equal to the sum of the inter-packet time and the time taken to encrypt the packet with the selected algorithm.

Packet Generator Algorithm

• Send a video packet when the simulation begins.
• Compute the time for sending the next video packet.
• The time needed to send the next packet is computed.
• To account for different packet sizes, different parameters are used to calculate the inter-video-packet time (NextT) and the inter-control-packet time (t_i); then SmallT = ∑ t_i.
• If SmallT < NextT then
      t_i is used as the inter-packet time for sending small packets
  else
      the large packet is sent immediately and the time interval = NextT – (SmallT – t_i)
• Packet transmission is delayed with respect to the size of the packet to be sent and the selected algorithm:
      New Scheduled Transmission Time = Inter-packet time + time taken for encrypting the packet (selected algorithm)
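The packet generator with the added encryption delay, as an added Python example written for this edition (it is not the thesis's NS2/OTcl traffic generator). It follows the NextT / SmallT / t_i bookkeeping above and pushes every send time back by a per-byte encryption cost. The inter-packet intervals are supplied by the caller (a constant or a lognormal draw), and the algorithm names ALG_A and ALG_B with their costs are constructed placeholders, not the benchmark figures the thesis takes from Elminaam et al. (2009).

```python
import itertools
import math
import random
from dataclasses import dataclass


@dataclass
class Packet:
    send_time_ms: float
    size_bytes: int
    kind: str            # "video" (large packet) or "control" (small packet)


# Constructed placeholder encryption costs in microseconds per byte. The thesis
# takes its per-algorithm delays from Elminaam et al. (2009); those figures are
# not reproduced here, so ALG_A / ALG_B are hypothetical names.
ENC_COST_US_PER_BYTE = {"NONE": 0.0, "ALG_A": 5.0, "ALG_B": 12.0}


def generate_schedule(duration_ms, video_size, control_size,
                      video_intervals, control_intervals, cost_us_per_byte):
    """Reproduce the EC-GIN style packet generation sequence (NextT / SmallT /
    t_i) and add the chapter's extension: each send time is delayed by the time
    the selected algorithm needs to encrypt that packet.
    `video_intervals` and `control_intervals` are iterables of inter-packet
    times in milliseconds (a constant or a distribution, caller's choice)."""
    video_intervals = iter(video_intervals)
    control_intervals = iter(control_intervals)

    def enc_delay(size_bytes):
        return cost_us_per_byte * size_bytes / 1000.0   # microseconds -> ms

    packets = []
    # Initialisation: a video packet goes out when the simulation begins,
    # delayed only by its own encryption time.
    t = enc_delay(video_size)
    if t > duration_ms:
        return packets
    packets.append(Packet(t, video_size, "video"))
    next_t = next(video_intervals)    # NextT: gap to the next video packet
    small_t = 0.0                     # SmallT: sum of control-packet gaps so far

    while True:
        ti = next(control_intervals)  # t_i: next inter-control-packet time
        small_t += ti
        if small_t < next_t:
            gap, size, kind = ti, control_size, "control"
        else:
            # Video packet is due: send it after the remaining gap
            # NextT - (SmallT - t_i), then restart the accounting.
            gap, size, kind = next_t - (small_t - ti), video_size, "video"
            small_t = 0.0
            next_t = next(video_intervals)
        # New Scheduled Transmission Time = inter-packet time + encryption time
        t += gap + enc_delay(size)
        if t > duration_ms:
            break
        packets.append(Packet(t, size, kind))
    return packets


def summarize(packets, duration_ms):
    """Packets and bytes that got out within the run, and the resulting
    application-layer throughput in kbps (bits per millisecond)."""
    total_bytes = sum(p.size_bytes for p in packets)
    return {"packets": len(packets),
            "bytes": total_bytes,
            "throughput_kbps": total_bytes * 8 / duration_ms}


def compare_algorithms(duration_ms=20_000, seed=7):
    """Run the same lognormal traffic (constructed parameters) once per
    algorithm; the interval draws happen in the same order in every run, so
    only the encryption delay differs between algorithms."""
    results = {}
    for name, cost in ENC_COST_US_PER_BYTE.items():
        rng = random.Random(seed)
        video = (rng.lognormvariate(math.log(40.0), 0.3) for _ in itertools.count())
        control = (rng.lognormvariate(math.log(10.0), 0.3) for _ in itertools.count())
        pkts = generate_schedule(duration_ms, 1316, 60, video, control, cost)
        results[name] = summarize(pkts, duration_ms)
    return results


if __name__ == "__main__":
    for name, r in compare_algorithms().items():
        print(f"{name:6s} packets={r['packets']:6d} "
              f"throughput={r['throughput_kbps']:.1f} kbps")
```

With constant intervals of 40 ms (video) and 10 ms (control) and a 200 ms run, the zero-cost schedule emits 21 packets; a 5 us/byte cost stretches each cycle from 40 ms to 47.48 ms and only 17 packets fit. The same mechanism is what produces the lower received-packet and throughput figures for the encrypted runs in the results section.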

To simulate services and bulk data transfer, GridFTP is used. It is the cross traffic during the simulation.

In this implementation, the encryption algorithms were simulated in a typical grid network scenario simply by including the encryption delay at the traffic generator, using the results from D.S. Abdul Elminaam et al. (2009). UDP was used for designing the traffic model of EC-GIN. In this design, however, the researcher decided to use TCP, because TCP is the most commonly used transport protocol in grid network communication.

The GridFTP tool of the Globus Toolkit is one of the most important components provided by Globus for moving large amounts of data in bulk. GridFTP is based on FTP, the highly popular Internet file transfer protocol. Because of the characteristics of grid traffic, a GridFTP simulation scenario differs from other traffic models. The GridFTP simulator of EC-GIN was developed in the OTcl language to mimic this GridFTP traffic; the EC-GIN GridFTP is embedded in a gridftp.tcl file. In this work, GridFTP was used as background cross traffic during the evaluation of the impact of encrypted PPLive traffic. The three major parameters defined for the GridFTP simulator are:

Bandwidth: This parameter sets the total bandwidth of the link. By default, it is set to 1.0 Mbps. Together with the Ratio parameter, it determines the "rate_" parameter of each FTP instance.

Parallel: This parameter sets the number of parallel GridFTP streams. By default, it is set to 4. Since each GridFTP stream is simulated by FTP, this parameter actually sets the number of FTP instances for the GridFTP simulator.

Ratio: This parameter sets the throughput ratio among the parallel streams. By default, it is set to 1:1:1:1, which means that each stream will transmit packets at an equal speed.

In this work, two methods of the basic simulator class, viz. attach-agent and connect, were overridden so that the GridFTP instance can be attached to the network node and connected to the GridFTPSink instance. Here, if the input parameters bandwidth, parallelism and ratio are valid, the total bandwidth is allocated for the connection, the specified number of parallel FTP flows is created, and the ratio of data transferred by each stream is set. The simulator then runs for the specified time after all these functions have been established. A typical GridFTP connection flow is shown in figure 3.3.
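An added Python example (written for this edition, not the EC-GIN gridftp.tcl code) of the parameter validation and bandwidth split described above: it parses the Ratio string, checks it against Parallel, rejects inconsistent inputs instead of silently allocating, and derives the per-stream rate each FTP instance would be given. The function names, the Mbps float return value and the "NMb" rendering for rate_ are assumptions of this example.

```python
def allocate_gridftp_rates(bandwidth_mbps, parallel, ratio):
    """Validate the GridFTP simulator parameters and split the total link
    bandwidth among `parallel` FTP instances according to `ratio`
    (e.g. "1:1:1:1"). Returns the per-stream rate in Mbps.
    Raises ValueError when the inputs are inconsistent, mirroring the
    'if the parameters are valid, then allocate' step in the text."""
    if bandwidth_mbps <= 0:
        raise ValueError("bandwidth must be positive")
    if not isinstance(parallel, int) or parallel < 1:
        raise ValueError("parallel must be a positive integer")
    try:
        weights = [float(w) for w in ratio.split(":")]
    except ValueError:
        raise ValueError("ratio must look like 'a:b:c'") from None
    if len(weights) != parallel:
        raise ValueError(f"ratio has {len(weights)} entries but parallel is {parallel}")
    if any(w <= 0 for w in weights):
        raise ValueError("ratio entries must be positive")
    total = sum(weights)
    # Each stream gets its share of the link; the shares add up to the link.
    return [bandwidth_mbps * w / total for w in weights]


def ns2_rate_strings(rates_mbps):
    """Render the per-stream rates in the 'NMb' form used for rate_ in NS2
    scripts (assumed format for this example)."""
    return [f"{r:g}Mb" for r in rates_mbps]


if __name__ == "__main__":
    # Defaults from the text: 1.0 Mbps, 4 streams, ratio 1:1:1:1
    print(ns2_rate_strings(allocate_gridftp_rates(1.0, 4, "1:1:1:1")))
    # Unequal split over two streams
    print(ns2_rate_strings(allocate_gridftp_rates(8.0, 2, "3:1")))
```

Rejecting a ratio whose entry count does not match Parallel is the check worth keeping: with the defaults both are 4, but a scenario file that changes one without the other would otherwise create streams with no rate, or rates for streams that do not exist.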

Figure 3.3 A typical GridFTP connection

3.5 SIMULATION OF GARUDA NETWORK IN NS2

The following NAM output (figure 3.4) shows the model of the GARUDA network simulated in NS2. The topology was derived from the information provided by the ERNET and GARUDA projects.

• The links shown in green are 8/34 Mbps links
• The links shown in red are 2/8 Mbps links
• Nodes shown as red hexagons are backbones and POPs
• Nodes shown as blue circles are the connected institutes

In a typical grid computing scenario, security is generally handled at the application layer. Hence, the study set out to simulate encryption in NS2 at the application layer by modeling a new encrypted traffic generator. A simple model of the GARUDA grid network has been simulated in NS2 and the impact of different encryption schemes on network performance has been evaluated. A normal 2 GHz Pentium IV computer with 1 GB RAM was used for this simulation.

Figure 3.4 Simulated GARUDA Topology

3.6 RESULTS AND DISCUSSION

The traffic model of PPLive (Lognormal Traffic) has been extended to support a simulated encryption-decryption scenario. Based on the traffic model of EC-GIN (2006), an algorithm was put forward to control the packet generation sequence. The packet transmission is delayed with respect to the size of the packet to be sent and the selected encryption algorithm. As a result, the New Scheduled Transmission Time is calculated as the sum of the inter-packet time and the time taken to encrypt the packet with the selected algorithm. In this work, the implementation of encryption algorithms in a typical grid network scenario includes the encryption delay at the traffic generator, using the results from D.S. Abdul Elminaam et al. (2009).

For creating different traffic scenario files, this research work used different grid traffics (GridFTP traffic and PPLive traffic) based on the EC-GIN project. The following simulation parameters were used: number of backbone and POP nodes, routing protocol, backbone link capacity, institution-to-backbone links and queue type. In addition, encrypted PPLive traffic from one node to another (in this topology, from Madras to Delhi) was simulated, with some GridFTP cross traffic. The simulation parameters and their values used for this simulation are listed in table 3.1.

Table 3.1 Simulation Parameters

Simulation Parameter                    Parameter Value
Number of Backbone and POP nodes        12
Number of Simulated Institution Nodes   36
Routing Protocol                        DV
Backbone Link Capacity                  8/34 Mbps
Institution to Backbone Links           2/8 Mbps
Queue Type                              Drop Tail

The performance of the network with respect to the different cryptography algorithms used in the application layer was analyzed by comparing time and throughput, average received packets, sent packets and end-to-end delay in the different schemes over time. The backbone and POP nodes (12 nodes) used in the simulated GARUDA topology are Chennai (0), Delhi (1), Kanpur (2), Gorakhpur (3), Guwahati (4), Indore (5), Kolkata (6), Mumbai (7), Pune (8), Bhubaneshwar (9), Hyderabad (10) and Bangalore (11).

The graphs 3.5 to 3.14 show the performance of the network with respect to the different cryptography algorithms used in the application layer. The work also studies the packet loss during data transmission. When a packet arrives at the network layer, the routing protocol forwards the packet if a valid route to the destination is known. Otherwise, the packet is buffered until a route is available. A packet is dropped in two cases: when the buffer is full at the time the packet needs to be buffered, and when the packet has been buffered beyond the limit.

Figure 3.5 Comparison of Sent Bytes for Various Encryption Method with Time

When the simulation starts, encrypted packets are sent one by one from the node Madras to Delhi. For each run a different encryption algorithm is selected. The result shows that the data with no encryption method transferred all the data without any security at the receiver side. The simulation runs for 20 seconds, with the result that 195.211, 166.313, 185.381, 517.952 and 245.67 packets were delivered within the specified time with respect to the selected encryption algorithms DES, 3DES, AES, Blowfish, RC2 and RC6.

Figure 3.6 Comparison of Received Bytes with Time

Figure 3.7 Average Received Packets for Various Encryption Algorithms

In the other cases, the number of received packets varies with the encryption method selected. The average received packets for the various encryption algorithms are shown in figure 3.7. It is clear that encryption with Blowfish gives a higher receiving rate than the other methods.

Figure 3.8 Comparison of End to End Delay with Time

Figure 3.9 Comparison of Average End to End Delay with Time


The time taken for an encrypted packet to be transmitted across the network from the source node (Madras) to the destination (Delhi) is shown in Figure 3.8, and the average delay is shown in Figure 3.9. In this comparison, encryption with Blowfish shows an average delay of 26.6894 ms.

Figure 3.10 Comparison of Throughput with Time

The average rate of successful message delivery over the communication channel in a given time, for the various encryption algorithms, is compared in Figure 3.10, and the averages are shown in Figure 3.11.

Figure 3.11 Average Throughputs for Various Encryption Algorithms


Figure 3.12 Comparisons of Dropped Packets with Time

Figure 3.13 Average Delay for Various Encryption Algorithms

The variation in the time between packet arrivals, caused by network congestion, is measured and shown in Figure 3.14.
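The metrics reported in Figures 3.5 to 3.14 (received bytes, end-to-end delay, throughput, dropped packets and jitter) can be extracted directly from an NS2 trace file. The following Python script is an added example, not the thesis's own post-processing; it assumes the standard NS2 wired trace field order, uses a constructed and abbreviated trace for the path Madras (assumed node 0) through an intermediate node to Delhi (assumed node 2), and takes jitter to be the mean absolute difference between consecutive packets' one-way delays, which is one common definition of delay variation.

```python
"""Metric extraction from an NS2-style wired trace.

Added example (not the thesis's own scripts). Field order follows the NS2
wired trace format:
  event time from_node to_node pkt_type size flags fid src_addr dst_addr seq uid
Events: '+' enqueue, '-' dequeue, 'r' receive, 'd' drop.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed, abbreviated trace (not real simulator output): node 0 is
# assumed to be Madras, node 2 Delhi, node 1 an intermediate router.
# Only the events needed for the metrics are shown for packets 1-4.
TRACE = """\
+ 0.000 0 1 tcp 1000 ------- 1 0.0 2.0 0 0
r 0.008 0 1 tcp 1000 ------- 1 0.0 2.0 0 0
+ 0.008 1 2 tcp 1000 ------- 1 0.0 2.0 0 0
+ 0.010 0 1 tcp 1000 ------- 1 0.0 2.0 1 1
r 0.020 1 2 tcp 1000 ------- 1 0.0 2.0 0 0
+ 0.020 0 1 tcp 1000 ------- 1 0.0 2.0 2 2
d 0.025 1 2 tcp 1000 ------- 1 0.0 2.0 2 2
+ 0.030 0 1 tcp 1000 ------- 1 0.0 2.0 3 3
r 0.035 1 2 tcp 1000 ------- 1 0.0 2.0 1 1
+ 0.040 0 1 tcp 1000 ------- 1 0.0 2.0 4 4
r 0.052 1 2 tcp 1000 ------- 1 0.0 2.0 3 3
r 0.080 1 2 tcp 1000 ------- 1 0.0 2.0 4 4
"""

SRC_NODE = "0"  # assumed Madras
DST_NODE = "2"  # assumed Delhi


@dataclass
class Metrics:
    sent: int
    received: int
    dropped: int
    avg_delay_ms: float
    throughput_kbps: float
    jitter_ms: float


def parse_trace(text: str) -> List[dict]:
    """Split trace lines into the fields the metrics need; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12:
            continue
        rows.append({"event": f[0], "time": float(f[1]), "from": f[2],
                     "to": f[3], "size": int(f[5]), "uid": f[11]})
    return rows


def compute_metrics(rows: List[dict], src: str = SRC_NODE,
                    dst: str = DST_NODE) -> Metrics:
    send_time: Dict[str, float] = {}  # uid -> first enqueue at the source
    recv_time: Dict[str, float] = {}  # uid -> receive time at the destination
    recv_bytes = 0
    dropped = 0
    for r in rows:
        if r["event"] == "+" and r["from"] == src:
            send_time.setdefault(r["uid"], r["time"])
        elif r["event"] == "r" and r["to"] == dst:
            recv_time[r["uid"]] = r["time"]
            recv_bytes += r["size"]
        elif r["event"] == "d":
            dropped += 1

    # One-way delay per delivered packet, in send order.
    delivered = sorted((u for u in recv_time if u in send_time),
                       key=lambda u: send_time[u])
    delays = [recv_time[u] - send_time[u] for u in delivered]
    if not delays:
        return Metrics(len(send_time), 0, dropped, 0.0, 0.0, 0.0)

    avg_delay = sum(delays) / len(delays)
    # Throughput over the interval from first send to last receive.
    span = max(recv_time.values()) - min(send_time.values())
    throughput = (recv_bytes * 8 / span) / 1000 if span > 0 else 0.0
    # Jitter: mean absolute difference between consecutive one-way delays
    # (assumed definition of delay variation).
    steps = [abs(b - a) for a, b in zip(delays, delays[1:])]
    jitter = sum(steps) / len(steps) if steps else 0.0

    return Metrics(len(send_time), len(delays), dropped,
                   avg_delay * 1000, throughput, jitter * 1000)


def metrics_for_trace(text: str = TRACE) -> Metrics:
    return compute_metrics(parse_trace(text))


if __name__ == "__main__":
    m = metrics_for_trace()
    print(f"sent={m.sent} received={m.received} dropped={m.dropped}")
    print(f"avg delay {m.avg_delay_ms:.3f} ms, throughput {m.throughput_kbps:.1f} kbps, "
          f"jitter {m.jitter_ms:.3f} ms")
```

Running the same script over one trace per encryption algorithm is what produces a comparison of the kind summarised in Table 3.2; the send time is taken from the first enqueue at the source so that application-layer encryption cost, which precedes enqueueing, is not counted as network delay.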


Figure 3.14 Average Jitter

Table 3.2 Comparison of Symmetric Encryption Algorithms Results

Algorithm   Average Delay (ms)   Average Received Packets (kbps)   Average Throughput (kbps)

NONE        58.4141              2259                              915.767

DES         20.6135               441                              195.211

3DES        17.2948               405                              166.313

AES         20.7513               450                              185.381

BLOWFISH    26.6894              1242                              517.095

RC2         16.5053               387                              158.952

RC6         23.2725               608                              245.67


For evaluating the network parameters, the network throughput, link utilization, average network delay and packet loss rate are needed. The average delay of a TCP network, in terms of network performance, was simulated under four strategies, viz. the Random Early Detection (RED) based strategy, Adaptive RED, BLUE-RED and Stabilized RED, and these were compared analytically in terms of their effect on network delay.

From the above experiment, it is observed that the throughput in the case of the Blowfish based scheme is good. The average delay and average received packets were found to be 26.6894 msec and 1242 kbps respectively in the case of Blowfish, and the average throughput was observed to be 517.095 kbps. Similarly, in the case of RC6, the average delay is found to be 23.2725 msec. Even though all the transmitted packets were eventually received successfully, the throughput and delay were much affected by the retransmission of packets after packet loss or drop; this retransmission has a direct impact on throughput. The total delivery of packets over time depended very much on the type of cryptographic algorithm used. The faster algorithm provided better throughput but caused a small delay in packet delivery. The reason for this delay may be the queuing delay at the intermediate nodes.

3.7 CONCLUSION

Security is a very important issue in grid network design. Apart from authentication and authorization, the use of a symmetric encryption algorithm for grid data security also has a significant impact on the design and performance of grid networks. A model of the grid security infrastructure has been implemented in the network simulator NS2, and the impact of the use of encryption algorithms on network performance has been measured. We have simulated a simplified model of the GARUDA grid network in NS2 together with some of the basic traffic types of a grid network (as proposed in EC-GIN). As shown in the graphs in the previous section, the use of cryptography at the application layer has an obvious impact on network performance. Depending on the cryptographic algorithm, the delay in packet delivery is proportional with respect to time. Owing to queuing delay at the intermediate nodes, the faster algorithm provides better throughput with a small delay in packet delivery.
