Authentication Layer

Transcription

1 Authentication Layer In order to provide the authenticated perfect links abstraction an auxiliary authentication layer can be used on the top of a perfect point to point layer. The authentication layer is implemented by the SignatureLayer/SignatureSession classes. Each process must provide in the layer configuration properties a security alias that identifies the process certificate, a private key to sign outgoing messages, and a list of trusted certificates to verify incoming messages. Outgoing Messages Messages going down the stack have the security alias attached to it and are signed using the provided private key, as shown in Listing 1. The signature is encoded as a base64 string and attached to the message. Current implementation uses the SHA1withRSA algorithm to generate the signature. private void attachsignatureandgo(event e, Message message) message.pushstring(myalias); String signature = enc.encode(signdata(message.tobytearray(), privkey)); message.pushstring(signature); e.go(); catch(exception ex) System.err.println("Error on signing outgoing message."); ex.printstacktrace(); Incoming Messages Listing 1 - SignatureSession handling outgoing message Listing 2 shows the snippet where the incoming messages are handled. In order to accept incoming messages the authentication layer pops the sending process alias and the signature from the message, and tries to verify it with the certificate associated with the other process alias. Additionally, the push_signature flag in the SignatureLayer may be set to true if the upper layer wants the signature to remain attached to the message. private void verifysignatureandgo(event e, Message message) String signature = message.popstring(); String useralias = message.popstring();

2 try if(verifysignature(message, useralias, signature, trustedstore)) if(pushsignature) message.pushstring(signature); e.go(); catch(exception ex) System.err.println("Error on verifying signature of ingoing message."); Listing 2 - SignatureSession handling incoming message The auxiliary static method verifysignature, presented in Listing 3, checks if a signature is valid for a given message. Three situations may occur: The message is accepted if the signature is verified for the sending process. The message is rejected if the signature cannot be verified for the sending process. The message is rejected if the sending process is not a trusted entity. public static boolean verifysignature(message message, String useralias, String signature, KeyStore trustedstore) throws Exception boolean verified = false; BASE64Decoder dec = new BASE64Decoder(); if(trustedstore.containsalias(useralias)) Certificate usercert = trustedstore.getcertificate(useralias); message.pushstring(useralias); if(verifysig(message.tobytearray(), usercert.getpublickey(), dec.decodebuffer(signature))) verified = true; else System.err.println("Failure on verifying signature of user " + useralias + "."); message.popstring(); else System.err.println("Message from untrusted user: " + useralias); return verified; Listing 3 - auxiliary verifysignature method

3 Byzantine Consistent Broadcast The communication stack used to implement the Byzantine Consistent Broadcast is the following: Application Byzantine Consistent Broadcast (Implemented by EchoBroadcastSession) Authentication Layer (implemented by SignatureSession) Perfect Point to Point Links (Implented by TcpComplete) The stack provided by EchoBroadcastSession and SignatureSession together implement the Signed Echo Broadcast protocol (algorithm 3.17) specified in the book. The SignatureSession layer signs packets going down the stack and verifies packets going back up the stack from below. Furthermore, it exposes a static method to verify signatures which can be used by the EchoBroadcastSession in the final step of the algorithm. In accordance with the algorithm specified in 3.17, an instance of this implementation can be used for one broadcast only. We add a public reset() method to the EchoBroadcastSession which can be invoked before using the same instance for another broadcast, if required. Our implementation is shown in listings 4 to 7. Listing 4 shows the handling of a echo broadcast event. Our implementation uses a sequence number for each broadcast for safety in addition to the protocol specified in the algorithm itself. protected void echobroadcast(echobroadcastevent echoevent) int nextsequencenumber = ++sequencenumber; ); replyqueue.put(nextsequencenumber, new ArrayList<EchoBroadcastEvent>() echoevent.setchannel(channel); echoevent.setdir(direction.down); echoevent.setsourcesession(this); echoevent.setecho(false); echoevent.setfinal(false); echoevent.setsequencenumber(nextsequencenumber);

4 // This pushes all the required values to the message stack. echoevent.pushvaluestomessage(); /* * Algorithm: * * upon event < bcb, Broadcast m > do * for all processes do * trigger < al, Send q, [Send m]>; */ echoevent.dest = new AppiaMulticast (null, processes.getallsockets()); echoevent.init(); echoevent.go(); catch (AppiaEventException eventerror) eventerror.printstacktrace(); Listing 4 - Echo Broadcast The method that respond to echo messages is presented in Listing 5. protected void sendechoreply(echobroadcastevent echoevent) if (alreadyreplied(echoevent)) return; sentecho = true; EchoBroadcastEvent reply = new EchoBroadcastEvent(); // Need to sign the below. This is done by the signature // layer below us. reply.setecho(true); reply.setsequencenumber(echoevent.getsequencenumber()); reply.dest = echoevent.source; reply.setsourcesession(this); reply.setchannel(channel); reply.setdir(direction.down); reply.settext(echoevent.gettext()); reply.pushvaluestomessage();

5 // try sending reply to source reply.init(); reply.go(); // if successful, mark as sent echo replybuffer.add(echoevent); catch (AppiaEventException appiaerror) appiaerror.printstacktrace(); Listing 5 - Echo Reply Listing 6 shows the collect of responses from the cohorts. Collected echo responses are indexed by the sequence number. protected void collectechoreply(echobroadcastevent echoevent, String signature) SocketAddress sa = (SocketAddress) echoevent.source; sigmas[processes.getrank(sa)] = signature; // Add to reply queue. replyqueue.get(echoevent.getsequencenumber()).add(echoevent); // From algo: When #echos > (N + F)/2, and the echos are verified, then continue // Note: The verification is done by the signature layer below. Msgs who's verification has // failed won't make it till here. if (replyqueue.get(echoevent.getsequencenumber()).size() > Math.floor((N + F)/2.0) && sentfinal == false) boolean done = false; List<String> alreadycovered = new ArrayList<String> (); /* See if we have more than (N + F)/2 occurrences for the same message. */ for (EchoBroadcastEvent ebe1 : replyqueue.get (echoevent.getsequencenumber())) int num = 0; if (alreadycovered.contains(ebe1.gettext())) continue; else

6 alreadycovered.add(ebe1.gettext()); // Verify if we have > (N + F)/2 identical msgs. for (EchoBroadcastEvent ebe2 : replyqueue.get (echoevent.getsequencenumber())) if (ebe1.gettext().equals(ebe2.gettext())) num++; if (num > Math.floor((N + F)/2.0)) done = true; break; if (done == true) sendfinal(echoevent); break; Listing 6 - Collecting echo replies Finally, in Listing 7 the echo broadcast is delivered if the signatures are valid for n+f/2 processes. private void deliverfinal(echobroadcastevent echoevent) String sigma; int verified = 0; // Unpack signatures. for (int i = processes.getallprocesses().length-1; i >= 0; i--) sigmas[i] = echoevent.getmessage().popstring(); // Verify all the signatures and maintain a count of them. Message echomessage = getechomessage(echoevent); for (int i = 0; i < processes.getallprocesses().length; i++) sigma = sigmas[i]; if (!sigma.equals(bottom)) if(signaturesession.verifysignature(echomessage, EBConstants.PROCESS_ALIAS_PREFIX + i, sigma, trustedstore)) verified++;

7 catch (Exception e) e.printstacktrace(); // If we have at least (N + F)/2 verified messages of content 'm', then deliver m. if (delivered == false && verified > Math.floor((N+F)/2.0)) delivered = true; echoevent.go(); catch (AppiaEventException e) e.printstacktrace(); Listing 7 - Delivering broadcast Try it: To test the effectiveness of the algorithm a Byzantine node implementation is provided. Thus, you can start processes that behaves correctly and processes that models a specific byzantine behaviour. There are three byzantine behaviours provided in the sample code. Note: EchoBroadcastSession assumes that the certificate of each process is stored in the trusted certificates file with the alias: user<process_rank>. Moreover, certificates and private key stores are assumed to use the password for testing purposes. Test-1: The byzantine node is one of the nodes that receive a broadcast from the original sender. It then responds with a corrupted message and signature in the ECHO step. Test-2: The byzantine node is the initiator of the broadcast. It attempts to modify the reply sent by one of the other nodes and replies with modified messages to the third node, who detects the tampering. Test-3: The byzantine node sends different messages to each cohort in the first step. This is ultimately detected during the FINAL phase by the cohorts. To run any of these tests you need to start at least four processes, of which one may execute the byzantine behaviour. Try running the following scenario: 1. Launch three shells.

8 2. In each shell, go to the directory where you ve placed the supplied code. 3. In each shell launch the test application giving a different value (0, 1 or 2), and providing the list of certificates for the processes. A sample set of certificates are provided in the etc/folder. In shell 0, execute:./run.sh -f etc/processes.conf -n 0 -qos bcb etc/user0.jks etc/usercerts.jks In shell 1, execute:./run.sh -f etc/processes.conf -n 1 -qos bcb etc/user1.jks etc/usercerts.jks In shell 2, execute:./run.sh -f etc/processes.conf -n 2 -qos bcb etc/user2.jks etc/usercerts.jks In shell 3, execute:./run.sh -f etc/processes.conf -n 3 -qos bcb etc/user3.jks etc/usercerts.jks 4. Type anything into the terminal from any of the nodes, you ll notice that the delivery happens correctly. Now we ll test with some byzantine behaviour. 5. In three of the shells, restart the processes with the command above. In the fourth shell, instead of starting a correct process, start a byzantine process with:./run.sh -f etc/processes.conf -n 3 -qos byzantine_bcb etc/ user3.jks etc/usercerts.jks test1 6. This should also work, although processes 0-2 will note that the signature is not verified for process Now try removing one correct process from the scenario and notice that it will not work as intended since a majority cannot be reached (3f + 1 nodes are required). 8. In the next run, repeat the procedure in step 5, but use test2 as an argument. 9. Sending out a message from shell 4 (byzantine node) fails to deliver. This is because the algorithm protects against the delivering of messages that fails the signature verification. 10. In the next run, repeat the procedure in step 5, but use test3 as an argument. 11. Sending out a message from shell 4 (byzantine node) fails to deliver. This is because the algorithm protects against the delivering of messages that do not have a byzantine quorum among the nodes.

9 Byzantine Consistent Channel The communication stack used to implement the Byzantine Consistent Channel is the following: Application Byzantine Consistent Channel (Implemented by ByzantineConsistentChannelSession) Byzantine Consistent Broadcast - multiple instances (Implemented by EchoBroadcastSession) Authentication Layer (implemented by SignatureSession) Perfect Point to Point Links (Implemented by TcpComplete) As per the algorithm, the ByzantineConsistentChannel session instantiates as many instances of Byzantine Consistent Broadcast as there are processes in the system. At the end of each broadcast, a reset() method of the ByzantineConsistentBroadcast session is invoked to represent the re-instantiation of such an instance, as specified in the algorithm. The delivery of a label (in this case, a sequence number), is done by appending a label: tag at the end of the text member of the EchoBroadcastEvent. This is delivered to the ApplicationSession and displayed on the terminal output. Listing 8 shows the sending of the broadcast using a Byzantine Consistent Broadcast. To protect against a message being dropped when the channel is in the not ready state, we enter a busy loop with a small pause in between. The loop only breaks when the message can be sent. public void echobroadcast(echobroadcastevent echoevent) while(true) if (ready == true) ready = false;

10 /* * Set appropriate child channel before transmitting */ echoevent.setchannel(childchannels[processes.getselfrank()]); bcbs[processes.getselfrank()].reset (); echoevent.init (); echoevent.go (); catch (AppiaEventException e) e.printstacktrace(); break; /* * If the session is already in the middle of a broadcast (ready == false) * then wait a little before re-trying to transmit. */ Thread.sleep(500); catch (InterruptedException e) e.printstacktrace(); Listing 8 - Sending echo broadcast Listing 9 shows the final phase of the channel wherein the sequence number for the broadcast instance corresponding to the source of the message is incremented. The label has been implemented as a label:<num> tag appended to the text field of the EchoBroadcastEvent instance. This is displayed in the application shell. Since this field is locally incremented by each node, it maintains the no duplication property of the channel. private void pp2pdeliver(echobroadcastevent echoevent) /* * Re-initialise another instance for the pth bcb instance, * where p is the process ID of the process that initiated * this broadcast. */ SocketAddress sa = (SocketAddress) echoevent.source; sequencenumbers[processes.getrank(sa)]++;

11 bcbs[processes.getrank(sa)].reset(); /* * If we initiated the broadcast, and its done, we're now ready again. */ if (processes.getrank(sa) == processes.getselfprocess().getprocessnumber()) ready = true; echoevent.settext(echoevent.gettext() + " label:"+ (sequencenumbers[processes.getrank(sa)] - 1)); echoevent.go (); catch (AppiaEventException e) e.printstacktrace(); Listing 9 - Creating Broadcast channel Try it: All the same tests from the previous example can be run to verify correct working of the system. Furthermore, the non duplication property is achieved by means of sequence numbers. Note: Similarly ByzantineConsistentChannel assumes that the certificate of each process is stored in the trusted certificates file with the alias: user<process_rank>. Moreover, certificates and private key stores are assumed to use the password for testing purposes. To experiment with these details, try running the following scenarios: 1. Launch four shells. 2. In each directory, go to the place where you ve placed the supplied code. 3. Run using similar commands as above but using a different QoS:./run.sh -f etc/processes.conf -n 0 -qos bcc etc/user0.jks etc/ usercerts.jks 4. If you want to run the tests, start a byzantine node using:./run.sh -f etc/processes -n 3 -qos byzantine_bcc etc/user3.jks

12 etc/usercerts.jks test<1-3>