Policywww.javlibrary.com

JournalofInternetServicesandApplicationsFlorianoetal.
JournalofInternetServicesandApplications(2017)8:19DOI10.
1186/s13174-017-0070-3RESEARCHOpenAccessProvidingprivacyonthetuplespacemodelEdsonFloriano1,EduardoAlchieri1*,DiegoF.
Aranha2andPriscilaSolis1AbstractConceptually,tuplespacesaresharedmemoryobjectsthatprovideoperationstostoreandretrieveorderedsetsofdata,calledtuples.
Tuplesstoredinatuplespaceareaccessedbythecontentsoftheirfields,workingasanassociativememory.
Althoughtherearesomeproposalsforsecuretuplespaces,accessingtuplesthroughfieldcontentsmakesthesesystemssusceptibletoattacksthatcouldimpairuseranddataprivacy,sinceserversmustaccesstupledata.
Inordertodealwiththeselimitationsandprovideprivacyinthetuplespacemodel,thispaperproposessomeextensionstoDEPSPACE,atuplespacesystemthatimplementsdependabilityandsecuritypropertiesthroughasetofmechanismsthatarenotenoughtoensureprivacy.
Theresultingsystemprovidesprivacyand,atthesametime,allowstupleselection/matchessimilartothetraditionalinsecuremodel,i.
e.
,itdoesnotconstraintthematchingpossibilities.
Themainproblemtobeaddressedisthatserversmustselecttuplesbasedontheircontentswithoutknowingthem.
Theproposedsolutionusesrobustcryptographicschemes,asorder-preservingencryptionandhomomorphicencryption,toprovidethisfunctionalitywithoutrevealingthetuplecontents.
AnanalysisconcerningsecurityaspectsofDEPSPACEispresented,aswellasthebenefitsoftheproposedsolutions.
Asetofexperiments,executedwithanimplementationoftheproposedprotocols,showsthefeasibilityoftheproposedsolutionsandshedsomelightonboththebehaviorofthesystemandthecoststoprovideprivacyinthetuplespacesmodel.
Keywords:Tuplespace,Privacy,Searchableencryption,Homomorphicencryption1IntroductionThedistributedcomputingcommunityhasgivenalotofattentiontothesecurityissuesonthedesignanddevel-opmentofdistributedapplications.
Asystemissecureifitsatisfiestheconfidentiality,availabilityandintegrityproperties[1].
Furthermore,onecanintuitivelyunder-standprivacy,undertheperspectiveofsomeentity,astheconfidentialityofitssensitiveinformation(dataandmeta-data)[2].
Thisentitymaybeaperson,anorganization,anation,etc.
Therefore,privacyiscloselyconnectedtotheconfidentialityofinformation.
Currently,therearemanyfactorsthatincreasetheriskrelatedtothesecurityofapplications[2]:(i)theworldisbecomingahugeinfrastructure,interconnectedandinter-dependent;(ii)therearemassiveamountsofcorrelateddataavailable;(iii)theentitiesareexposingthemselves*Correspondence:alchieri@unb.
br1DepartmentofComputerScience,UniversityofBrasilia,UnB,Brasília,DF,BrazilFulllistofauthorinformationisavailableattheendofthearticlemuchmore;and(iv)thenumberofsoftwarevulnerabili-tiesisincreasing.
Infaceofthisscenario,manysystemsaimtopro-videinformationconfidentialitybyprotectingonlythesecretdataitself,withoutanycareofthecorrelatednon-confidentialdata.
However,statisticalinferenceattacks[3]oftenareabletorecoversecretinformationfromtheanalysesandcorrelationofpublicavailabledata.
Con-sequently,itbecomesinteresting,ifnotmandatory,todevelopsolutionsandprovidemeanstoprotectallinfor-mationhandledbysecureapplications.
Theseaspectsareparticularlyrelevantwhenwecon-siderdatasharedthroughatuplespace[4,5],sinceinthismodeltheaccessesaredonebythetuplecontents,work-ingasanassociativememory.
Asexamplesofdistributedsystemsthatcouldbenefitfromasecuretuplespace,itispossibletomentioneitherhigh-levelapplicationssuchassecurebiddings[6],andapplicationsthatneedadis-tributedsharedmemory[6,7]orsynchronizationbuildingblocksassharedcountersanddistributedlists[8].
TheAuthor(s).
2017OpenAccessThisarticleisdistributedunderthetermsoftheCreativeCommonsAttribution4.
0InternationalLicense(http://creativecommons.
org/licenses/by/4.
0/),whichpermitsunrestricteduse,distribution,andreproductioninanymedium,providedyougiveappropriatecredittotheoriginalauthor(s)andthesource,providealinktotheCreativeCommonslicense,andindicateifchangesweremade.
Florianoetal.
JournalofInternetServicesandApplications(2017)8:19Page2of16Althoughtherearesomeproposalstosecuretuplespaces[5,8–11],thefactthatthetuplesareaccessedbytheircontentsmakesthesesystemssusceptibletoattacksthatcouldimpairtheprivacyofthedataand,conse-quently,oftheirusers.
Themainproblemtobeaddressedinordertoprovideprivacyinthismodelisthatserversmustselecttuplesbasedontheircontentswithoutknow-ingthem.
Amongtheexistentproposals,DEPSPACE[5]isthesys-temthatprovidesthehighersecuritylevel,employingbothaccesscontrolandcryptographicmechanisms.
Thissystemsuggeststheclassificationofthetuplefieldsasfol-lows:public–thedataispublicandallparties/processescanaccessit;comparable–ahashofthefieldcontentisavailable,consequently,iftherangeofvaluesthatafieldcantakeisknownandlimited,thenapreimageattackcandiscloseitscontents;andprivate–noinformationisavailable.
Giventhisclassification,atleastonefieldofeachtupleneedstobepublicorcomparabletoallowtupleaccesses,i.
e.
,toallowserverstoexecutematchesamongtuplesandtemplates(Section2).
Thisapproach,althoughadequatesinceitprovidessomelevelofconfi-dentiality,bringsabigchallengetothedevelopmentofapplications:ifalotofpublicand/orcomparablefieldsareused,thenthesystembecomesvulnerabletocorrela-tion,preimageandcollisionattacks;otherwise,asserversarenotabletoexecutesearches/matchesinprivatefields,thetuplesearches/matchespossibilitiesaresignificantlyreduced,limitingitsuseinthedevelopmentofdistributedapplications.
Inordertocircumventtheseproblems,thispaperpro-posesextensionstotheDEPSPACEfieldclassificationtopreventthattheprivacyofdataandusersarebreachedbyattackers.
Throughtheuseofrobustandmoderncryp-tographicmechanisms,theproposedextensionspreservethesecuritypropertiesand,atthesametime,allowsmoreflexibilityintheexecutionoftuplessearches/matches.
Moreover,thispaperpresentsananalysisaboutthesecu-rityprovidedbyDEPSPACE,aswellasabouttheresultingsystemaftertheinclusionoftheproposedsolutions.
Insummary,thispapermakesthefollowingcontributions:ItincreasesthesecurityprovidedbyDEPSPACE,mainlyprivacy,byproposingnewfieldclassificationthatusesrobustcryptographicschemesand,consequently,reduces(andeveneliminates)theneedforpublicorcomparablefields.
Additionally,theproposednewfieldsbringmoreflexibilityintheexecutionoftuplessearches/matchessincetheyusesearchableencryptionschemes.
ItpresentsananalysisofthesecurityprovidedbyDEPSPACEpriorandaftertheinclusionoftheproposedsolutions.
Itanalyzes,throughasetofexperiments,theimpactonthesystemperformancecausedbythesuggestedextensions.
Itdiscussessomerelevantaspectsaroundsuchextensions,likeotherimplementationpossibilitiesandcurrentlimitations.
Theremainderofthispaperisorganizedasfollows.
Section2detailstheconceptoftuplespaceandintroducesDEPSPACE,analyzingthesecuritypropertiesprovidedbythissystem.
Section3discussesrobustcryptographicschemesthatareusedintheproposedextensions,whicharepresentedatSection4.
Section5discussestheinte-grationoftheproposedsolutionswithinDEPSPACE.
AnexperimentalevaluationabouttheproposedsolutionsispresentedatSection6.
Section7bringssomeimpor-tantdiscussionsabouttheproposedsolutions.
TherelatedworksarediscussedatSection8.
Finally,conclusionsandfutureworkaregiveninSection9.
2TuplespaceConceptually,atuplespacecanbeseenasasharedmem-oryobjectthatprovidesoperationstostoreandtoretrieveordereddatasets,calledtuples.
Processesinadistributedsystemcantheninteractthroughthissharedmemoryabstraction.
Atupleisanorderedsequenceoffields,whereafieldthatcontainsavalueissaidtobedefined.
Atupletwhereallthefieldsaredefinediscalledentry(ortuple).
Atupletiscalledtemplateifanyofitsfieldsdoesnothaveadefinedvalue.
Atupletandatemplatetcom-bine(ormatch)if,andonlyif,bothhasthesamenumbersoffieldsandallthevaluesandtypesofthedefinedfieldsintareidenticaltothevaluesandtypesofthecorrespondingfieldsint.
Forexample,atupleJISA,2017,SBCcom-bines/matcheswiththetemplateJISA,denotesaundefinedfield,calledwildcard).
Processcoordinationthroughtuplespaces,introducedbytheprogramminglanguageLINDAforparallelsystems[4],supportsdecoupledcommunicationsinspace(pro-cessesdonotneedtoknoweachotherlocations)andintime(processesdonotneedtobeactiveatthesametime).
Besidesthat,thismodelofcoordinationprovidessomesynchronizationpower.
Manipulationsperformedintuplespacesconsistininvocationsofthreebasicoperations[4]:out(t)thatstoresthetupletinthespace;in(t),thatremovesfromthespaceatuplethatmatchesthetemplatet;rd(t),usedtoreadfromthespaceatuplethatmatchesthetemplatet,with-outremovingit.
Operationsinandrdareblocking,i.
e.
,ifthereisnotuplethatmatchesthetemplateinthespace,theprocessgetsblockeduntiloneisavailable.
Acommonextensiontothismodelistheinclusionofnon-blockingvariantsoftheseoperations,denominatedinpnandrdp.
Theseoperationsworkexactlylikethepreviously,exceptFlorianoetal.
JournalofInternetServicesandApplications(2017)8:19Page3of16bythefactthattheyreturnevenifthereisnotatuplethatmatchesthetemplate(indicatingitsnonexistence).
Anotheroperationimplementedinsometuplespaces(e.
g.
,DEPSPACE[5])isthecas(t)t(conditionalatomicswap)[12,13].
Thisoperationworkslikeanatomicexe-cutionofthecode:ifrdp(t)thenout(t)(tisatemplateandtanentry/tuple).
Theoperationinsertstinthespaceiffrdp(t)doesnotreturnanytuple,i.
e.
,ifthereisnotupleinthespacethatmatchest;otherwiseitreturnsatuplethatmatchest.
Noticethataccordingtothepreviousdefinitions,tuplespacesworkasanassociativememory:tuples/dataareaccessedbytheircontents,notbytheiraddresses.
Figure1illustratestheout(t),rdp(t)andinp(t)operations,show-ingtheoperationsentbytheclient,theserversrepliesandthefinalstateofthetuplespace.
2.
1DEPSPACE:ABFTcoordinationsystemTheDEPSPACE[5]systemprovidesaByzantineFault-Tolerant(BFT)[14]coordinationservicebasedonthetuplespacemodel.
Thefollowingsecurityanddependabil-ityattributes(orproperties)arenecessaryforthismodel[1]:(1)reliability–theoperationsexecutedinthetuplespacechangeitsstateaccordingtotheirspecification;(2)availability–thetuplespaceisalwaysreadytoexecutetheoperationsrequiredbyauthorizedparties;(3)integrity–noimproperalterationofthetuplespacecanoccur;(4)confidentiality–thecontentoftuplefieldscannotbedis-closedtounauthorizedparties.
Withthegoalofensuretheseproperties,DEPSPACEisbuiltoverasetoflay-ers,eachoneresponsiblefortheexecutionofadifferentfunctionality.
2.
1.
1DEPSPACElayersThissectionintroducestheDEPSPACElayersemphasiz-ingtheconfidentialitylayer,whichisresponsiblefortheaspectsrelatedtothiswork.
Figure2showsthelayersandtheirlocationinthestackatbothclientsandservers.
Replication.
Tomaintainconsistencyinthetuplespace,DEPSPACEutilizesStateMachineReplication[15,16]asthebottomlayer.
Thismechanismisrelatedmainlywiththepropertiesofavailability,integrityandconfidentiality.
Consideringasystemwithnreplicas/servers,itensuresthatoperationsareexecutedaccordingtotheirspecifica-tionevenifuptof=(n1)/3replicasaremalicious(thecorrectreplicasmaskthebehaviorofthemaliciousones).
Throughtheseprotocols,thecorrectreplicasexecutethesamesequenceofoperationsandreturnsthesamevalues,evolvinginasynchronizedway.
Confidentiality.
Sincetuplesaremaintainedreplicatedinasetofservers,theprovisionofconfidentiality(andpri-vacy)mustnotbeattributedtoasingleserverbecauseuptofofthemcouldfailandexposethetuplecontentstounauthorizedparties.
Consequently,DEPSPACEimplementsconfidentialitythroughtheuseofa(n,f+1)-PubliclyVerifiableSecretSharing(PVSS)[15]scheme.
Theclients,whichrepresentthedealersinthescheme,generateasecretthattheyusetoencryptthetuples.
Later,theygenerateasetofnsharesofthissecretandonedifferentshareissenttoeachserver.
Thesecretcanberecoveredonlywithacombinationoff+1shares,whatmakesitimpossibleforacollusionofuptofmaliciousserverstoexposethetuplecontents.
Asserverscannotaccessthetuplecontents(sincetheyareencryptedbytheclient),theprotocolemploysafinger-printforthetuple,makingitpossibletoimplementandcomputethematchesbetweentuplesandtemplatesattheservers.
Thefingerprintiscomputedaccordingtothetypeofeachtuplefields,whichcanbeclassifiedasfollows:Public(PU):thefieldcontentitselfisusedasitsfingerprint,i.
e,nocryptographicmethodisappliedtothefieldcontentanditremainsexposed.
Comparable(CO):ahashofthefieldcontentisusedasitsfingerprint(usingacollisionresistanthashfunction),allowingserverstoexecuteabcFig.
1Tuplespacebasicoperations.
aout(t):serversreceiveatupletfromtheclient,storetinthetuplespaceandreturn"ok".
brdp(t):serversreceiveatemplatet,findatupletthatmatchestandreturntkeepingitonthetuplespace.
Ifnotupleisfound,serversreturnnull.
cinp(t):serversreceiveatemplatet,findatupletthatmatchestandreturntremovingitfromthetuplespace.
Ifnotupleisfound,serversreturnnullFlorianoetal.
JournalofInternetServicesandApplications(2017)8:19Page4of16Fig.
2DEPSPACElayerssearches/matchesinthesetypeoffieldswhile,atthesametime,providingsomelevelofsecurity.
Private(PR):aspecialsymbol(PR)isusedasfingerprintofthesefields.
AlthoughitprovidesalevelofsecurityhigherthantheCOclassification,noinformationinthisfieldisavailableattheserverstoverifyifatuplematchesatemplate.
Onceitisnotpossibletosenddifferentversionsofarequestfordifferentserversinthestatemachinerepli-cationapproach(containingonlyitsshareofthesecretusedtoencryptthetuple),theclientencryptseachsharewithasecretkeysharedwiththeserverthatwillstoreit.
Consequently,eachserverwillaccessonlyitsshareand,asamaliciousserverdoesnothaveaccesstoallshares,itcannotrestoreandexposethetuplescontents.
Inanutshell,ainsertionoperation(out)worksasfollows:Theclientgeneratesasecretsandencryptsthetupleusingthissecret.
TheclientusesthePVSSschemetogeneratensharesofs.
Theclientencryptseachsharewithasecretkeysharedwitheachserver(oneshareperserver).
Theclientcomputesthefingerprintaccordingtothefieldsclassification.
Theclientusesthestatemachinereplicationprotocoltosendarequesttotheservers(inthisprotocolitmustwaitforf+1repliestofinishtherequestexecution).
Therequestcontainstheencryptedtuple,theencryptedshares,theproofthatthesesharesarevalidandthetuplefingerprint.
Whenaserverexecutesthisrequest,itonlystoresallreceiveddataandsendsanacknowledgetotheclientasareply.
Ontheotherhand,theprotocoltoread/removeatupleworksasfollows:Theclientcomputesthefingerprintforthetemplateaccordingtothefieldclassification.
Thefingerprintofaundefinedfieldisthewildcarditself.
Theclientusesthestatemachinereplicationprotocoltosendaread/removeoperationtotheserverscontainingthegeneratedfingerprint.
Whenaserverexecutesthisrequest,itchoosesatupledeterministicallysuchthatitsfingerprintmatchesthereceivedfingerprint(ifitisaremovaloperation,thistupleisremovedfromthespace).
Incaseitssharewasnotyetverified,itextractsitsshareandverifyifthisshareisvalidusingtheproofsreceivedduringtheoutoperation.
Afterward,theserverrepliestotheclientwiththeencryptedtuple,itsencryptedshare(toavoideavesdroppingonthereplies),thetuplefingerprintandproofsthattheshareisvalid.
Theclientwaitsforf+1replies,decryptstheshares,verifiestheirvalidityandcombinesthemtorecoverthesecrets.
Finally,theclientdecryptsthetupleusings.
Theclientverifiesifthefingerprintitusedisvalidfortherecoveredtuple.
Ifthefingerprintisvalid,theoperationisfinished.
Otherwise,arepairprocedureisexecutedtoremoveinvaliddatafromthespaceandtheoperationisrepeated.
Noticethat,accordingtothefingerprintdefinitions,searchesarepossibleonlyinpublicandcomparablefields,i.
e.
,privatefieldscannotbeusedtoverifyifatupleFlorianoetal.
JournalofInternetServicesandApplications(2017)8:19Page5of16matchesatemplateandarealwaysusedasundefinedfieldsonthetemplate.
Thislimitationbringsatleasttwoconsequences.
Ontheonehand,atuplewithmanyprivatefieldsmakesthesearchveryrestricted,losingtheflexibil-ityinthedevelopmentofapplicationsbecauseatemplatewithmanyundefinedfieldsdoesnotallowafine-grainedmatchattheservers.
Ontheotherhand,atuplewithmanypublicand/orcomparablefieldsissusceptibletomanyattacks,likecorrelationandpreimageattacks.
Policyenforcement.
Thislayerallowsafine-grainedaccesspolicyexecution[7]thattakesintoaccountthreeparameters(identifieroftheinvoker,operationandargu-ments,andthecurrenttuplesstoredinthespace)todecideifanoperationisapprovedordenied.
Thesepoli-ciesaredefinedbytheusersandareloadedattheserversduringthesystemsetup.
Accesscontrol.
Accesscontrolisafundamentalmech-anismtokeeptheintegrityandconfidentialityofinfor-mation(tuples)storedintheDEPSPACEsinceitpreventsunauthorizedclientsfromgettingaccesstothetuples.
Moreover,thismechanismpreventsmaliciousclientsfromsaturatingthetuplespacebysendingalotoftuples.
Currently,theDEPSPACEimplementstheaccesscon-trolbasedoncredentials:foreachtupleinsertedintheDEPSPACE,asetofcredentialsarenecessarytoaccessit,bothtoreadandtoremoveitfromthespace(accesscon-trolattuplelevel).
Thesecredentialsaredefinedbytheprocessthatinsertsthetuple.
Moreover,itispossibletodefinewhichcredentialsarenecessarytoinsertatupleintothespace(accesscontrolatspacelevel)duringitssetup.
Theimplementationofthisfunctionalityisrealizedthroughtheassociationofaccesscontrolliststoeachtupleandspace.
2.
1.
2SecurityanalysisBelowwebrieflysummarizesomesecuritydefinitions.
Accordingto[17],theattacksagainstthecryptographicschemesaimtoobtaintheplaintextorthedecryptionkeythroughthefollowingmethods:Ciphertext-onlyattack(COA):Inthiskindofattack,anadversarytriestoobtainthedecryptionkeyortheplaintextonlyhavingtheciphertextatitsdisposal.
Thisistheweakertypeofattackand,therefore,asystemvulnerabletothisattackisconsideredinsecure.
Known-plaintextattack(KPA):Inthisattack,theadversaryhasatitsdisposalasignificantamountofplaintextsandtheircorrespondingciphertexts.
Throughthecomparisonofplaintextsandtheircorrespondingciphertexts,theadversarytriestodiscoverthedecryptionkeyortodecryptanotherciphertext.
Chosen-plaintextattack(CPA):theadversarychoosesaplaintextandreceivesthecorrespondingciphertextforanalysis,whichmayallowhim/herodiscovertheplaintextcorrespondingtoanotherciphertext.
Adaptivechosen-plaintextattack(CPA2):ThisattackissimilartoCPA,howevertheattackercanchoosenewplaintextsdependingonthereceivedanswer.
Chosen-ciphertextattack(CCA)Inthiskindofattack,theadversarychoosesaciphertextandreceives(withoutaccesstothedecryptionkey)thecorrespondingplaintext.
Theadversaryusestheanalysisofthiscorrelationtodiscovertheplaintextcorrespondingtoanotherciphertext.
Adaptivechosen-ciphertextattack(CCA2):ThisattackissimilartotheCCA,howevertheattackercanchoosenewciphertextsdependingonthereceivedanswer.
Thisattackisconsideredverystrongandmuchhardertoimplement.
Theattacksabovearepresentedinorderofincreas-ingcomplexity.
Asystemvulnerabletoaweakattackwillbeclassifiedatalowersecuritylevel,evenifitresistsastrongerattack.
Althoughthesearethemainattacksconsideredintheliterature,manyotherattackscouldbepossibledependingonthesystemcharacteristics.
Forexample,in[3]theauthorsshowthatitispossibletoperforminferenceattacksbymeansofcorrelationoftheciphertextswithadditionalpublicinformation.
Inthiscase,ifthereisastrongcorrelationbetweentheencryptedandthepublicdata,theplaintextscouldberecoveredwithhighaccuracy.
Consideringencrypteddatabasesofhos-pitals,[3]presentedastudyinwhichmorethan60%ofthedatadeterministically(Section3.
1)encrypted(e.
g.
:sex,raceandmortalityrisk)couldbediscoveredin60%ofthehospitals,whilemorethan80%ofdataencryptedwithorderpreserving(Section3.
2)encryption(e.
g.
:ageanddiseaseseveritylevel)wererecoveredin95%ofthehospitals.
Asinpracticeitisimpossibletoachievetotalsecurityagainsttheseattacksforallthemathematicallypossi-bleadversaries,aweakersecuritydefinitionisnecessary,takingintoaccountonlythecomputationallypossibleadversaries.
Inthiscontext,asystemisdefinedinfor-mallyassemanticallysecureifitisabletoresist,withhighprobability,toattacksperformedbyanyadver-sarycomputationallyefficient[18].
Basedontheformaldefinitionsof[19],wedefineinformallythatforanyeffi-cientadversaryA,acipherE=(E,D)definedover(K,M,C)offers:Indistinguishabilityagainstchosen-plaintextattacks(IND-CPA):thecipheroffersIND-CPAifforallattemptsi=1,2,.
.
.
q,giventwomessagesFlorianoetal.
JournalofInternetServicesandApplications(2017)8:19Page6of16mi0,mi1∈Mofthesamesize,chosenbyAandsubmittedtoanoraclethatanswerswiththeciphertextci=E(k,mib)∈CforsomekeykselectedrandomlyinKandb∈{0,1},theprobabilitythatAcandistinguishbetweenci=E(k,mi0)orci=E(k,mi1)isnegligible.
Indistinguishabilityagainstchosen-ciphertextattacks(IND-CCA):thecipheroffersIND-CCAif,forthesameconditionsoftheIND-CPA,theadversaryAalsocangetaccesstoaoraclethatgivenaciphertextci/∈{c1,.
.
.
,ci1}answerswiththecorrespondingplaintextmi=D(k,ci)and,inthesameway,theprobabilitythatAcandistinguishbetweenci=E(k,mi0)orci=E(k,mi1)isnegligible.
Inthiscase,Acanmakeasmanyrequestsasitwantstothedecryptionoracle,howeveronlyuntilithasreceivedthechallengeciphertextfromtheencryptionoracle.
Indistinguishabilityagainstadaptivechosen-cipher-textattacks(IND-CCA2):thecipheroffersIND-CCA2if,besidestheconditionsestablishedtotheIND-CCA,theadversarycancontinueusingthedecryptionoracleevenafterithadreceivedthechallengecryptogram.
Theonlyrestrictionisthatitisnotallowedtosubmitthiscryptogramfordecryption.
Additionally,wehavethefollowingIND-CPArelax-ationsforbothdeterministic(Section3.
1)andorder-preserving(Section3.
2)ciphers,respectively:Indistinguishabilityagainstdistinctchosen-plaintextattacks(IND-DCPA):thecipherEoffersIND-DCPAifitisdeterministicandforallattemptsi=1,2,.
.
.
,q,giventwomessagesmi0,mi1∈MofthesamesizechosenbyA,distinctforeachattempt(i,j∈{1,2,.
.
.
,q},mi0=mj0andmi1=mj1),submittedtotheoraclethatanswerswiththeciphertextci=E(k,mib)∈CforsomekeykselectedrandomlyinKandb∈{0,1},theprobabilitythatAcandistinguishbetweenci=E(k,mi0)orci=E(k,mi1)isnegligible[19].
Indistinguishabilityagainstorderedchosen-plaintextattacks(IND-OCPA):thecipherEoffersIND-OCPAifitpreservestheorderbetweentheplaintextsandforallattemptsi=1,2,.
.
.
,q,giventwomessagesmi0,mi1∈Mofthesamesize,chosenbyAandsubmittedalwaysinthesameorder(i.
e.
,mi0Usingthesedefinitions,itispossibletohighlightsomevulnerabilitiesofDEPSPACE.
Themainfocusfortheinvestigationisthewaythefingerprintisgenerated.
Inthefollowingwediscussthevulnerabilitiesrelatedwithcomparableandpublicfieldsclassifications:Comparablefieldsallowtupleselection/matcheswithoutserversknowingthefieldcontents,buttheuseofhashfunctionsmakesthesystemvulnerabletocollisionandpreimageattacks.
Infact,anadversaryisabletogetadesiredamountofinputsandtheirrespectiveoutputsbycalculatingtheirhashes.
Consequently,ifthesetofvaluesthatacomparablefieldcouldassumeissmallandknown,thentheattackercancalculatethehashesforallpossiblevalues,learningthecorrespondencebetweenplaintextsandciphertexts.
Thisattackissimilartotheknown-plaintextattack,exceptforthefactthatinthiscasethereisnoencryptionanddecryptionfunctions.
Publicfieldsarenotsubjecttoadisclosureattacksincetheircontentsarealreadypublic.
However,thesefieldscouldprovideusefulinformationtoanattacker,whichcouldcorrelatetheencryptedtuplecontentswithapublicdatabaseandexecuteaninferenceattack.
Comparablefieldsalsocouldbeusedfortheseattackssincetheircontentscouldbeinferred.
3RobustcryptographicschemesInordertocircumventtheaforementionedlimitationsandvulnerabilities,thissectionintroducessomerobustcryptographicschemesthatallowsearchesandcompu-tationsoverencrypteddata.
TheseschemeswereusedtoimproveDEPSPACEsecurity.
Basedonitscharacter-istics,mainlythewayfingerprintswork,welookedforcryptographyschemesthatbestfitthissystem.
3.
1DeterministicandprobabilisticciphersAcipherE=(E,D)definedover(K,M,C)iscalledprob-abilisticif,forafixedkeyk∈Kandmessagesm∈MthatareusedasinputsoftheencryptfunctionE:K*M→C,theoutputc=E(k,m)mayassumedifferentvalues.
Otherwise,thecipherissaidtobedeterministic[18].
Naturally,aninherentcharacteristicofdeterministicciphersistheleakageofequalityoftextsencryptedunderthesamekey,thatis,m0=m1E(k,m0)=E(k,m1).
Thisfactcouldbeusedtoperformequalitysearchesoverencrypteddata[21,22].
Clearly,thiskindofcipherdoesnotachievesecurityagainsttheChosen-PlaintextAttack(CPA)sinceanadversarymaysubmitinthebeginningtwocopiesofthesamemessagem0totheoracleandreceivetwoidenticalciphertextsc0=E(k,m0).
Afterwards,theattackercouldsendthemessagesm0andm1totheoracle,receivingcb=E(k,mb),whereb∈{0,1}.
Now,itisenoughtocomparecb(b∈{0,1})withc0toknowifitisE(k,m0)orE(k,m1).
Florianoetal.
JournalofInternetServicesandApplications(2017)8:19Page7of16Probabilisticcipherscanresiststrongerattacks,achiev-ingtheIND-CCA2securitylevelwhencombinedwithauthenticationprimitives.
3.
2Order-preservingencryption-OPEAsymmetricorder-preservingcryptographyschemepre-servestheorderrelationamongtheencryptedvalues[20]:foralliandjandforallkeysk,E(k,i)Thiskindofcipherleakstheorderamongplaintextsthroughtheciphertexts,thereforenotachievingtheIND-CPAsecuritylevel.
Observingthatthissecuritylevelisnotachievablebyadeterministicalgorithmwithsuchprop-erty,evenconsideringaweaksecuritylevel(IND-OCPA),applyingpseudo-randomgeneratorsandfunctions(PRF'sandPRG's)wasproposed[20].
Thisapproachprovidesaflexible(butstrong)levelofsecuritycalledpseudorandomorder-preservingfunctionunderchosen-ciphertextattack(POPF-CCA).
However,thissecuritydefinitiondoesnotdeterminewhatkindofdatacouldleak,besidestheorder.
In[23],OrderRevealingEncryption(ORE)isproposed,acon-structionthatminimizestheamountofleakeddata.
Althoughthisapproachpresentsahigherlevelofsecu-rity,itisimpracticalsincetheinitialproposalpresentspoorperformance.
Tryingtocircumventthislimitation,apracticalOREalgorithm[24]wasproposed.
Thisalgo-rithmachievestheIND-OCPAsecuritylevelsinceitcouldleakonlythefirstbitthatdiffersinthecomparedvalues.
Finally,anOREalgorithmthatresistsinferenceattacks[25]wasproposedandpresentsagoodperformanceforencrypteddatabaseapplications[22].
3.
3HomomorphicencryptionHomomorphicencryption[26]allowscomputationsoverencrypteddatawithoutdecryptingthemandwithouttheknowledgeofthesecretkeys.
Givenanytwomessages,m1andm2,ahomomorphicencryptionfunctionEandakeyk,wehavethatE(k,m1)cE(k,m2)=E(k,m1mm2),wheremdenotesanarithmeticoperationonthemes-sagedomainandcdenotesanarithmeticoperationontheciphertextdomain.
Fullyhomomorphicsystemsgenerallypresentpoorper-formanceandarenotpracticalinthedevelopmentofapplications.
However,itispossibletoavoidtheper-formanceissuesoffullyhomomorphicschemeswhilepreservingsomeoftheirfunctionality,sincemanyappli-cationsneedonlysomekindofoperations,whatcanbedonebya"somewhat"homomorphicscheme[27].
Theseschemespresentabetterperformanceandarepractical.
Paillier[28]andexponentialElGamal[29]areexam-plesofefficient"somewhat"homomorphicciphers.
Theseschemesarealsoprobabilistic,achievingtheIND-CPAsecuritylevel.
4ProvidingprivacyonDEPSPACEThissectionpresentsourproposaltoincreasesecurityoftheDEPSPACEsystem.
Inanutshell,newtypesforfieldclassificationsareintroduced,whichusethepreviouslydiscussedrobustcryptographicschemestoprovidethesamefunctionalityastheoriginallyproposedDEPSPACE(orevenbringingmoreflexibilitytothedevelopmentofapplicationssincethesefieldsallowtheimplementationofpreviouslyimpossiblesecuresearches),however,withstrongersecurityproperties.
Beforepresentingthenewfieldclassifications,letusintroduceanotherveryimportantcharacteristicofDEPSPACE.
Thissystemusesa(n,f+1)-PVSSscheme[15]tosplitasecretkey,thatisusedtoencryptsometuple(Section2.
1),amongnservers,requiringf+1ofthemtorecoverthesecretkey.
Thisapproachworksfinesinceatmostfmaliciousserversaresupposedinthesystem.
However,toavoidsuchcompromise,thesekeysmustbeknownonlytotheclients,thatmustpreviouslyshareitutilizingapublic-keycryptographicalgorithmwithamechanismthatprovidespublickeyverificationandprotectionagainst"man-in-the-middle"attacks[30].
Independentgroupsofprocessesthatmustcommunicatethroughthespacecanhaveadifferentsharedkey.
ThisprotocolisorthogonaltothewayfingerprintsworkinDEPSPACE,whichisthefocusofthispaper.
4.
1ImprovingfingerprintsecurityTheanalysispresentedinSection2.
1.
2showedthatDEPSPACEissubjecttomanysimpleattacks.
Tocircum-ventthisproblem,weproposethereduction(andevenelimination)intheuseofpublicand/orcomparablefieldsandtheadoptionofthefollowingonestocreatethefingerprints:Comparabledeterministic(CD):thefieldcontentfisencryptedthroughadeterministicsymmetricencryptionalgorithmbyusingafunctionencryptCD(keyshared,f).
Theresultingciphertextisusedasfingerprintand,asthealgorithmisdeterministic,itallowsserverstoexecutesearches/matchesinthesefields.
Noticethesamekeyisusedtodecryptthesefields.
Operable(OP):thefieldcontentfisencryptedthroughahomomorphicor"somewhat"homomorphicasymmetricencryptionalgorithmbyusingafunctionencryptOP(keypublic,f).
Theresultingciphertextisusedasfingerprintandallowscomputationsattheservers.
Noticethatthisschemeisasymmetric:thepublickeyisusedforencryptionandcomputationsoverf;theprivatekeyisusedtodecrypttheresult.
Orderly(OR):thefieldcontentfisencryptedthroughanorder-preservingsymmetricencryptionFlorianoetal.
JournalofInternetServicesandApplications(2017)8:19Page8of16algorithm,asOPE,byusingafunctionencryptOR(keyshared,f).
Theresultingciphertextisusedasfingerprint,allowingtheexecutionofmatchesandtheorderingamongthesefields.
Noticethesamekeyisusedtodecryptthesefields.
Thefingerprintfunctionensuresthatifatupletmatchesatemplatet,thefingerprintthoftmatchesthefingerprintthoftifbotharegeneratedusingthesameprotectiontype(fieldclassification)foreachfield[5].
Thefingerprintth=h1,.
.
.
,hmofatuplet=f1,.
.
.
,fmisgeneratedaccordingtotheformulapresentedatFig.
3.
ThenewfieldclassificationbringsakeymanagementissuesinceitisnecessarytoshareasecretkeyforCDandORfieldsorakeypair(publicandprivate)forOPfields.
Thesekeysmustbesharedamongtheprocessesthatarecommunicatingthroughthetuplespace.
ForOPfields,thepublickeyalsoisavailabletotheserversallowingtheytoexecutecomputationsoverthesefields.
Fortunately,keymanagementisnotaprobleminourmodelsincethetuplespaceitselfcouldbeusedforthiscoordination(Section7.
3).
CDfields.
WestronglyrecommendthepreferenceofCDfieldsoverCO.
Byusingadeterministicsymmetriccipherinsteadofahashvalue,anattackerwouldneedtoaccessthesecretkeytoencryptafield,makingitimpossibletomountapreimageattack(Section2.
1.
2).
However,theCDclassificationmustbeemployedcarefullysincethiscipherrevealsifplaintextsareequal.
Consequently,ifthefieldcontentbelongstoasmalldomain,usingfewexternalinformationisenoughtodiscloseit.
Forinstance,considertheencryptionofafieldthatcontainsthesexinadatabasethatisknowntohavemorementhanwomen.
Anattackercouldobservethatthereareonlytwopossibleciphertextsandconcludethattheonewithmoreoccurrencesreferstothemalesex.
Therefore,thisciphershouldbeusedforfieldsthatstoreindexes,withahighamountofpossiblevalues,andfornon-sensitivedatalikeidentifiers,e-mailaddress,nameofprocessnodes,amongothers.
Somecryptographicalgorithmsuseoperationmodeswithrandomizedinitializationvectors(IV),intheformc=E(k,m,IV),asawaytoprovideprobabilisticFig.
3Fingerprintgenerationencryption.
Toprovidedeterministicencryption,thesealgorithmsusuallyfixtheIV(e.
g.
inzero).
Inthesecases,werecommendtheuseofaPRF(pseudorandomfunc-tion)overthemessagembyusingakeyk1,producingapseudo-randomoutputr=F(k1,m).
TheencryptionfunctionthenusesrasIVandanotherkeyk2topro-ducetheencryptedoutputc=E(k2,m;r).
SincethePRFgeneratesthesameoutputforthesamemessageandkey,thealgorithmremainsdeterministic.
Moreover,thePRFgeneratesdifferentoutputsfordifferentmessagesinputs(evenunderthesamekey)and,therefore,differentIV'sareobtainedfordifferentmessages,achievingtheIND-DCPAsecuritylevel[18].
OPfields.
OPfieldsallowthecomputationoverencrypteddata.
Forthesefields,ahomomorphicora"somewhat"homomorphiccipher(Section3.
3)shouldbeused,suchasPaillier[28],accordingtotheapplicationrequirements.
Thesefieldsincreasethefunctionalitypro-videdinDEPSPACE.
Forinstance,itispossibletoupdatevaluesusedtosynchronizedecoupledprocesswithoutrevealingprocessstatus.
Ifthefieldneedsonlyonekindofarithmeticoperations(e.
g.
:addition/subtractionormultiplication/division),a"somewhat"homomorphicciphercanbeusedtoofferbetterperformancethanafullyhomomorphicalternative.
Noticethatallfingerprintfieldsareusedonlytoselecttuples,exceptforOPfields.
Inthesecases,theupdatedvaluetobereadisinthefingerprint,notinthedecryptedtuple,andtheclientmustconsiderthisvalueduringareading/removaloperation.
ORfields.
Thisclassificationbringsalotoffunction-alitiesforthetuplespacesallowingserverstoexecutesomeoperations,as(1)tuplesorderingbasedonafield,(2)executionofqueriesforafieldbelongingtosomerangeand(3)selectatuplewithafieldstoringthemaxi-mum/minimumvalue.
ToexecutetheseoperationsintheoriginalDEPSPACEsystem,fieldsshouldbeclassifiedasPU,losingsecurity.
IftheyareclassifiedasPR,clientsneedtoreadanddecryptalltuplespriortoperformtheseoperations.
Allowingserverstoexecutesuchprocessingimprovesthesystemperformancesincefewerdataaretransferredthroughthenetwork[8].
TheORfieldsmustbechosencarefullysincethesefieldsarevulnerabletoinferenceattacksifallpossiblevaluesofadomainarepresentinthedatacollection[3].
Forinstance,ifatuplefieldreferstotheageofpatientsinahospitalthatisknowntohavepatientsofallagesfromzeroto100yearsold,thendatacouldberevealedduetothisassociation.
Toovercomethisvulnerability,wesuggesttheuseofacompositionofalgorithms.
First,encryptthedatawithanOPEalgorithm[20]andlaterusetheoutputasinputofanOREalgorithm[24].
BythisapproachthesystemFlorianoetal.
JournalofInternetServicesandApplications(2017)8:19Page9of16achievestheIND-OCPAsecuritylevel,withtheleakageofthefirstbitthatdiffersinthecomparedvalues.
Thedis-tancebetweenOPEencryptednumbersisarandomvalueanditdoesnothaveanyconnectionwiththedistanceoftheoriginalnumbers.
ThisisthereasonforthefirststepsinceinthiscasetheleakedbitisfromtheOPEencryptednumberinsteadoftheoriginalnumber.
Securityanalysis.
Table1showstheintrinsicsecuritylevelfortheciphersusedineachfieldtype,orderedbythelowertothehighersecuritylevel.
ItisimportanttorememberthatbothIND-OCPAandIND-DCPArep-resentweakernotionsofsecuritybasedonIND-CPA.
AlthoughtheORfieldsrevealmorethanequality(theorderamongtheciphertextisalsorevealed),theIND-OCPAlevelisconsideredmoresecurethanIND-DCPAbythefactthatitisnotachievedbydeterministicalgorithms.
Finally,thesecurityofasystemdependsonthecorrectuseofeachcipher,consideringthecharacteristicsofthedatastoredineachfield.
Keepingalldataencrypted,itispossibletoavoidinferenceattacksthatcouldcauseabigdamagetoapplicationsusinglowercomputationaleffort.
5ImplementationWeusedtheoriginalDEPSPACEimplementation[5]andintroducedsomemodificationstoapplythepreviouslydiscussedrobustcryptographyprimitives.
Basically,thetuplespaceoperationsstillworkasintheoriginalsystem(e.
g.
,thePVSSschemewasunchanged),butweextendedthesystembyprovidingnewpossibilitiesinthefinger-printgeneration.
Inthefollowingwediscusshowthefingerprintisprocessedaccordingtoeachfieldclassifica-tion.
Public(PU):nocryptographyisusedinthesefieldssincetheiroriginalcontentsareusedinthefingerprint(plaintext).
Comparable(CO):toprocessthesefieldsweusedtheSHA-1algorithm,whichgeneratesahashoutputof20bytes.
Private(PR):nooriginalfieldinformationisusedinthefingerprint,onlyaspecialsymbolPRindicatingitsclassification.
ComparableDeterministic(CD):forthesefieldsweusedaHMAC-SHA256(Hash-basedMessageAuthenticationCodewithSHA-256)algorithmandasecretkeyof256bitstogenerateanencryptedoutputof32bytes.
Table1SecuritylevelforeachfieldtypePUCOCDOROPPRInsecurePreimage/collisionIND-DCPAIND-OCPAaIND-CPAIND-CCA2aLevelachievedifanOREmethodisappliedOperable(OP):forthesefieldsweusedthejavallierlibrary[31],aJavaimplementationofthePaillieralgorithm[28].
This"somewhat"homomorphicencryptionlibraryimplementstheadditionoperationbetweentwoencryptednumbers,fromwhichthesubtractioncanalsobederived.
Additionally,anencryptednumbercouldbemultipliedbyasmallplaintextnumberusingrepeatedadditionoperations.
Fortheasymmetricalgorithmweusedakeypair(publicandprivate)of512bits.
Orderly(OR):forthesefieldsweusedthejopelibrary[32],aJavaimplementationofanOPEalgorithm[20].
WeemployedthislibrarywithoutthecompositionwithaOREalgorithm(seeSection3.
2).
ThislibraryoutputsadeterministicBigIntegerthatpreservesexactlythesameorderthanthenonencryptednumber,withpseudo-randomdistancesbetweenanytwoencryptednumbers.
Toperforminequalityqueries(e.
g.
:lessthanorgreaterthan),weimplementedattheproxylayeroftheclientsideadetectortoidentifythepresenceofthesequeriesandhandletheminawaythatthetuplespacelayerattheserverssidecanunderstand,i.
e,thetuplespacelayerwasmodifiedtoperformmatchesusingthesequeries.
Forinstance,atuplefieldcontainingthenumber10matchesatemplatefieldcontainingaquery"lessthan11".
Thecurrentsupportedqueriesare:lt(lessthan),le(lessthanorequalto),eq(equalto),gt(greaterthan),andge(greaterthanorequalto).
Consideringthepreviouslyexample,theORtuplefieldcontainstheencryptednumber10whiletheORtemplatefieldcontainsaquerylt(11)(lessthan11).
Sincethesesolutionsallowcomputationsattheservers,itispossibletoimplementsecureextensibledistributedcoordinationservices[8],likesharedcounters,distributedqueuesanddistributedbarriers.
Figure4showsarep-resentationofDEPSPACElayerswithanadditionallayer,calledExtensionManager,todealwithoperationsinOPandORfieldsaccordingtoapplicationsneed.
Thefigureshowsalsothatthereisaquerydetectorintheproxylayerattheclientside(thislayerreceivesthetuplespaceopera-tionscalledfromtheapplications),whichisresponsiblebythealreadymentionedidentificationoffunctionalqueries.
Forexample,toimplementanextendedsharedcounter,serversmustaccessandupdatethecountervaluestoredintoatuplefield[8],whichcouldbedoneusinganOPfield.
Moreover,toimplementadistributedqueue,serversmustdefinetheorderamongthetuplesavailableinthespace[8](tuplesrepresentlistentries),whichcouldbedoneusingORfields.
Noticethattheseextendedcoor-dinationservicescannotbeimplementedwithsecuritypropertieswithouttheextensionsproposedinthispapersincetheyallowthesecomputationsattheservers.
Florianoetal.
JournalofInternetServicesandApplications(2017)8:19Page10of16Fig.
4DEPSPACElayerswiththeextensionmanager6ExperimentalevaluationInordertoassesstheperformanceoftheproposedsolu-tionsandbetterunderstandthecoststoprovideprivacyinthetuplespacemodel,weconductedsomeexperi-mentswiththepreviouslydescribedimplementationinEmulab[33].
6.
1ExperimentalsetupTheEmulabenvironmentwasconfiguredwith5d710machines(2.
4GHz64-bitIntelQuadCoreXeonE5530with2CPUthreadspercore,12GBofRAMand1Gbpsnetworkcards)anda1Gbpsswitchednetwork.
Thesoft-wareinstalledonthemachineswasUbuntu1464-bitanda64-bitJavavirtualmachineversion1.
8.
0_121.
Forallexperiments,thesystemwasconfiguredwithfourreplicashostedinseparatemachinestotolerateuptoonereplicafailure,whiletheclientswereexecutedintheremainingmachine.
WeemployedthislibrarywithoutthecompositionwithaOREalgorithm(seeSection3.
2).
ThislibraryoutputsadeterministicBigIntegerthatpreservesexactlythesameorderthanthenonencryptednumber,withpseudo-randomdistancesbetweenanytwoencryptednumbers.
Toperforminequalityqueries(e.
g.
:lessthanorgreaterthan),weimplementedattheproxylayeroftheclientsideadetectortoidentifythepresenceofthesequeriesandhandletheminawaythatthetuplespacelayerattheserverssidecanunderstand,i.
e,thetuplespacelayerwasmodifiedtoperformmatchesusingthesequeries.
Forinstance,atuplefieldcontainingthenumber10matchesatemplatefieldcontainingaquery"lessthan11".
Thecur-rentsupportedqueriesare:lt(lessthan),le(lessthanorequalto),eq(equalto),gt(greaterthan),andge(greaterthanorequalto).
Forexecutingoutoperations,weusedtupleswithonlydefinedfieldsforeachconfigurationdescribedabove(e.
g.
:1,2,3,1,2,3,4,5and1,2,3,4,5,6).
Noticethesefieldswereprotectedaccordingtotheirconfiguration(PU,CO,PR,CD,OPorOR).
Ontheotherhand,thetemplatesusedforrdpandinpoperationswereconfiguredwithonedefinedfieldwhiletheremainingoneswereconfiguredaswildcards(e.
g.
:1,1,and1,exceptfortheconfigurationsPRandOPinwhichallfieldswereconfiguredaswildcardssinceitisnotpossibletoexecutematchesinthesefields(Section7).
Weevaluatedtherawthroughputofthesystemattheserversandthelatencyperceivedattheclientsinallconfigurations.
Toevaluatelatency,weusedoneclienttoexecuteeachoperation1000timesandobtainedthe90thpercentileandtheaveragetimediscardingthe10%valueswithgreatervariance.
Ontheotherhand,toexe-cutethroughputexperiments,wevariatedthenumberofclients(fromonetoten)andmeasuredthemaximumthroughputobtainedineachconfiguration.
Inordertostresstheservers,eachclientpreprocessed1000requests(mostofthecryptographiccostsareattheclientside)beforesendingthemtotheservers,thatmeasuredthethroughputperiodicallyateach100executedrequests.
AlthoughtheDepSpacedoestoleratesfaults,allperfor-mancevalueswereobtainedinfault-freeexecutions.
6.
2ResultsThissectionreportstheresultsobtainedintheexper-iments.
First,Fig.
5aandbpresentthe90thpercentileFlorianoetal.
JournalofInternetServicesandApplications(2017)8:19Page11of16abFig.
5Tupleinsertion(out)latency.
aLatency-90thPercentile.
bLatency-Averageandtheaveragelatencyfortheoutoperation,respectively.
Thecryptographiccostsfortheseoperationsarerelatedto:(1)theexecutionofthePVSSscheme[5],thatisthesamecostforallconfigurations;and(2)thegenerationofthefingerprint,thatisdifferentforeachapproach(seeTable2).
AconfigurationwithfieldsPUorPRpresentedthebestperformancesincenocryptographicoperationsisneedtogeneratethefingerprint,followedbyconfigurationsCOandCD.
AlthoughmoretimeisnecessarytoprocessthefingerprintforCDwhencomparedtoCO(Table2),thisfactdoesnotimpactitsperformancesinceitdemandslessthanamillisecondtoexecute(0.
033ms).
Thecon-figurationOPalsopresentedanacceptableperformance,althoughmoretimeisnecessarytoprocessthefinger-print.
Ontheotherhand,theconfigurationORpresentedpoorperformancesincealotoftimewasnecessarytoprocessthefingerprint.
Besidesthat,Table3showstheamountofinformationthatmustbeexchangedamongclientsandserversforeachconfiguration.
Therequestsizeisimportantsinceitgoesthroughthereplicationprotocolsthathavecomplex-ityofO(n2)messages[5].
Thereplysizealsoisimportantsinceeveryservermaysendittotheclient,resultinginacommunicationsofnto1.
Table2Costsrelatedtocryptographicprocessingnecessaryto(1)generateafingerprint,(2)verifyifafingerprintisgoodforatuplereceivedfromservers,(3)extractaoperablefieldfromthefingerprintand(4)executeamatchattheserversFingerprintVerifyExtractQuery/Match(av/σ)(av/σ)(av/σ)(av/σ)PU––––CO(0.
003/0.
0003)(0.
003/0.
0003)––PR––––CD(0.
033/0.
0067)(0.
033/0.
0067)––OP(0.
619/0.
0322)–(0.
601/0.
1064)–OR(375.
091/2.
3129)(375.
348/1.
9041)–(0.
001/0.
0002)Allvaluespresentedinthetableconsiderthecoststoprocessonlyonefieldanditispresentedtheaverage(av)andthestandarddeviation(σ)inmilliseconds(ms)Figure6aandbpresentthelatencyresultsfortherdpoperation.
Theseresultsareverysimilartotheresultsfortheinpoperation(Fig.
7aandb),sincetheonlydifferenceisthattheinpoperationremovesthetuplefromthespace.
Thecryptographiccostsfortheseoperationsarerelatedto:(1)theclientmustgeneratethefingerprintfforthetemplate;(2)serverssearchforatuplewithafingerprintthatmatchesf;(3)serversexecutethePVSSschemetoextracttheirshares;and(4)theclientmustexecutethePVSSschemetocombinethereceivedsharesandrecoverthetupleandverifyiffisvalidforthereceivedtuple.
Moreover,itisnecessarytoextractthevaluesofoper-ablefieldsfromthefingerprint.
Table2presentsthesecosts,exceptforthePVSSschemethatarethesameforallconfigurations.
Thesizeofarequest/replyalsoispre-sentedatTable3and,asalreadycommented,impactsthecommunicationcosts.
Theperformancepresentedbythesystemintheexecutionofreading(rdp)andremoval(inp)operationsfollowedthesamepatternoftheinsert(out)operations,basicallyforthesamereasons.
Anotherveryimportantaspectisthatmostofthecryp-tographiccostsareexecutedattheclientside,i.
e.
,thecostsreportedatcolumnsfingerprint,verifyandextractofTable2.
Onlythequery/match(lastcolumnofTable2)forORfieldsareexecutedbytheserversduringthesearchforatuplewhichhasafingerprintthatmatchesthefin-gerprintofthetemplateinareadorremovaloperation.
Moreover,mostofthecostsrelatedtotheexecutionofthePVSSschemealsoareplacedattheclientside[5].
Thisisimportantbecauseitshowsthatitispossibletohaveatuplespacethatensurestheprivacyoftheinformationitstoresand,atthesametime,isscalable.
Consequently,althoughthesecostsimpactthelatency,itisnotexpectedtohaveasignificantimpactonthesystemthroughput.
Tryingtoinvestigatethisaspect,Fig.
8presentsthethroughputpresentedattheserversforeachoperationandconfiguration.
Thethroughputissimilarforallcon-figurationssincenosignificantcryptographicoperationisexecutedattheservers(onlyanegligibletimeisdemandedtoexecuteaquery/marchfortheORconfiguration).
Florianoetal.
JournalofInternetServicesandApplications(2017)8:19Page12of16Table3Amountofdata(inbytes)sentinarequest/replyforeachconfigurationandoperationOUT(request/reply)RDP/INP(request/reply)3fields5fields7fields3fields5fields7fieldsPU(874/133)(917/133)(951/133)(364/1081)(386/1122)(408/1156)CO(937/133)(1064/133)(1195/133)(336/1147)(358/1269)(380/1405)PR(794/133)(831/133)(859/133)(288/996)(310/1038)(332/1072)CD(1144/133)(1399/133)(1665/133)(403/1342)(425/1610)(447/1868)OP(1763/133)(2433/133)(3113/133)(288/1969)(310/2640)(332/3324)OR(825/133)(866/133)(916/133)(297/1026)(319/1081)(341/1124)Moreover,thethroughputtoinsert(Fig.
8a)atupleinthespaceishigherthanthethroughputtoread(Fig.
8b)ortoremove(Fig.
8c)itfromthespace.
Infact,intheexe-cutionofareadingorremovaloperation,serversmustextractandverifytheshareswhilenocryptographicfunc-tionisexecutedattheserversforinsertionoperations(Section2.
1).
Anotherimportantaspecttobeobservedintheexper-imentsisthatthenumberoffieldsinatupledoesnotsignificantlyimpactedthesystemperformanceforbothlatencyandthroughput.
Infact,forallconfigurationsandoperations,theperformancefor3,5,and7fieldsaresim-ilar,exceptfortheORfieldssincetheydemandedmuchmoretimetogeneratethefingerprint(Table2).
7DiscussionsThissectionpresentssomeimportantdiscussionsaboutsomeaspectsoftheproposedsolutions.
7.
1(Im)possibilityofcombinationsoffieldstypesTheproposedprotocolandimplementationdonotpermitthatafieldassumesmorethanonetype.
However,sometypescouldbeseenasacombinationofsometypessincetheyprovideequivalentfunctionalities.
Belowwepresentsomeexamples.
ORtypealsoprovidesadeterministicencryptionandcouldbeusedasCDorCO,i.
e.
,itallowsequalitymatchqueries.
COandCDprovidethesamefunctionalitybutwithdifferentsecuritylevels.
PUtypeprovidesallfunctionalities,butitisinsecure.
Ontheotherhand,thecombinationspresentedbelowarenotpossible:OPfieldsarenotdeterministicsincetheyuseanasymmetricrandomizedalgorithmand,therefore,eachencryptionofthesamenumberwiththesamekeymayproducedifferentresults.
Consequently,itdoesnotprovidethefunctionalitiesofCDorCO.
OPistheonlysecurefieldthatallowscomputation.
ORistheonlysecurefieldthatallowsordering.
PRtypepresentsthebestsecuritylevel,butdoesnotprovideanyfunctionality.
7.
2Statemachinereplicationvs.
operablefieldsOperablefieldscouldbechangedthroughtheexecutionofcomputationsattheservers.
Thesechangesoccurinthefingerprintinsteadofinthetuplethatisencryptedasasinglepieceofdata.
Thisapproachbringstwoissuesthatneedsomeattention:abFig.
6Tuplereading(rdp)latency.
aLatency-90thPercentile.
bLatency-AverageFlorianoetal.
JournalofInternetServicesandApplications(2017)8:19Page13of16abFig.
7Tupleremoval(inp)latency.
aLatency-90thPercentile.
bLatency-AverageFirstly,whendecryptedafterareading/removaloperation,theOPfingerprintfieldmaynotmatchthecorrespondingOPtuplefield.
Consequently,duringthisverification(Section2.
1),OPfieldsarealwaysconsideredvalid.
Moreover,thevalueinthetuplefieldshouldbereplacedbytheupdatedvalueinthefingerprintfield.
Secondly,andmorecritical,duringtheStateMachineReplication(SMR)protocolsexecutionattheclient[16,34],therepliesreceivedfromtheserversmaybedifferentsincetheOPfieldsuseanon-deterministicalgorithm.
Infact,thecryptogramsresultingfromsomecomputationattheserversmaydifferamongthem,althoughtheyrefertothesamedecryptedvalue.
TheseaspectsimpacttheSMRprotocols,whichrequiref+1identicalrepliestoterminatebyreturningsomeofthesereplies.
Inordertocircumventthisproblem,itisnecessarytodecrypttheOPfieldspriortocountthenumberofreceivedreplies.
7.
3KeymanagementKeymanagementalmostalwaysisabigchallengeinthedevelopmentofsecuresystems.
Fortunately,inourmodelwecanusethecomputationalpowerofthetuplespaceitselfforthismanagement.
Theideaistouseacombina-tionofPUandPRfieldstoexchange,amongthegroupofcommunicatingprocesses,thekeysusedtocomputethefingerprintforCD,OPandORfields.
Theprotocolisquitesimple:acbFig.
8Throughputforinsert(out),read(rdp)andremove(inp)atuplefromthespace.
aTupleinsertion(out)throughput.
bTuplereading(rdp)throughput.
cTupleremoval(inp)throughputFlorianoetal.
JournalofInternetServicesandApplications(2017)8:19Page14of16Eachclientcgeneratesasecretkeykanddefinesatuplet=secret_key,kandatemplatet=secret_key,,bothdefinedasPU,PR(firstfieldispublicandthesecondisprivate).
Later,cinvokesacas(t,t)operation.
Ifitreturnsnull,thencuseskasasharedsecretkeysincenootherpreviousdefinedsecretkeywasinsertedintothespace.
Otherwise,theoperationreturnsatuplet=secret_key,kreadfromthespaceandcuseskasthesharedsecretkey.
Theprotocoltoexchangeakeypair(OPfields)isverysimilar,theonlydifferenceisthattheclientshouldcre-ateatuplet=OP_keys,kpub,kprivandatemplatet=OP_keys,,inthefirststep,bothdefinedasPU,PU,PR.
Finally,theDEPSPACEaccesscontrolsubsystemmustbeusedanditisenoughtoensurethatonlythegroupofcommunicatingprocessesisallowedtoaccessthetuplesstoringthekeys(noticethatisispossibletousedifferentkeysfordifferentfields).
Toremovesomeprocessfromthegroup,thekeymustberedefinedandsharedwiththeappropriatedaccesscontrolconfiguration,aspreviouslydescribed.
Noticethatalltuples/fingerprintsgeneratedthroughtheoldkeyneedtobereplacedbyanotherthatusesthenewkey.
Ontheotherhand,theadditionofsomeprocessinthegroupisstraightforwardsinceanewtuplewiththesamekeybutwithappropriatedaccesscon-trolconfiguration(includingthenewprocess)mustbeinsertedintothespaceandthejoiningprocessonlyneedstoreaditfromthespace.
7.
4AlternativesforfingerprintimplementationSection5reportsonourchoicestoimplementthefin-gerprintforeachfield.
However,otheralternativesarepossibleandcouldbeinvestigatedtoincreasethesystemsecurityleveland/ortoboostthesystemperformance.
Amongmanyciphersavailableintheliterature,wediscussbelowsomealternativesforeachoneoftheseaspects.
Increasingthesystemsecuritylevel.
–CDfields:itispossibletoimprovethesecuritylevelprovidedinorimplementationforCDfieldstoachievethelevelreportedinTable1inthefollowingway.
First,usethetuplefieldasinputofaHMAC-SHA256functionunderthefirst16bytesofasecretkeyof256bits,generatingtheIV(initializationvector).
After,applythenativeJavaAESCBCmodeencryptionoverthetuplefieldusingthesecondhalfofthesecretkeyandthecomputedIV.
–ORfields:weusedaOPEalgorithmaloneforORfields,butitispossibletouseitinconjunctionwithanOREalgorithmtomeetthesecuritylevelreportedinTable1.
Improvingsystemperformance:ourimplementationforORfieldspresentedapoorperformancebecauseitisbasedonhyper-geometricdistributionfunctions,whichpresenthighcomputationalcosts.
Thisisanaturalcandidatetobereplacedbyanothercipherwiththesamefunctionality.
8RelatedworksThereareseveralsystemsdevelopedtoprovidesecurityand/orfault-toleranceinthetuplespacesmodel.
Amongtheseproposals,theDepSpace[5]anditsextendedversiontodistributedcoordination[8]aretheuniquetoconsiderbothfault-tolerancebyusingreplicationtechniquesandsecuritybycombiningcryptographicandaccesscontrolmechanisms.
Someoftheproposedsystemsimplementonlyreplicationmechanisms[12,38],whileothersuseonlyaccesscontroltechniques[9–11].
Theseproposalsforsecurityinthetuplespacemodelhaveaverylim-itedfocussincetheyconsideronlysimpleattackslikeinvalidaccessoruseweakcryptographymechanisms,whicharenotenoughtoensurethesecurityofthestoredinformation.
Othersystemsprovidesomeleveloffault-tolerancebyusingtheconceptoftransactions[35–37].
Table4comparesthefeaturesprovidedbythesetuplespaceapproachesandthesolutionsproposedinthispaper.
Strongerandrobustcryptographicmechanismswereusedinthedatabasecontextaimingtoprovideconfiden-tialityandprotectionagainstinformationleakagethroughtheprocessingofqueriesoverencrypteddatabases[21,22].
Intheseworks,differentcryptographyschemesareusedinthesameapplicationaccordingtothespeci-ficityofthedatatobestoredandtheexpectedqueriestobeexecutedoverthesedata(e.
g.
:equality,comparisonandwordsoccurrenceintexts).
Homomorphicencrypteddata,forinstance,canacceptUPDATEoperationswithoutbeendecrypted.
Inthesameway,OPEandOREciphersareusedtoperformcomparisonqueries,like≤or≥,withagoodperformance/securitytrade-off.
Ourproposalfornewfieldclassificationemploysthesecryptographicmechanismsaimingtomitigatethesecurityproblemsforapplicationsthatusethetuplespaceprogrammingparadigm.
InCryptDB[21]andrelatedworks,suchastheframe-workforsearchingencrypteddatabases[22],theperfor-mancedecreaseswiththeuseofcryptographicfunctions,beingmoresubstantialwhenincreasingeitherthenum-berofclientordatabasesizes.
Intheproposedsystem,theserversideisnotsignificantlyimpactedwiththeexecutionofcryptographicfunctionssincetheheavycryptographicprocessingoccursattheclientside(Table2).
Florianoetal.
JournalofInternetServicesandApplications(2017)8:19Page15of16Table4ComparisonamongtuplespacesapproachesReplicationTransactionAccesscontrolConfidentialityAllowsoperationsandsearchesoverencrypteddataTSpaces[35]X√XXXJavaSpaces[36]X√XXXGigaSpaces[37]X√XXXFT-Linda[12]√XXXXParallel-Linda[38]√XXXXSecSpaces[10]XX√XXKLAIM[9]XX√XXSECOS[11]XX√XXDepSpace[5]√X√√XDepSpace+thispapersolutions√X√√√9ConclusionsandfutureworkThispaperreportsonoureffortstoprovideprivacyinthetuplespacesmodelbyapplyingrobustcryptographicschemes.
Themainchallengeinthismodelisthattuplesareaccessedbytheircontents(associativememory),beingnecessarytosupplysomeinformationaboutthemtoallowserverstoselecttuplesthatmatchtemplates.
Toover-comethisproblem,thispaperproposestheuseofrobustcryptographicschemesthatallowbothcomputationsanddefinitionofanorderoverencrypteddata.
Asetofexperimentsillustratedthecostsrelatedtotheproposedsolutions.
Asfutureworkweintendtoinvestigatetheperformanceofotherrobustcryptographiclibrariesthatprovidethesamesecuritylevelandcharacteristicsoftheseusedinthefirstimplementation.
Additionally,weintendtodevelopaapplicationthatusesallthecomputationpowerprovidedbyoursolutionandsomesecureextensibledistributedcoordinationservices,likesharedcounters,distributedqueuesanddistributedbarriers.
AcknowledgementsWewouldliketothanktheuniversitiesinvolvedforthesupportprovided.
Wealsothankthemanycontributionsfromthereviewers.
FundingNotapplicable.
AvailabilityofdataandmaterialsNotapplicable.
Authors'contributionsEFisastudentatPPGInf/CIC/UnBandhasconductedtheanalysisaboutthesecurityofDepSpaceandproposedthenewfieldsclassificationsandimplementations.
Prof.
EAistheadvisorofEFandhelpedmainlyinthedefinitionsoftheproposalsandintheimplementationsandexperiments.
Prof.
DAisco-advisorofEFand,togetherwithProf.
PS,workedmainlyinthesecurityaspectsofthework.
Moreover,allauthorsparticipatedinalldiscussionsandinthewrittenphaseofthefinaltext.
Allauthorsreadandapprovedthefinalmanuscript.
EthicsapprovalandconsenttoparticipateNotapplicable.
ConsentforpublicationAllauthorsagreetothesubmittedversion.
CompetinginterestsTheauthorsdeclarethattheyhavenocompetinginterests.
Publisher'sNoteSpringerNatureremainsneutralwithregardtojurisdictionalclaimsinpublishedmapsandinstitutionalaffiliations.
Authordetails1DepartmentofComputerScience,UniversityofBrasilia,UnB,Brasília,DF,Brazil.
2InstituteofComputing,UniversityofCampinas,UNICAMP,Campinas,SP,Brazil.
Received:6September2017Accepted:22November2017References1.
AvizienisA,LaprieJC,RandellB,LandwehrC.
Basicconceptsandtaxonomyofdependableandsecurecomputing.
IEEETransDependableSecureComput.
2004;1(1):11–33.
2.
VeríssimoP.
DialogueonCyberPoliciesbetweenBrazilandtheEU:prospectingthreatsandopportunitiesofthecyberspace.
DialogueCyberPolicies.
2016.
3.
NaveedM,KamaraS,WrightCV.
Inferenceattacksonproperty-preservingencrypteddatabases.
In:Proceedingsofthe22ndACMSIGSACConferenceonComputerandCommunicationsSecurity.
NewYork:ACM;2015.
p.
644–55.
4.
GelernterD.
GenerativeCommunicationinLinda.
ACMTransProgramingLangSyst.
1985;7(1):80–112.
5.
BessaniAN,AlchieriEP,CorreiaM,daSilvaFragaJ.
DEPSPACE:Abyzantinefault-tolerantcoordinationservice.
In:Proceedingsofthe3rdACMSIGOPS/EuroSysEuropeanConferenceonComputerSystems2008.
NewYork:ACM;2008.
p.
163–76.
6.
AlchieriEAP,BessaniAN,FragadSJ.
Adependableinfrastructureforcooperativewebservicescoordination.
In:IEEEInternationalConferenceonWebServices.
Beijing:IEEE;2008.
p.
21–8.
7.
BessaniAN,CorreiaM,FragaJS,LungLC.
SharingmemorybetweenByzantineprocessesusingpolicy-enforcedtuplespaces.
In:Proceedingsof26thIEEEInternationalConferenceonDistributedComputingSystems.
Lisboa:IEEE;2006.
8.
DistlerT,BahnC,BessaniA,FischerF,JunqueiraF.
Extensibledistributedcoordination.
In:ProceedingsoftheTenthEuropeanConferenceonComputerSystems.
EuroSys'15.
NewYork:ACM;2015.
9.
DeNicolaR,FerrariGL,PuglieseR.
KLAIM:AKernelLanguageforAgentsInteractionandMobility.
IEEETransSoftwEng.
1998;24(5):315–30.
10.
BusiN,GorrieriR,LucchiR,ZavattaroG.
SecSpaces:aData-DrivenCoordinationModelforEnvironmentsOpentoUntrustedAgents.
ElectronNotesTheorComputSci.
2003;68(3):310–27.
Florianoetal.
JournalofInternetServicesandApplications(2017)8:19Page16of1611.
VitekJ,BryceC,OriolM.
CoordinatingprocesseswithSecureSpaces.
SciComputProgram.
2003;46(1–2):163–93.
12.
BakkenDE,SchlichtingRD.
SupportingFault-TolerantParallelPrograminginLinda.
IEEETransParallelDistribSyst.
1995;6(3):287–302.
13.
SegallEJ.
Resilientdistributedobjects:Basicresultsandapplicationstosharedspaces.
In:Proceedingsofthe7thIEEESymposiumonParallelandDistributedProcessing-SPDP'95.
SanAntonio:IEEE;1995.
p.
320–7.
14.
LamportL,ShostakR,PeaseM.
TheByzantinegeneralsproblem.
ACMTransProgramLangSyst.
1982;4(3):382–401.
15.
SchoenmakersB.
Asimplepubliclyverifiablesecretsharingschemeanditsapplicationtoelectronicvoting.
In:Proceedingsofthe19thAnnualInternationalCryptologyConferenceonAdvancesinCryptology-CRYPTO'99.
SantaBarbara:SpringerBerlinHeidelberg.
1999.
p.
148–64.
16.
CastroM,LiskovB.
PracticalByzantinefault-toleranceandproactiverecovery.
ACMTransComputSyst.
2002;20(4):398–461.
17.
MenezesAJ,VanstoneSA,OorschotPCV.
HandbookofAppliedCryptography,1st.
BocaRaton:CRCPress,Inc.
;1996.
18.
BonehD,ShoupV.
AGraduateCourseinAppliedCryptography.
2015.
https://crypto.
stanford.
edu/~dabo/cryptobook/draft_0_2.
pdf.
AccessedNov2017.
19.
BellareM,DesaiA,PointchevalD,RogawayP.
Relationsamongnotionsofsecurityforpublic-keyencryptionschemes.
In:AdvancesinCryptology-CRYPTO'98,18thAnnualInternationalCryptologyConference.
SantaBarbara:SpringerBerlinHeidelberg.
1998.
p.
26–45.
20.
BoldyrevaA,ChenetteN,LeeY,O'NeillA.
Order-PreservingSymmetricEncryption.
2012.
CryptologyePrintArchive,Report2012/624.
http://eprint.
iacr.
org/2012/624.
AccessedNov2017.
21.
PopaRA,RedfieldCMS,ZeldovichN,BalakrishnanH.
CryptDB:Protectingconfidentialitywithencryptedqueryprocessing.
In:ProceedingsoftheTwenty-ThirdACMSymposiumonOperatingSystemsPrinciples.
NewYork:ACM;2011.
p.
85–100.
22.
AlvesPGMR,AranhaDF.
Aframeworkforsearchingencrypteddatabases.
In:XVISimpósioBrasileiroemSeguranadaInformaoedeSistemasComputacionais(SBSEG2016).
Niterói:SBC;2016.
p.
142–55.
23.
BonehD,LewiK,RaykovaM,SahaiA,ZhandryM,ZimmermanJ.
SemanticallySecureOrder-RevealingEncryption:Multi-InputFunctionalEncryptionWithoutObfuscation.
2014.
CryptologyePrintArchive,Report2014/834.
http://eprint.
iacr.
org/2014/834.
AccessedNov2017.
24.
ChenetteN,LewiK,WeisSA,WuDJ.
PracticalOrder-RevealingEncryptionwithLimitedLeakage.
2015.
CryptologyePrintArchive,Report2015/1125.
http://eprint.
iacr.
org/2015/1125.
AccessedNov2017.
25.
LewiK,WuDJ.
Order-revealingencryption:Newconstructions,applications,andlowerbounds.
In:Proceedingsofthe2016ACMSIGSACConferenceonComputerandCommunicationsSecurity,CCS'16.
NewYork:ACM;2016.
p.
1167–78.
26.
TourkyD,ElKawkagyM,KeshkA.
Homomorphicencryptionthe"holygrail"ofcryptography.
In:20162ndIEEEInternationalConferenceonComputerandCommunications(ICCC).
Chengdu:IEEE;2016.
p.
196–201.
27.
NaehrigM,LauterK,VaikuntanathanV.
CanhomomorphicencryptionbepracticalIn:Proceedingsofthe3rdACMWorkshoponCloudComputingSecurityWorkshop.
NewYork:ACM;2011.
p.
113–24.
28.
PaillierP.
Public-keycryptosystemsbasedoncompositedegreeresiduosityclasses.
In:Proceedingsofthe17thInternationalConferenceonTheoryandApplicationofCryptographicTechniques.
EUROCRYPT'99.
Berlin:Springer-Verlag;1999.
p.
223–38.
29.
GamalTE.
Apublickeycryptosystemandasignatureschemebasedondiscretelogarithms.
IEEETransInfTheory.
1985;31(4):469–72.
30.
KhaderAS,LaiD.
Preventingman-in-the-middleattackindiffie-hellmankeyexchangeprotocol.
In:22ndInternationalConferenceonTelecommunications.
Sydney:IEEE;2015.
p.
204–8.
31.
AnalyticsN.
AJavalibraryforPaillierpartiallyhomomorphicencryption.
Availableathttps://github.
com/n1analytics/javallier.
AccessedNov2017.
32.
SavvidesS.
Order-preservingencryptioninJava.
Availableathttps://github.
com/ssavvides/jope.
AccessedNov2017.
33.
WhiteB,LepreauJ,StollerL,RicciR,GuruprasadS,NewboldM,HiblerM,BarbC,JoglekarA.
AnIntegratedExperimentalEnvironmentforDistributedSystemsandNetworks.
In:Proc.
of5thSymp.
onOperatingSystemsDesignandImplementations.
Boston:ACM;2002.
34.
SchneiderFB.
Implementingfault-tolerantserviceusingthestatemachineaproach:Atutorial.
ACMComputSurv.
1990;22(4):299–319.
35.
LehmanTJ,etal.
HittingthedistributedcomputingsweetspotwithTSpaces.
ComputNetw.
2001;35(4):457–72.
36.
JavaSpaces.
JavaSpacesGuide.
2016.
Availableathttp://www.
oracle.
com/technetwork/articles/java/javaspaces-140665.
html.
AccessedNov2017.
37.
GigaSpaces.
GigaSpacesHomepage.
2016.
Availableathttp://www.
gigaspaces.
com/.
AccessedNov2017.
38.
XuA,LiskovB.
Adesignforafault-tolerant,distributedimplementationofLinda.
In:Proc.
ofthe19thSymposiumonFault-TolerantComputing.
Chicago:IEEE;1989.
p.
199–206.