SIGNET: A Tool for Securing Complex Petri-Net Projects

shoulderslyricalΤεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 3 χρόνια και 8 μήνες)

74 εμφανίσεις


SIGNET: A Tool for Securing Complex Petri
-
Net Projects

Anastasia Pagnoni
1
, Andrea Visconti
1
, Massimo Russo
1

1
Department of Computer Science and Communication


University of Milan, Italy

{pagnoni, visconti}@dico.unimi.it




Abstract.
SIGNET
TM

is a multifu
nctional tool for making secure large,
complex Petri net
projects. It provides for: (a)
authentication
, digital signature, and public
-
key encryption of net
plans and their analysis (reachability graphs and net invariants)

to be transmitted or stored,
and
(
b) detection and correction of marking errors in Petri nets used for monitoring system
implementations.


Keywords.

Petri net, integrity, authentication, digital signature, cryptography, error correction


Contents

1.

Introduction

2.

Overall Design and Data Input

3.

Authentication

4.

Cryptography

5.

Signature Protocols

6.

Error
-
correction

7.

Implementation and Testing

8.

References

9.

Acknowledgements


1. Introduction

Real
-
world Petri net applications usually result in a substantial collection of complex net
plans, together with some a
nalysis outcome


reachability graphs, invariants, deadlocks, traps,
simulations, etc. This is a valuable, often quite costly throughput that can be endangered in
many ways.

Large, complex Petri nets produced by means of net editors can very easily be dama
ged
by incompetent users with access to the programs; both net components and analysis outcome
may be damaged


markings can be accidentally modified, arcs deleted, and so on. Whenever
a Petri net project has to be delivered to a customer its authenticatio
n becomes a bipartisan
issue. From the one side, project designers want to preserve the integrity of the project, that is,
to make sure that no alterations are introduced by unauthorized persons; from the other,
customers require that the project designer
take full responsibility for their work, possibly in a
legally binding form (digital signature).

Confidentiality may be required in order to prevent unauthorized individuals from
illegally accessing, copying, or using project components.

SIGNET
TM

is a too
l specifically designed for the protection of large, complex Petri
-
net
projects. It offers four services:

a.

Protection of the integrity of project components:
a strong fingerprinting algorithm
protects net plans and their analysis (reachability graph and net

invariants) from
accidental corruption due to unskilled or malicious users.

b.

Digital signature of project components:

easy
-
to
-
verify, non
-
repudiable public
-
key
(RSA) signature allows certification of the origin of net plans and their analysis.

c.

Confidentia
lity of Petri net projects:
RSA encryption of project components guards
the secrecy of net plans and their analysis.

d.

Error correction in Petri
-
net
-
monitored implementations:

Hamming encoding for the
detection and correction of accidental marking errors in
k
-
limited place/transition nets
used for monitoring real
-
world project implementations.

Sections 2
-
5 present a detailed description of these services; implementation and testing will
be discussed in Section 6. We assume readers to be familiar with Petri ne
ts, and with the
basics of coding theory and cryptography.

2. Overall Design and Data Input

SIGNET
TM

is a stand
-
alone application, but was designed for later embedding into one of the
existing Petri
-
net editors. For this reason, it has neither graphical e
ditor, nor analysis
functionalities of his own. As it is, users input data directly; in particular, Petri nets are input
as a pair of input and output incidence matrices. This choice


two separate incidence
matrices, one for the input, and one for the out
put arcs of transitions


is to allow for the
modeling of side conditions.

Reachability graphs will be input as adjacency lists, that is, as indexed vectors of linked
lists. Net invariants will be input in the usual way, as S
-

and T
-
vectors.

3. Authentic
ation

Integrity protection.
Fingerprinting is a very efficient way of securing the integrity of data of
large, variable size, like complex Petri net plans and reachability graphs. Secure encryption of
data alone would also protect their integrity, because

decryption of altered cryptograms results
in meaningless information. However, encryption of large, complex Petri nets and reachability
graphs is a very time
-
consuming operation, that should better be avoided whenever
confidentiality is not required.

In

SIGNET the fingerprint of a binary string
m

is implemented as the RSA
-
encrypted
MD5
-
message digest of
m
. MD5 is a
strong
hash function, developed by Ron Rivest at MIT,
and NIST cryptographic standard RFC 1321. MD5 inputs a string of bit of variable lengt
h, and
outputs a (short) string of 128 bit, MD5(
m
), called the
message digest
of
m.

It is called a
strong
hash function because it is computationally unfeasible to find two different strings with
the same message digest [St95]. Therfore, bit changes in
m

w
ill be detected by the mismatch
between the altered string
m’

and the message digest of the original string
m.


As it is costumary in cryptographic literature, will will assume that SIGNET
TM

user
Alice
is the author/owner of a certain piece of information
m



a net plan, a reachability graph,
etc.


while user that
Bob
is the intended recipient/costumer of it.

The fingerprint of
m
is produced by Alice by RSA
-
encrypting [St95] the 128
-
bit
message digest of
m,

h =
MD5(
m
), with the public key of Bob. She wil
l than send the
concatenation
<
m
,

MD5(
m
)
>
to Bob. The message digest must always be encrypted to
prevent malicious users to forge counterfeit
<
m
,

MD5(
m
)
>

pairs.

The fingerprint of

m

allows Bob to verify that no accidental or intentional changes have
been m
ade to the original message

m.

To this end, Bob will first apply his RSA secret key to
the fingerprint, and recover the original message digest
h
. He will then re
-
compute MD5(
m
),
the message digest of the received string
m,
and check if
h

and MD5(
m
) match.

If, and only if,
they do match,
m
will be accepted as the original string.


A fingerprint protects Alice and Bob from both accidental errors and malicious third
parties, but it does not protect them from each other. Bob can always forge a different proje
ct
component, compute its fingerprint (encrypted with Bob’s own public
-
key) and claim that the
rusulting pair
<
m’,

MD5(
m’
)
>

came from Alice. For this reason, Alice can always deny that
she ever produced a certain project component. In order to protect the

two parties from each
other, a digital signature must be used.

Digital signature.
The author of a project can digitally sign net plans, reachability graphs,
and/or net invariants in order to guarantee their origin. Digital signature of a Petri net project
,
or of any of its components, protects authors and customers as well, because: (a) it is not
forgeable, and constitutes a sure proof of the author’s identity, and of the date and time of
signature, (b) it cannot be repudiated, as it was computed using in
formation uniquely known to
its author, (c) it is verifiable by third parties, and can therefore be used as a legal proof of
origin of signed information, and (c) a signed net cannot be altered by either its author or its
recipient.

In SIGNET
TM

digital si
gnature on a binary string

m
is implemented by RSA
-
encrypting
the message digest MD5(
m
) with the user’s

secret
key.

4. Cryptography

SIGNET
TM

offers the choice between two different signature protocols: the one only provides
for digital signature, while th
e other also protects confidentiality. Let us describe them briefly.
Let
m
be a binary string representing some piece of relevant information


a Petri net plan, its
invariants, or reachability graph.

Protocol 1:
User Alice is the author/owner of binary st
ring
m,

which she has already input to
SIGNET
TM
.
In order to sign

m,

Alice performs the following steps:

a.

She computes the fingerprint of
m
by means of hash function MD5:





h

= MD5(
m
)

b.

She signs
m

by encrypting its fingerprint
h with

E, the encryp
tion function of the
public
-
key system RSA, using her own secret key
S
(A).

The signature of string
m
will
be
s
= E
S
(A)

(
h
) .

c.

Alice sends concatenation <
m, s

> to Bob, its intended recipient.

Bob can verify
Alice’s signature
s

on message
m
, by performi
ng the following steps:

a.

He computes the hash function of message
m:

h’
= MD5(
m
)

b.

He decrypts
s
by means of the RSA decryption function D, using Alice’s public key
P
(A):

D
P
(A)

(
s
) = D
P
(A)

(
E
S
(A)

(
h
)
)

=
h.

This way Bob retrieves the original fingerprint
h.

c.

Bo
b accepts Alice’s signature if
h = h’.

Every system user can verify Alice’s signature the same way.

Protocol 2:
User Alice, again the author/owner of binary string
m,

wants
to both sign and
encrypt

m.

To this end, she performs the following steps:

a.

She com
putes the fingerprint of
m

by means of hash function MD5:
h

= MD5(
m
)

b.

She signs
h

by encrypting it with E, the RSA encryption function, using her own
secret key
S
(A).

The signature of
h
will be s = E
S
(A)

(
h
) .

c.

To provide for confidentiality, she again encr
ypts
m with

function E, but this time
using Bob’s public key
P
(B)
. The result is ciphertext

c

= E
P
(B)

(
m
) .

d.

Alice sends concatenation <
c, s

> to Bob.

In order to verify
Alice’s signature
s

and decrypt

ciphertext
c
,
Bob
has to perform following
steps:

a.

He
decrypts
c
by means of the RSA decryption function D using his own secret key
S
(B).

This way he retrieves the original string
m

= D
S
(B)

(
E
P
(B)

(
m
)
)

.

b.

He computes the hash function of string

m:

h’
= MD5(
m
)

c.

He decrypts
s
by means of the RSA decryption func
tion D, using Alice’s public key
P
(A).

He retrieves the original fingerprint
h
= D
P
(A)

(
s
)

= D
P
(A)

(
E
S
(A)

(
h
)
) .

d.

Bob accepts Alice’s signature if
h = h’.

Only Bob can verify Alice’s signature and decrypt the ciphertext, because no other user
knows his se
cret key
S
(B).


In SIGNET
TM
, fingerprinting, digital signature, and encryption are all based on RSA
cryptographic functions, and on the corresponding key generation algorithms. The next section
presents an overview on the authentication and confidentiality

functions of SIGNET
TM
.

5. SIGNET
TM

Services

In this section, we will present a comprehensive list of SIGNET
TM

services . Again we shall
assume Alice to be the author of a certain Petri net project, Bob its recipient, and
m

any
project component in binary
string form.

Key generation.

The KeyGenerator algorithm generates key pairs in the following format:

Secret key:

prime
p,

prime
q,

secret exponent
e

Public key:


public exponent
d,

modulus
n

Fingerprinting.

This service enables Alice fingerprint project
components to be sent to Bob,
by using his public key. Her choices are:



Attach fingerprint to input matrix



Attach fingerprint to output matrix



Attach fingerprint to incidence matrix



Attach fingerprint to S
-
invariants




Attach fingerprint to T
-
invariants



Att
ach fingerprint to reachability graph

This service also enables Bob, and only Bob, to check fingerprints using his own secret key.

Digital signature.

This service enables Alice to sign project components to be sent to Bob, by
encrypting them with her secre
t key. Her choices are:



Sign input matrix



Sign output matrix



Sign incidence matrix



Sign S
-
invariants




Sign

T
-
invariants




Sign reachability graph


This service enables Bob, or any interested third party, to check Alice’s signature by using her
public key.

E
ncryption.

This service enables Alice to

sign and encrypt
project components to be sent to
Bob by using both her own secret key (to sign), and his public key (for encryption) Her
choices are:



Sign and encrypt input matrix



Sign and encrypt output matrix



Sig
n and encrypt incidence matrix



Sign and encrypt S
-
invariants



Sign and encrypt T
-
invariants



Sign and encrypt reachability graph

The same service enables Bob, and only Bob, to check Alice’s signature by using her public
key and

decrypt the encrypted data.

6.

Error correction

Petri net plans are used to represent the intended behavior of real
-
world systems. However,
when a system is implemented and operated, all kind of unplanned situations may occur, re
-
gardless of the error states considered in its design.
Real
-
time detection and correction of such
accidental errors is a serious practical problem. SIGNET
TM

offers a solution based on the ap
-
plication of error
-
correcting codes, and suitable for distributed systems designed by means of
k
-
limited place
-
transitio
n nets. The key idea, previously published in [Pa96], is to extend the
net in such a way that "le
gal" net markings become words of a suitable error
-
correcting code.
Real
-
time algebra helps detecting and cor
recting unwanted situations.

SIGNET
TM

offers det
ection and correction of single marking errors by means via a
Hamming code defined over a suitable finite field.

7. Implementation and Testing

SIGNET
TM

was developed in Java2
TM
, using Sun Microsystems’ JDK 1.4 (Java Development
Kit), and IBM’s WebSphere S
tudio Application Developer
TM

for Windows.
SIGNET
TM

is a
highly portable application, which runs on any PC with an operating system supporting the
Java interpreter JVM (Java Virtual Machine).

The MD5 message digest algorithm, and the signature protocols we

used were taken
from the JCA
TM

(Java Cryptography Architecture) library
. RSA encryption/decryption
functions, and the key pair generator were taken from
JCE
TM

(Java Cryptography Extension).

On the contrary, error
-
correction algorithms were developed ex no
vo, in order to take the Petri
net structure into proper account.


SIGNET
TM

has been tested on a
Pentium Celeron
-
R, at 1.80 GHz, with a 256 MB
RAM under Windows XP
TM
.

Table 1 summarizes computation times for the generation of
RSA key pairs. Times are liste
d for key pairs of increasing modulus length.














Table 1



Incidence matrix size

(rows


columns)

Number of
elements

Signature CPU time
(seconds)

Signature verification
CPU time (seconds)

20


30

600

0,453

0,121

30


40

1200

0,609

0,182

50


50

2500

1,219

0,202

70


60

4200

1,572

0,310

90


80

720
0

1,678

0,261

120


100

12000

3,313

0,315

150


170

25500

11,860

0,303

170


200

34000

20,460

0,381

200


250

50000

43,406

0,411

200


300

60000

60,719

0,388

300


320

96000

151,375

0,454

400


300

120000

241,203

0,512

500


500

250000

978,343

0,54
1


Table 2


modulus length (bits)

CPU time (seconds)

512

6,375

640

6,375

768

6,656

896

6,813

1024

7,281

1152

6,969

1280

7,312

1408

7,469

1536

8,281

1664

8,620

1792

8,281

1920

10,781

2048

11,328


Table 2 summarizes computation times for signature and signature verification of a
variable
-
size incidence matrix with secret keys of 2048
-
bit. In both cases CPU times include
message digest computations. Table 3 summarizes computation times f
or encryption and
decryption of a variable
-
size incidence matrix, with keys of both 512
-
bit and of 2048
-
bit
lenght.



Incidence matrix size

(rows


columns)

Number of
elements

Encryption

512 bit
-

(2048 bit)

(seconds)

Decryption

512 bit
-

(2048 bit)

(s
econds)

20


30

600

0,563
-

(0,933)

0,437
-

(17,188)

30


40

1200

0,703
-

(1,780)

1,141
-

(34,828)

50


50

2500

0,282
-

(0,844)

1,812
-

(71,390)

70


60

4200

0,328
-

(1,328)

2,703
-

(119,60)

90


80

7200

0,594
-

(2,172)

4,421
-

(203,70)

120


100

120
00

0,781
-

(3,547)

7,188
-

(338,21)

150


170

25500

1,657
-

(3,468)

15,31
-

(713,95)

170


200

34000

2,630
-

(9,484)

20,54
-

(965,36)

200


250

50000

2,688
-

(14,78)

32,20
-

(1358,7)

200


300

60000

3,609
-

(16,86)

43,18
-

(1692,6)

300


320

96000

5,
687
-

(27,45)

62,92
-

(2703,6)

400


300

120000

5,188
-

(35,17)

79,57
-

(3379,3)

500


500

250000

11,78
-

(71,18)

205,2
-

(7048,6)


Table 3


All testing has been completed on a common PC with both 512
-
bit and 2048
-
bit keys.
Recall that 2048
-
bit RSA keys

are considered to be of military security level, and that a
500

500 incidence matrix represents a quite unusually large Petri net.


8. References


[Ad91]

Adámek J., Foundations of Coding, John Wiley & Sons, 1991

[Li82]


Lint van J.H., Introduction to Co
ding Theory, Springer
-
Verlag, 1991

[Pa96]


Pagnoni A., Detecting and Correcting Errors of Distributed Systems, Bulletin of the
EATCS, N.58, 1996

[Sc94]


Schneier B., Applied Cryptography, John Wiley & Sons, 1994

[St95]

Stallings W., Network and Internetw
ork Security, Prentice Hall, 1995


9. Acknowledgements

The idea of cryptographically securing complex Petri net projects was suggested to us by Prof.
Monika Heiner, Cottbus University; we truly thank her here.