SIGNET: A Tool for Securing Complex Petri

Net Projects
Anastasia Pagnoni
1
, Andrea Visconti
1
, Massimo Russo
1
1
Department of Computer Science and Communication
–
University of Milan, Italy
{pagnoni, visconti}@dico.unimi.it
Abstract.
SIGNET
TM
is a multifu
nctional tool for making secure large,
complex Petri net
projects. It provides for: (a)
authentication
, digital signature, and public

key encryption of net
plans and their analysis (reachability graphs and net invariants)
to be transmitted or stored,
and
(
b) detection and correction of marking errors in Petri nets used for monitoring system
implementations.
Keywords.
Petri net, integrity, authentication, digital signature, cryptography, error correction
Contents
1.
Introduction
2.
Overall Design and Data Input
3.
Authentication
4.
Cryptography
5.
Signature Protocols
6.
Error

correction
7.
Implementation and Testing
8.
References
9.
Acknowledgements
1. Introduction
Real

world Petri net applications usually result in a substantial collection of complex net
plans, together with some a
nalysis outcome
–
reachability graphs, invariants, deadlocks, traps,
simulations, etc. This is a valuable, often quite costly throughput that can be endangered in
many ways.
Large, complex Petri nets produced by means of net editors can very easily be dama
ged
by incompetent users with access to the programs; both net components and analysis outcome
may be damaged
–
markings can be accidentally modified, arcs deleted, and so on. Whenever
a Petri net project has to be delivered to a customer its authenticatio
n becomes a bipartisan
issue. From the one side, project designers want to preserve the integrity of the project, that is,
to make sure that no alterations are introduced by unauthorized persons; from the other,
customers require that the project designer
take full responsibility for their work, possibly in a
legally binding form (digital signature).
Confidentiality may be required in order to prevent unauthorized individuals from
illegally accessing, copying, or using project components.
SIGNET
TM
is a too
l specifically designed for the protection of large, complex Petri

net
projects. It offers four services:
a.
Protection of the integrity of project components:
a strong fingerprinting algorithm
protects net plans and their analysis (reachability graph and net
invariants) from
accidental corruption due to unskilled or malicious users.
b.
Digital signature of project components:
easy

to

verify, non

repudiable public

key
(RSA) signature allows certification of the origin of net plans and their analysis.
c.
Confidentia
lity of Petri net projects:
RSA encryption of project components guards
the secrecy of net plans and their analysis.
d.
Error correction in Petri

net

monitored implementations:
Hamming encoding for the
detection and correction of accidental marking errors in
k

limited place/transition nets
used for monitoring real

world project implementations.
Sections 2

5 present a detailed description of these services; implementation and testing will
be discussed in Section 6. We assume readers to be familiar with Petri ne
ts, and with the
basics of coding theory and cryptography.
2. Overall Design and Data Input
SIGNET
TM
is a stand

alone application, but was designed for later embedding into one of the
existing Petri

net editors. For this reason, it has neither graphical e
ditor, nor analysis
functionalities of his own. As it is, users input data directly; in particular, Petri nets are input
as a pair of input and output incidence matrices. This choice
–
two separate incidence
matrices, one for the input, and one for the out
put arcs of transitions
–
is to allow for the
modeling of side conditions.
Reachability graphs will be input as adjacency lists, that is, as indexed vectors of linked
lists. Net invariants will be input in the usual way, as S

and T

vectors.
3. Authentic
ation
Integrity protection.
Fingerprinting is a very efficient way of securing the integrity of data of
large, variable size, like complex Petri net plans and reachability graphs. Secure encryption of
data alone would also protect their integrity, because
decryption of altered cryptograms results
in meaningless information. However, encryption of large, complex Petri nets and reachability
graphs is a very time

consuming operation, that should better be avoided whenever
confidentiality is not required.
In
SIGNET the fingerprint of a binary string
m
is implemented as the RSA

encrypted
MD5

message digest of
m
. MD5 is a
strong
hash function, developed by Ron Rivest at MIT,
and NIST cryptographic standard RFC 1321. MD5 inputs a string of bit of variable lengt
h, and
outputs a (short) string of 128 bit, MD5(
m
), called the
message digest
of
m.
It is called a
strong
hash function because it is computationally unfeasible to find two different strings with
the same message digest [St95]. Therfore, bit changes in
m
w
ill be detected by the mismatch
between the altered string
m’
and the message digest of the original string
m.
As it is costumary in cryptographic literature, will will assume that SIGNET
TM
user
Alice
is the author/owner of a certain piece of information
m
–
a net plan, a reachability graph,
etc.
–
while user that
Bob
is the intended recipient/costumer of it.
The fingerprint of
m
is produced by Alice by RSA

encrypting [St95] the 128

bit
message digest of
m,
h =
MD5(
m
), with the public key of Bob. She wil
l than send the
concatenation
<
m
,
MD5(
m
)
>
to Bob. The message digest must always be encrypted to
prevent malicious users to forge counterfeit
<
m
,
MD5(
m
)
>
pairs.
The fingerprint of
m
allows Bob to verify that no accidental or intentional changes have
been m
ade to the original message
m.
To this end, Bob will first apply his RSA secret key to
the fingerprint, and recover the original message digest
h
. He will then re

compute MD5(
m
),
the message digest of the received string
m,
and check if
h
and MD5(
m
) match.
If, and only if,
they do match,
m
will be accepted as the original string.
A fingerprint protects Alice and Bob from both accidental errors and malicious third
parties, but it does not protect them from each other. Bob can always forge a different proje
ct
component, compute its fingerprint (encrypted with Bob’s own public

key) and claim that the
rusulting pair
<
m’,
MD5(
m’
)
>
came from Alice. For this reason, Alice can always deny that
she ever produced a certain project component. In order to protect the
two parties from each
other, a digital signature must be used.
Digital signature.
The author of a project can digitally sign net plans, reachability graphs,
and/or net invariants in order to guarantee their origin. Digital signature of a Petri net project
,
or of any of its components, protects authors and customers as well, because: (a) it is not
forgeable, and constitutes a sure proof of the author’s identity, and of the date and time of
signature, (b) it cannot be repudiated, as it was computed using in
formation uniquely known to
its author, (c) it is verifiable by third parties, and can therefore be used as a legal proof of
origin of signed information, and (c) a signed net cannot be altered by either its author or its
recipient.
In SIGNET
TM
digital si
gnature on a binary string
m
is implemented by RSA

encrypting
the message digest MD5(
m
) with the user’s
secret
key.
4. Cryptography
SIGNET
TM
offers the choice between two different signature protocols: the one only provides
for digital signature, while th
e other also protects confidentiality. Let us describe them briefly.
Let
m
be a binary string representing some piece of relevant information
–
a Petri net plan, its
invariants, or reachability graph.
Protocol 1:
User Alice is the author/owner of binary st
ring
m,
which she has already input to
SIGNET
TM
.
In order to sign
m,
Alice performs the following steps:
a.
She computes the fingerprint of
m
by means of hash function MD5:
h
= MD5(
m
)
b.
She signs
m
by encrypting its fingerprint
h with
E, the encryp
tion function of the
public

key system RSA, using her own secret key
S
(A).
The signature of string
m
will
be
s
= E
S
(A)
(
h
) .
c.
Alice sends concatenation <
m, s
> to Bob, its intended recipient.
Bob can verify
Alice’s signature
s
on message
m
, by performi
ng the following steps:
a.
He computes the hash function of message
m:
h’
= MD5(
m
)
b.
He decrypts
s
by means of the RSA decryption function D, using Alice’s public key
P
(A):
D
P
(A)
(
s
) = D
P
(A)
(
E
S
(A)
(
h
)
)
=
h.
This way Bob retrieves the original fingerprint
h.
c.
Bo
b accepts Alice’s signature if
h = h’.
Every system user can verify Alice’s signature the same way.
Protocol 2:
User Alice, again the author/owner of binary string
m,
wants
to both sign and
encrypt
m.
To this end, she performs the following steps:
a.
She com
putes the fingerprint of
m
by means of hash function MD5:
h
= MD5(
m
)
b.
She signs
h
by encrypting it with E, the RSA encryption function, using her own
secret key
S
(A).
The signature of
h
will be s = E
S
(A)
(
h
) .
c.
To provide for confidentiality, she again encr
ypts
m with
function E, but this time
using Bob’s public key
P
(B)
. The result is ciphertext
c
= E
P
(B)
(
m
) .
d.
Alice sends concatenation <
c, s
> to Bob.
In order to verify
Alice’s signature
s
and decrypt
ciphertext
c
,
Bob
has to perform following
steps:
a.
He
decrypts
c
by means of the RSA decryption function D using his own secret key
S
(B).
This way he retrieves the original string
m
= D
S
(B)
(
E
P
(B)
(
m
)
)
.
b.
He computes the hash function of string
m:
h’
= MD5(
m
)
c.
He decrypts
s
by means of the RSA decryption func
tion D, using Alice’s public key
P
(A).
He retrieves the original fingerprint
h
= D
P
(A)
(
s
)
= D
P
(A)
(
E
S
(A)
(
h
)
) .
d.
Bob accepts Alice’s signature if
h = h’.
Only Bob can verify Alice’s signature and decrypt the ciphertext, because no other user
knows his se
cret key
S
(B).
In SIGNET
TM
, fingerprinting, digital signature, and encryption are all based on RSA
cryptographic functions, and on the corresponding key generation algorithms. The next section
presents an overview on the authentication and confidentiality
functions of SIGNET
TM
.
5. SIGNET
TM
Services
In this section, we will present a comprehensive list of SIGNET
TM
services . Again we shall
assume Alice to be the author of a certain Petri net project, Bob its recipient, and
m
any
project component in binary
string form.
Key generation.
The KeyGenerator algorithm generates key pairs in the following format:
Secret key:
prime
p,
prime
q,
secret exponent
e
Public key:
public exponent
d,
modulus
n
Fingerprinting.
This service enables Alice fingerprint project
components to be sent to Bob,
by using his public key. Her choices are:
Attach fingerprint to input matrix
Attach fingerprint to output matrix
Attach fingerprint to incidence matrix
Attach fingerprint to S

invariants
Attach fingerprint to T

invariants
Att
ach fingerprint to reachability graph
This service also enables Bob, and only Bob, to check fingerprints using his own secret key.
Digital signature.
This service enables Alice to sign project components to be sent to Bob, by
encrypting them with her secre
t key. Her choices are:
Sign input matrix
Sign output matrix
Sign incidence matrix
Sign S

invariants
Sign
T

invariants
Sign reachability graph
This service enables Bob, or any interested third party, to check Alice’s signature by using her
public key.
E
ncryption.
This service enables Alice to
sign and encrypt
project components to be sent to
Bob by using both her own secret key (to sign), and his public key (for encryption) Her
choices are:
Sign and encrypt input matrix
Sign and encrypt output matrix
Sig
n and encrypt incidence matrix
Sign and encrypt S

invariants
Sign and encrypt T

invariants
Sign and encrypt reachability graph
The same service enables Bob, and only Bob, to check Alice’s signature by using her public
key and
decrypt the encrypted data.
6.
Error correction
Petri net plans are used to represent the intended behavior of real

world systems. However,
when a system is implemented and operated, all kind of unplanned situations may occur, re

gardless of the error states considered in its design.
Real

time detection and correction of such
accidental errors is a serious practical problem. SIGNET
TM
offers a solution based on the ap

plication of error

correcting codes, and suitable for distributed systems designed by means of
k

limited place

transitio
n nets. The key idea, previously published in [Pa96], is to extend the
net in such a way that "le
gal" net markings become words of a suitable error

correcting code.
Real

time algebra helps detecting and cor
recting unwanted situations.
SIGNET
TM
offers det
ection and correction of single marking errors by means via a
Hamming code defined over a suitable finite field.
7. Implementation and Testing
SIGNET
TM
was developed in Java2
TM
, using Sun Microsystems’ JDK 1.4 (Java Development
Kit), and IBM’s WebSphere S
tudio Application Developer
TM
for Windows.
SIGNET
TM
is a
highly portable application, which runs on any PC with an operating system supporting the
Java interpreter JVM (Java Virtual Machine).
The MD5 message digest algorithm, and the signature protocols we
used were taken
from the JCA
TM
(Java Cryptography Architecture) library
. RSA encryption/decryption
functions, and the key pair generator were taken from
JCE
TM
(Java Cryptography Extension).
On the contrary, error

correction algorithms were developed ex no
vo, in order to take the Petri
net structure into proper account.
SIGNET
TM
has been tested on a
Pentium Celeron

R, at 1.80 GHz, with a 256 MB
RAM under Windows XP
TM
.
Table 1 summarizes computation times for the generation of
RSA key pairs. Times are liste
d for key pairs of increasing modulus length.
Table 1
Incidence matrix size
(rows
columns)
Number of
elements
Signature CPU time
(seconds)
Signature verification
CPU time (seconds)
20
30
600
0,453
0,121
30
40
1200
0,609
0,182
50
50
2500
1,219
0,202
70
60
4200
1,572
0,310
90
80
720
0
1,678
0,261
120
100
12000
3,313
0,315
150
170
25500
11,860
0,303
170
200
34000
20,460
0,381
200
250
50000
43,406
0,411
200
300
60000
60,719
0,388
300
320
96000
151,375
0,454
400
300
120000
241,203
0,512
500
500
250000
978,343
0,54
1
Table 2
modulus length (bits)
CPU time (seconds)
512
6,375
640
6,375
768
6,656
896
6,813
1024
7,281
1152
6,969
1280
7,312
1408
7,469
1536
8,281
1664
8,620
1792
8,281
1920
10,781
2048
11,328
Table 2 summarizes computation times for signature and signature verification of a
variable

size incidence matrix with secret keys of 2048

bit. In both cases CPU times include
message digest computations. Table 3 summarizes computation times f
or encryption and
decryption of a variable

size incidence matrix, with keys of both 512

bit and of 2048

bit
lenght.
Incidence matrix size
(rows
columns)
Number of
elements
Encryption
512 bit

(2048 bit)
(seconds)
Decryption
512 bit

(2048 bit)
(s
econds)
20
30
600
0,563

(0,933)
0,437

(17,188)
30
40
1200
0,703

(1,780)
1,141

(34,828)
50
50
2500
0,282

(0,844)
1,812

(71,390)
70
60
4200
0,328

(1,328)
2,703

(119,60)
90
80
7200
0,594

(2,172)
4,421

(203,70)
120
100
120
00
0,781

(3,547)
7,188

(338,21)
150
170
25500
1,657

(3,468)
15,31

(713,95)
170
200
34000
2,630

(9,484)
20,54

(965,36)
200
250
50000
2,688

(14,78)
32,20

(1358,7)
200
300
60000
3,609

(16,86)
43,18

(1692,6)
300
320
96000
5,
687

(27,45)
62,92

(2703,6)
400
300
120000
5,188

(35,17)
79,57

(3379,3)
500
500
250000
11,78

(71,18)
205,2

(7048,6)
Table 3
All testing has been completed on a common PC with both 512

bit and 2048

bit keys.
Recall that 2048

bit RSA keys
are considered to be of military security level, and that a
500
500 incidence matrix represents a quite unusually large Petri net.
8. References
[Ad91]
Adámek J., Foundations of Coding, John Wiley & Sons, 1991
[Li82]
Lint van J.H., Introduction to Co
ding Theory, Springer

Verlag, 1991
[Pa96]
Pagnoni A., Detecting and Correcting Errors of Distributed Systems, Bulletin of the
EATCS, N.58, 1996
[Sc94]
Schneier B., Applied Cryptography, John Wiley & Sons, 1994
[St95]
Stallings W., Network and Internetw
ork Security, Prentice Hall, 1995
9. Acknowledgements
The idea of cryptographically securing complex Petri net projects was suggested to us by Prof.
Monika Heiner, Cottbus University; we truly thank her here.
Σχόλια 0
Συνδεθείτε για να κοινοποιήσετε σχόλιο