The publish/subscribe communication model is increasingly considered for implementing middleware infrastructures for widely distributed applications. Scalability issues and routing algorithms of such systems have recently been the focus of intensive research. So far little attention has been given to security and management issues.

Publish/subscribe is emerging as a very flexible communication paradigm that is applicable to environments demanding scalable and evolvable architectures. Although considered for workflow, electronic commerce, mobile systems, and others, security issues have long been neglected in publish/subscribe systems. Recent advances address this issue, but only on a low, technical level. In this paper, we analyze the trust relationships between producers, consumers, and the notification infrastructure. We devise groups of trust to model and implement security constraints both on the application and the system level. The concept of scopes helps to localize and implement security policies as an aspect of structured publish/subscribe systems.

In the paper we present a framework for the secure end-to-end delivery of messages in distributed messaging infrastructures based on the publish/subscribe paradigm. The framework enables authorized publishing and consumption of messages. Brokers, which constitute individual nodes within the messaging infrastructure, also ensure that the dissemination of content is enabled only for authorized entities. The framework includes strategies to cope with attack scenarios such as denial of service attacks and replay attacks. Finally, we include experimental results from our implementation of the framework outlined in this paper.

Content-based publish/subscribe systems offer an interaction scheme that is appropriate for a variety of large scale dynamic applications. However, widespread use of these systems is hindered by a lack of suitable security services. In this paper we present scalable solutions for confidentiality, integrity, and authentication for these systems. We also provide verifiable usagebased accounting services, which are required for e-commerce and e-business applications that use publish/subscribe systems. Our solutions are applicable in a setting where publishers and subscribers may not trust the publish/subscribe infrastructure. Keywords: Publish/subscribe systems, Electronic Commerce, Security

this paper, we present our prototype implementation of this framework. The paper presents implementation details of key components within the system. We have also performed a series of experiments that would affect the design of components within the system, as well as the encryption strategies chosen by entities within the system

Publish/subscribe systems provide an efficient, event-based, wide-area distributed communications infrastructure. Large scale publish/subscribe systems are likely to employ components of the event transport network owned by cooperating, but independent organisations. As the number of participants in the network increases, security becomes an increasing concern. This paper extends previous work to present and evaluate a secure multi-domain publish/subscribe infrastructure that supports and enforces fine-grained access control over the individual attributes of event types. Key refresh allows us to ensure forward and backward security when event brokers join and leave the network. We demonstrate that the time and space overheads can be minimised by careful consideration of encryption techniques, and by the use of caching to decrease unnecessary decryptions. We show that our approach has a smaller overall communication overhead than existing approaches for achieving the same degree of control over security in publish/subscribe networks.

Publish/subscribe research has so far been mostly focused on efficient event routing, event filtering, and composite event detection. The little research that has been published regarding security in publish/subscribe systems has been tentative at best. This paper presents a model for secure type names, and definitions for type-checked, content-based publish/subscribe systems. Our model provides a cryptographically verifiable binding between type names and type definitions. It also produces self-certifiable type definitions that guarantee type definition authenticity and integrity. We also consider type management in a large-scale publish/subscribe system and present a way for delegating management duties to type managers by issuing SPKI authorisation certificates. We feel that secure names are a prerequisite for most other security related work with publish/subscribe systems. 1.

Abstract. A simple and effective way of coordinating distributed, mobile, and parallel applications is to use a virtual shared memory (VSM), such as a Linda tuple-space. In this paper, we propose a new kind of VSM, called a tagged set. Each element in the VSM is a value with an associated tag, and values are read or removed from the VSM by matching the tag. Tagged sets exhibit three properties useful for VSMs: 1. Ease of use. A tagged value naturally corresponds to the notion that data has certain attributes, expressed by the tag, which can be used for later retrieval. 2. Flexibility. Tags are implemented as propositional logic formulae, and selection as logical implication, so the resulting system is quite powerful. Tagged sets naturally support a variety of applications, such as shared data repositories (e.g., for media or e-mail), message passing, and publish/subscribe algorithms; they are powerful enough to encode existing VSMs, such as Linda spaces. 3. Security. Our notion of tags naturally corresponds to keys, or capabilities: a user may not select data in the set unless she presents a legal key or keys. Normal tags correspond to symmetric keys, and we introduce asymmetric tags that correspond to public and private key pairs. Treating tags as keys permits users to easily specify protection criteria for data at a fine granularity. This paper motivates our approach, sketches its basic theory, and places it in the context of other data management strategies. 1

Two convincing paradigms have emerged for achieving scalability in widely distributed systems: publish/subscribe communication and role-based, policy-driven control of access to the system by applications. A strength of publish/ subscribe is its many-to-many communication paradigm and loose coupling of components, so that publishers need not know the recipients of their data and subscribers need not know the number and location of publishers. But some data is sensitive, and its visibility must be controlled carefully for personal and legal reasons. We describe the requirements of several application domains where the event-based paradigm is appropriate yet where security is an issue. Typical are the large-scale systems required by government and public bodies for domains such as healthcare, police, transport and environmental monitoring. We discuss how a publish/subscribe service can be secured; firstly by specifying and enforcing access control policy at the service API, and secondly by enforcing the security and privacy aspects of these policies within the service network itself. Finally, we describe an alternative to whole-message encryption, appropriate for highly sensitive and long-lived data destined for specific domains with varied requirements. We outline our investigations and findings from several research projects in these areas.

A location tracking sensor network is being deployed in several buildings at the University of Michigan to help explore issues in design of pervasive environments. Managing privacy is expected to be a significant concern for acceptance of such pervasive environments. This paper outlines an initial design of a publish-subscribe communication substrate for controlled distribution of sensor data. We describe our prototype as well as a privacy-aware location-tracking application built on top of the system. The focus of this paper is on policy management. We provide users with the means to control distribution of data about them (such as their location information) through the use of privacy policies. The paper shows how a wide variety of policies can be specified in the system and points out directions for future work.