Mihaela Ion, Giovanni Russello, Bruno Crispo


Publish/subscribe is a loosely-coupled communication paradigm which allows applications to interact indirectly and asynchronously. Publisher applications generate events that are sent to interested applications through a network of brokers. Subscriber applications express their interests by specifying filters that brokers can use for routing the events. In many cases it is desirable to protect the confidentiality of events and filters from any unauthorised parties, including the brokers themselves. Supporting confidentiality of messages being exchanged is challenging mainly because of the decoupling of publishers and subscribers who should not have to share keys, and because brokers forward messages based on the actual content of the messages that we desire to keep confidential. This paper argues that a complete solution for confidentiality in pub/sub systems should provide: (i) confidentiality of events and filters; (ii) filters that can express very complex constraints on events even if brokers are not able to access any information on both events and filters; (iii) and finally it does not require publishers and subscribers to share keys. We show that current solutions are not able to provide all these properties at the same time and suggest a possible solution based on attribute-based encryption and encrypted search.


  1. Bacon, J., Moody, K., Bates, J., Hayton, R., Ma, C., McNeil, A., Seidel, O., and Spiteri, M. (2000). Generic support for distributed applications. IEEE Computer, 33(3):68-76.
  2. Banavar, G., Chandra, T., Mukherjee, B., Nagarajarao, J., Strom, R., and Sturman, D. (1999). An efficient multicast protocol for content-based publish-subscribe systems. In International Conference on Distributed Computing Systems, volume 19, pages 262-272. IEEE COMPUTER SOCIETY PRESS.
  3. Bethencourt, J., Sahai, A., and Waters, B. (2007). Ciphertext-policy attribute-based encryption. In IEEE Symposium on Security and Privacy, pages 321-334. Citeseer.
  4. Carzaniga, A., Rosenblum, D., and Wolf, A. (2001). Design and evaluation of a wide-area event notification service. ACM Transactions on Computer Systems (TOCS), 19(3):332-383.
  5. Dong, C., Russello, G., and Dulay, N. (2008). Shared and Searchable Encrypted Data for Untrusted Servers. Lecture Notes in Computer Science, 5094:127-143.
  6. Eugster, P., Felber, P., Guerraoui, R., and Kermarrec, A. (2003). The many faces of publish/subscribe. ACM Computing Surveys (CSUR), 35(2):131.
  7. Goyal, V., Pandey, O., Sahai, A., and Waters, B. (2006). Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM conference on Computer and communications security, page 98. ACM.
  8. Hapner, M., B. R. S. R. F. J. and Stout, K. (2002). Java message service. Sun Microsystems Inc., Santa Clara, CA.
  9. Khurana, H. (2005). Scalable security and accounting services for content-based publish/subscribe systems. In Proceedings of the 2005 ACM symposium on Applied computing, page 807. ACM.
  10. Ostrovsky, R., Sahai, A., and Waters, B. (2007). Attributebased encryption with non-monotonic access structures. In Proceedings of the 14th ACM conference on Computer and communications security, page 203. ACM.
  11. Raiciu, C. and Rosenblum, D. (2006). Enabling confidentiality in content-based publish/subscribe infrastructures. Securecomm and Workshops, 28:1-11.
  12. Shikfa, A., Onen, M., and Molva, R. (2009). PrivacyPreserving Content-Based Publish/Subscribe Networks. In Emerging Challenges for Security, Privacy and Trust: 24th Ifip Tc 11 International Information Security Conference, SEC 2009, Pafos, Cyprus, May 18-20, 2009, Proceedings, page 270. Springer.
  13. Singhera, Z. (2008). A workload model for topic-based publish/subscribe systems.
  14. Srivatsa, M. and Liu, L. (2007). Secure event dissemination in publish-subscribe networks. In Proceedings of the 27th International Conference on Distributed Computing Systems, page 22. Citeseer.
  15. Wang, C., Carzaniga, A., Evans, D., and Wolf, A. (2002). Security issues and requirements for Internet-scale publish-subscribe systems. In PROCEEDINGS OF THE ANNUAL HAWAII INTERNATIONAL CONFERENCE ON SYSTEM SCIENCES, pages 303-303.
  16. Zhuang, S., Zhao, B., Joseph, A., Katz, R., and Kubiatowicz, J. (2001). Bayeux: An architecture for scalable and fault-tolerant wide-area data dissemination. In Proceedings of the 11th international workshop on Network and operating systems support for digital audio and video, page 20. ACM.

Paper Citation

in Harvard Style

Ion M., Russello G. and Crispo B. (2010). PROVIDING CONFIDENTIALITY IN CONTENT-BASED PUBLISH/SUBSCRIBE SYSTEMS . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010) ISBN 978-989-8425-18-8, pages 287-292. DOI: 10.5220/0002993602870292

in Bibtex Style

author={Mihaela Ion and Giovanni Russello and Bruno Crispo},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)},

in EndNote Style

JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)
SN - 978-989-8425-18-8
AU - Ion M.
AU - Russello G.
AU - Crispo B.
PY - 2010
SP - 287
EP - 292
DO - 10.5220/0002993602870292