Design and implementation of a confidentiality and access control solution for publish/subscribe systems

The publish/subscribe model offers a loosely-coupled communication paradigm where applications interact indirectly and asynchronously. Publishers generate events that are sent to interested applications through a network of brokers. Subscribers express their interest by specifying filters that brokers can use for routing the events. Supporting confidentiality of messages being exchanged is still challenging. First of all, it is desirable that any scheme used for protecting the confidentiality of both the events and filters should not require publishers and subscribers to share secret keys. In fact, such a restriction is against the loose-coupling of the model. Moreover, such a scheme should not restrict the expressiveness of filters and should allow the broker to perform event filtering to route the events to the interested parties. Existing solutions do not fully address these issues. In this paper, we provide a novel scheme that supports (i) confidentiality for events and filters; (ii) allows publishers to express further constraints about who can access their events; (iii) filters that can express very complex constraints on events even if brokers are not able to access any information in clear on both events and filters; (iv) and, finally, it does not require publishers and subscribers to share keys. Furthermore, we show how we applied our scheme to a real-world e-health scenario, developed together with a hospital. We also describe the implementation of our solution in Java and the integration with an existing publish/subscribe system.