SIGNET: A Tool for Securing Complex Petri-Net Projects
Anastasia Pagnoni1, Andrea Visconti1, Massimo Russo1
Department of Computer Science and Communication – University of Milan, Italy
1
{pagnoni, visconti}@dico.unimi.it
Abstract. SIGNETTM is a multifunctional tool for making secure large, complex Petri net
projects. It provides for: (a) authentication, digital signature, and public-key encryption of net
plans and their analysis (reachability graphs and net invariants) to be transmitted or stored, and
(b) detection and correction of marking errors in Petri nets used for monitoring system
implementations.
Keywords. Petri net, integrity, authentication, digital signature, cryptography, error correction
Contents
1.
2.
3.
4.
5.
6.
7.
8.
9.
Introduction
Overall Design and Data Input
Authentication
Cryptography
Signature Protocols
Error-correction
Implementation and Testing
References
Acknowledgements
1. Introduction
Real-world Petri net applications usually result in a substantial collection of complex net
plans, together with some analysis outcome – reachability graphs, invariants, deadlocks, traps,
simulations, etc. This is a valuable, often quite costly throughput that can be endangered in
many ways.
Large, complex Petri nets produced by means of net editors can very easily be damaged
by incompetent users with access to the programs; both net components and analysis outcome
may be damaged – markings can be accidentally modified, arcs deleted, and so on. Whenever
a Petri net project has to be delivered to a customer its authentication becomes a bipartisan
issue. From the one side, project designers want to preserve the integrity of the project, that is,
to make sure that no alterations are introduced by unauthorized persons; from the other,
customers require that the project designer take full responsibility for their work, possibly in a
legally binding form (digital signature).
Confidentiality may be required in order to prevent unauthorized individuals from
illegally accessing, copying, or using project components.
SIGNETTM is a tool specifically designed for the protection of large, complex Petri-net
projects. It offers four services:
a.
Protection of the integrity of project components: a strong fingerprinting algorithm
protects net plans and their analysis (reachability graph and net invariants) from
accidental corruption due to unskilled or malicious users.
b.
Digital signature of project components: easy-to-verify, non-repudiable public-key
(RSA) signature allows certification of the origin of net plans and their analysis.
c.
Confidentiality of Petri net projects: RSA encryption of project components guards
the secrecy of net plans and their analysis.
d.
Error correction in Petri-net-monitored implementations: Hamming encoding for the
detection and correction of accidental marking errors in k-limited place/transition nets
used for monitoring real-world project implementations.
Sections 2-5 present a detailed description of these services; implementation and testing will
be discussed in Section 6. We assume readers to be familiar with Petri nets, and with the
basics of coding theory and cryptography.
2. Overall Design and Data Input
SIGNETTM is a stand-alone application, but was designed for later embedding into one of the
existing Petri-net editors. For this reason, it has neither graphical editor, nor analysis
functionalities of his own. As it is, users input data directly; in particular, Petri nets are input
as a pair of input and output incidence matrices. This choice – two separate incidence
matrices, one for the input, and one for the output arcs of transitions – is to allow for the
modeling of side conditions.
Reachability graphs will be input as adjacency lists, that is, as indexed vectors of linked
lists. Net invariants will be input in the usual way, as S- and T-vectors.
3. Authentication
Integrity protection. Fingerprinting is a very efficient way of securing the integrity of data of
large, variable size, like complex Petri net plans and reachability graphs. Secure encryption of
data alone would also protect their integrity, because decryption of altered cryptograms results
in meaningless information. However, encryption of large, complex Petri nets and reachability
graphs is a very time-consuming operation, that should better be avoided whenever
confidentiality is not required.
In SIGNET the fingerprint of a binary string m is implemented as the RSA-encrypted
MD5-message digest of m. MD5 is a strong hash function, developed by Ron Rivest at MIT,
and NIST cryptographic standard RFC 1321. MD5 inputs a string of bit of variable length, and
outputs a (short) string of 128 bit, MD5(m), called the message digest of m. It is called a
strong hash function because it is computationally unfeasible to find two different strings with
the same message digest [St95]. Therfore, bit changes in m will be detected by the mismatch
between the altered string m’ and the message digest of the original string m.
As it is costumary in cryptographic literature, will will assume that SIGNET TM user
Alice is the author/owner of a certain piece of information m – a net plan, a reachability graph,
etc. – while user that Bob is the intended recipient/costumer of it.
The fingerprint of m is produced by Alice by RSA-encrypting [St95] the 128-bit
message digest of m, h = MD5(m), with the public key of Bob. She will than send the
concatenation <m, MD5(m)> to Bob. The message digest must always be encrypted to
prevent malicious users to forge counterfeit <m, MD5(m)> pairs.
The fingerprint of m allows Bob to verify that no accidental or intentional changes have
been made to the original message m. To this end, Bob will first apply his RSA secret key to
the fingerprint, and recover the original message digest h. He will then re-compute MD5(m),
the message digest of the received string m, and check if h and MD5(m) match. If, and only if,
they do match, m will be accepted as the original string.
A fingerprint protects Alice and Bob from both accidental errors and malicious third
parties, but it does not protect them from each other. Bob can always forge a different project
component, compute its fingerprint (encrypted with Bob’s own public-key) and claim that the
rusulting pair <m’, MD5(m’)> came from Alice. For this reason, Alice can always deny that
she ever produced a certain project component. In order to protect the two parties from each
other, a digital signature must be used.
Digital signature. The author of a project can digitally sign net plans, reachability graphs,
and/or net invariants in order to guarantee their origin. Digital signature of a Petri net project,
or of any of its components, protects authors and customers as well, because: (a) it is not
forgeable, and constitutes a sure proof of the author’s identity, and of the date and time of
signature, (b) it cannot be repudiated, as it was computed using information uniquely known to
its author, (c) it is verifiable by third parties, and can therefore be used as a legal proof of
origin of signed information, and (c) a signed net cannot be altered by either its author or its
recipient.
In SIGNETTM digital signature on a binary string m is implemented by RSA-encrypting
the message digest MD5(m) with the user’s secret key.
4. Cryptography
SIGNETTM offers the choice between two different signature protocols: the one only provides
for digital signature, while the other also protects confidentiality. Let us describe them briefly.
Let m be a binary string representing some piece of relevant information – a Petri net plan, its
invariants, or reachability graph.
Protocol 1: User Alice is the author/owner of binary string m, which she has already input to
SIGNETTM. In order to sign m, Alice performs the following steps:
a.
She computes the fingerprint of m by means of hash function MD5:
h = MD5(m)
b.
She signs m by encrypting its fingerprint h with E, the encryption function of the
public-key system RSA, using her own secret key S(A). The signature of string m will
be s = ES(A) (h) .
c.
Alice sends concatenation < m, s > to Bob, its intended recipient.
Bob can verify Alice’s signature s on message m, by performing the following steps:
a.
He computes the hash function of message m: h’= MD5(m)
b.
He decrypts s by means of the RSA decryption function D, using Alice’s public key
P(A): DP(A) (s) = DP(A) (ES(A) (h)) = h. This way Bob retrieves the original fingerprint
h.
c.
Bob accepts Alice’s signature if h = h’.
Every system user can verify Alice’s signature the same way.
Protocol 2: User Alice, again the author/owner of binary string m, wants to both sign and
encrypt m. To this end, she performs the following steps:
a.
She computes the fingerprint of m by means of hash function MD5: h = MD5(m)
b.
She signs h by encrypting it with E, the RSA encryption function, using her own
secret key S(A). The signature of h will be s = ES(A) (h) .
c.
To provide for confidentiality, she again encrypts m with function E, but this time
using Bob’s public key P(B). The result is ciphertext c = EP(B) (m) .
d.
Alice sends concatenation < c, s > to Bob.
In order to verify Alice’s signature s and decrypt ciphertext c, Bob has to perform following
steps:
a.
He decrypts c by means of the RSA decryption function D using his own secret key
S(B). This way he retrieves the original string m = DS(B) (EP(B) (m)) .
b.
He computes the hash function of string m: h’= MD5(m)
c.
He decrypts s by means of the RSA decryption function D, using Alice’s public key
P(A). He retrieves the original fingerprint h = DP(A) (s) = DP(A) (ES(A) (h)) .
d.
Bob accepts Alice’s signature if h = h’.
Only Bob can verify Alice’s signature and decrypt the ciphertext, because no other user
knows his secret key S(B).
In SIGNETTM, fingerprinting, digital signature, and encryption are all based on RSA
cryptographic functions, and on the corresponding key generation algorithms. The next section
presents an overview on the authentication and confidentiality functions of SIGNETTM.
5. SIGNETTM Services
In this section, we will present a comprehensive list of SIGNETTM services . Again we shall
assume Alice to be the author of a certain Petri net project, Bob its recipient, and m any
project component in binary string form.
Key generation. The KeyGenerator algorithm generates key pairs in the following format:
Secret key: prime p, prime q, secret exponent e
Public key: public exponent d, modulus n
Fingerprinting. This service enables Alice fingerprint project components to be sent to Bob,
by using his public key. Her choices are:
 Attach fingerprint to input matrix
 Attach fingerprint to output matrix
 Attach fingerprint to incidence matrix
 Attach fingerprint to S-invariants
 Attach fingerprint to T-invariants
 Attach fingerprint to reachability graph
This service also enables Bob, and only Bob, to check fingerprints using his own secret key.
Digital signature. This service enables Alice to sign project components to be sent to Bob, by
encrypting them with her secret key. Her choices are:
 Sign input matrix
 Sign output matrix
 Sign incidence matrix
 Sign S-invariants
 Sign T-invariants
 Sign reachability graph
This service enables Bob, or any interested third party, to check Alice’s signature by using her
public key.
Encryption. This service enables Alice to sign and encrypt project components to be sent to
Bob by using both her own secret key (to sign), and his public key (for encryption) Her
choices are:
 Sign and encrypt input matrix
 Sign and encrypt output matrix
 Sign and encrypt incidence matrix
 Sign and encrypt S-invariants
 Sign and encrypt T-invariants
 Sign and encrypt reachability graph
The same service enables Bob, and only Bob, to check Alice’s signature by using her public
key and decrypt the encrypted data.
6. Error correction
Petri net plans are used to represent the intended behavior of real-world systems. However,
when a system is implemented and operated, all kind of unplanned situations may occur, regardless of the error states considered in its design. Real-time detection and correction of such
accidental errors is a serious practical problem. SIGNETTM offers a solution based on the application of error-correcting codes, and suitable for distributed systems designed by means of
k-limited place-transition nets. The key idea, previously published in [Pa96], is to extend the
net in such a way that "legal" net markings become words of a suitable error-correcting code.
Real-time algebra helps detecting and correcting unwanted situations.
SIGNETTM offers detection and correction of single marking errors by means via a
Hamming code defined over a suitable finite field.
7. Implementation and Testing
SIGNETTM was developed in Java2TM, using Sun Microsystems’ JDK 1.4 (Java Development
Kit), and IBM’s WebSphere Studio Application DeveloperTM for Windows. SIGNETTM is a
highly portable application, which runs on any PC with an operating system supporting the
Java interpreter JVM (Java Virtual Machine).
The MD5 message digest algorithm, and the signature protocols we used were taken
from the JCATM (Java Cryptography Architecture) library. RSA encryption/decryption
functions, and the key pair generator were taken from JCETM (Java Cryptography Extension).
On the contrary, error-correction algorithms were developed ex novo, in order to take the Petri
net structure into proper account.
SIGNETTM has been tested on a Pentium Celeron-R, at 1.80 GHz, with a 256 MB
RAM under Windows XPTM. Table 1 summarizes computation times for the generation of
RSA key pairs. Times are listed for key pairs of increasing modulus length.
modulus length (bits)
512
640
768
896
1024
1152
1280
1408
1536
1664
1792
1920
2048
CPU time (seconds)
6,375
6,375
6,656
6,813
7,281
6,969
7,312
7,469
8,281
8,620
8,281
10,781
11,328
Table 1
Incidence matrix size
(rows  columns)
20  30
30  40
50  50
70  60
90  80
120  100
150  170
170  200
200  250
200  300
300  320
400  300
500  500
Number of
elements
600
1200
2500
4200
7200
12000
25500
34000
50000
60000
96000
120000
250000
Signature CPU time
(seconds)
0,453
0,609
1,219
1,572
1,678
3,313
11,860
20,460
43,406
60,719
151,375
241,203
978,343
Table 2
Signature verification
CPU time (seconds)
0,121
0,182
0,202
0,310
0,261
0,315
0,303
0,381
0,411
0,388
0,454
0,512
0,541
Table 2 summarizes computation times for signature and signature verification of a
variable-size incidence matrix with secret keys of 2048-bit. In both cases CPU times include
message digest computations. Table 3 summarizes computation times for encryption and
decryption of a variable-size incidence matrix, with keys of both 512-bit and of 2048-bit
lenght.
Incidence matrix size
(rows  columns)
Number of
elements
20  30
30  40
50  50
70  60
90  80
120  100
150  170
170  200
200  250
200  300
300  320
400  300
500  500
600
1200
2500
4200
7200
12000
25500
34000
50000
60000
96000
120000
250000
Encryption
512 bit - (2048 bit)
(seconds)
0,563 - (0,933)
0,703 - (1,780)
0,282 - (0,844)
0,328 - (1,328)
0,594 - (2,172)
0,781 - (3,547)
1,657 - (3,468)
2,630 - (9,484)
2,688 - (14,78)
3,609 - (16,86)
5,687 - (27,45)
5,188 - (35,17)
11,78 - (71,18)
Decryption
512 bit - (2048 bit)
(seconds)
0,437 - (17,188)
1,141 - (34,828)
1,812 - (71,390)
2,703 - (119,60)
4,421 - (203,70)
7,188 - (338,21)
15,31 - (713,95)
20,54 - (965,36)
32,20 - (1358,7)
43,18 - (1692,6)
62,92 - (2703,6)
79,57 - (3379,3)
205,2 - (7048,6)
Table 3
All testing has been completed on a common PC with both 512-bit and 2048-bit keys.
Recall that 2048-bit RSA keys are considered to be of military security level, and that a
500500 incidence matrix represents a quite unusually large Petri net.
8. References
[Ad91] Adámek J., Foundations of Coding, John Wiley & Sons, 1991
[Li82] Lint van J.H., Introduction to Coding Theory, Springer-Verlag, 1991
[Pa96] Pagnoni A., Detecting and Correcting Errors of Distributed Systems, Bulletin of the
EATCS, N.58, 1996
[Sc94] Schneier B., Applied Cryptography, John Wiley & Sons, 1994
[St95] Stallings W., Network and Internetwork Security, Prentice Hall, 1995
9. Acknowledgements
The idea of cryptographically securing complex Petri net projects was suggested to us by Prof.
Monika Heiner, Cottbus University; we truly thank her here.