Introduction: Geode uses UDP communication for peer-to-peer membership protocol. It also uses UDP communication for region operations, when a region is configured with multicast enabled.  But all these communication happens communications happen through plain text over the wire. In Geode there is no option to encrypt UDP data.  

Proposal: We propose an encryption layer on top of UDP messages. Each message will be encrypted and decrypted using a cluster wide secret key. This secret cluster-key will be created by a coordinator and any member can get the cluster-key using a member-coordinator private key.  Using the existing authentication mechanism, Geode can be configured to authenticate a new member at with the coordinator.  This authentication happens , when a member joins the cluster. Thus the new member will see the cluster-key only when it is authenticated by an application. In that way all members can have a cluster-key, which can be use used to encrypt and decrypt the UDP messages.


We plan to generate these keys using the diffie-hellman key exchange mechanism. Using this each member will have a secret key with other member members in the cluster.

We will have define the distributed system property “securesecurity-udp-dhalgo” to enable UDP message encryption. Application An application can define specify any algorithm available in JDK like , such as “AES”, “DES”, or “Blowfish” etc. Each member need needs to define this property with the same algorithm.

Work-flow: In Geode, a new member joins the cluster using the locator. It makes a “FindCoordinatorRequest” request to the configured locator over tcp. And it gets TCP. It receivers a “FindCoordinatorResponse” response which includes the current coordinator’s address. This response will include the coordinator’s public key, if UDP encryption is enabled. This “FindCoordinatorRequest” request can be made secure by configuring cluster-ssl.  

Then member will send The member then sends a “JoinRequestMessage” message to the coordinator. This message will be encrypted using member-coordinator key. Apart from this, the member will append its public key with to the “JoinRequestMessage” , so that the coordinator can decrypt the  “JoinRequestMessage” using the member-coordinator key. Then the coordinator will authenticate the join request, if its it is configured. And The coordinator then it will send a “JoinResponseMessage” with the cluster-key. This “JoinResponseMessage” will be encrypted using the member-coordinator key.

From this point onwards, the member will communicate UDP messages using the cluster-key as described in the following diagram.


titletitle This diagram shows a member (N) using a locator (L) discovering the Coordinator (C) and joining
hide footbox
entity N
entity L
entity C
N -> L : FindCoordinatorRequest(myId) 
note right of N : via tcp/ip over ssl while starting the new node. 
L --> N : FindCoordinatorResponse(c) this will have publickey for coordinator
note right of N
Restart of locator will use saved publickey in view.dat file, to encrypt FindCoordinator request over udp.
We will prefix its publicKey with FindCoordinator message, so that member can decrypt findCoordinator request.
end note
N -> C : N's Public key and JoinRequest (this request will be encrypted using N-C key)
note left of C : Application can authenticate new member here.
C -> N : coordinator will send joinResponse containing cluster-secret-key. This message will be encrypted using N-C key.
note right of N
From here all communication will happen through cluster-secret-key
end note
C -> N : PrepareView(c,l,n) 
N --> C : ack
C -> L : PrepareView(c,l,n)
L --> C : ack
C -> N : InstallView(c,l,n)
N --> C : ack
C -> L : InstallView(c,l,n)
L --> C : ack

Special case: When the locator restarts, it knows the previous view which was saved in view.dat file. This file will contain the public keys of all the members in the view as well. Thus, the locator can now locator sends send “FindCoordinatorRequest” using udp message UDP messages instead of tcp TCP as described above. We will encrypt the “FindCoordinatorRequest” request using the saved public key of each member to find the coordinator.

Testing: We will be testing various scenario scenarios with UDP encryption enableenabled. Extending We will extend unit tests with the distributed config property  “secure-udp-dhalgo” enabled. This will ensure testing of all the scenarios (like such as multicast, locator HA, reconnect etc).

Performance: There will be a cost of to encrypting/decrypting the message.  But in this approach the message will be encrypted once only, even that need when sent to send more than one member. As , as we have a cluster wide secret key.

