Authorization credentials for controlled sharing in NDN: Experiments with codecaps and macaroons in NDN.JS

SLIDE 1

Authorization credentials for controlled sharing in NDN: Experiments with codecaps and macaroons in NDN.JS

NDNCOMM 2014

Pedro de-las-Heras-Quirós, Eva M. Castro-Barbero

<pedro.delasheras@urjc.es>

Information Technology and Communications Department Universidad Rey Juan Carlos, Spain

September 5, 2014

pedro.delasheras@urjc.es - 2014 Authorization credentials for controlled sharing in NDN 1

SLIDE 2

© 2014 Pedro de las Heras Quirós, Eva M. Castro Barbero.

Some rights reserved. This work is distributed under the Creative Commons Attribution Share-Alike license, available at http://creativecommons.org/licenses/by-sa/3.0/es

SLIDE 3

Contents

1. Codecaps for NDN
2. Macaroons for NDN
3. Why use these mechanisms in NDN?

SLIDE 4

Introduction

We are developing prototypes of codecaps and macaroons for NDN using NDN-CCL (NDN.JS v0.3), ndnd-tlv, ndncert, Mini-CCNx (adapted to ndnd-tlv)

Work in progress to explore potential solutions for encryption based group access control for NDN apps

Expect more doubts than claims:

  • Can these mechanisms improve consumer anonymity in NDN when compared with signed interests?
  • Can they facilitate service composition of NDN apps?

Example applications:

  • Raw sensor data stored and published to a service that transforms and republishes the data to a different group, with different rights
  • Letting my family group / friends group access some of the photos in NDNFlickr, without them having an account there
  • Delegation of voting rights according to subject
  • Open mHealth

SLIDE 6

Codecaps for NDN

What are Codecaps

Secure abstraction with code capabilities. R. van Renesse, H.D. Johansen, N. Naigaonkar and D. Johansen. In 21st Euromicro International Conference on Parallel, Distributed and Network-Based Processing, 2013

  • Codecaps are capabilities that embed code that programmatically expresses the rights acquired by the owner
  • Rights are code (JavaScript in the original paper) that is evaluated in the context of a request to grant/deny access

SLIDE 7

Codecaps for NDN

What are Codecaps

  • Codecaps can be extended by principals. Each codecap includes a certificate chain that can be extended by its owner by adding new right functions that attenuate the original rights
  • Codecaps are extended for a particular principal: each certificate in the chain signs both a new right function and the public key of the principal who can use the new extended codecap

SLIDE 8

Codecaps for NDN

What are Codecaps

  • A request includes a codecap + the action requested
  • A request can be created by any principal owning a codecap, by signing the requested action with its private key and sending it alongside the codecap
  • The original creator of the codecap validates the chain of certificates of the request, and evaluates whether every rights function is satisfied in the context of the request, granting or denying access

SLIDE 9

Codecaps for NDN

Example

[Diagram: /ndn/urjc, /ndn/urjc/bob, /ndn/ucla/mary]

  • O1: bob, RW

SLIDE 10

Codecaps for NDN

Example

[Diagram: /ndn/urjc, /ndn/urjc/bob, /ndn/ucla/mary]

  • O1: bob, RW
  • Signed interest /ndn/urjc/get-codecap/O1

SLIDE 11

Codecaps for NDN

Example

[Diagram: /ndn/urjc, /ndn/urjc/bob, /ndn/ucla/mary]

  • O1: bob, RW
  • K-urjc{K+bob, O1, RW}
  • Signed interest /ndn/urjc/get-codecap/O1

SLIDE 12

Codecaps for NDN

Example

[Diagram: /ndn/urjc, /ndn/urjc/bob, /ndn/ucla/mary]

  • O1: bob, RW
  • K-urjc{K+bob, O1, RW}
  • Signed interest /ndn/urjc/bob/get-codecap/O1
  • Signed interest /ndn/urjc/get-codecap/O1

SLIDE 13

Codecaps for NDN

Example

[Diagram: /ndn/urjc, /ndn/urjc/bob, /ndn/ucla/mary]

  • O1: bob, RW
  • K-urjc{K+bob, O1, RW}
  • K-urjc{K+bob, O1, RW} K-bob{K+mary, O1, R}
  • Signed interest /ndn/urjc/bob/get-codecap/O1
  • Signed interest /ndn/urjc/get-codecap/O1

SLIDE 14

Codecaps for NDN

Example

[Diagram: /ndn/urjc, /ndn/urjc/bob, /ndn/ucla/mary]

  • O1: bob, RW
  • K-urjc{K+bob, O1, RW}
  • K-urjc{K+bob, O1, RW} K-bob{K+mary, O1, R}
  • Signed interest /ndn/urjc/bob/get-codecap/O1
  • Signed interest /ndn/urjc/get-codecap/O1
  • Signed interest /ndn/urjc/O1/W/ K-urjc{K+bob, O1, RW} K-bob{K+mary, O1, R}
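
The certificate-chain validation described in the codecap slides, as an added example that is not part of the original presentation or of the authors' NDN.JS prototype. It assumes Ed25519 keys from Node.js `crypto`, represents each rights function as a plain rights string ("RW", "R") like the diagram labels do, and uses hypothetical function names; the keys and requests are constructed for the illustration.

```javascript
const crypto = require('crypto');

const newKey = () => crypto.generateKeyPairSync('ed25519');
const pem = (k) => k.publicKey.export({ type: 'spki', format: 'pem' });
const sign = (k, msg) => crypto.sign(null, Buffer.from(msg), k.privateKey);
const check = (pubPem, msg, sig) => crypto.verify(null, Buffer.from(msg), pubPem, sig);

// One link of the chain: the delegator signs the new holder's public key
// together with the object and the (possibly reduced) rights.
function cert(issuer, holderPem, object, rights) {
  const body = JSON.stringify({ holderPem, object, rights });
  return { body, sig: sign(issuer, body) };
}

// Run by the original creator of the codecap, who trusts only its own key.
function validate(producerPem, chain, request) {
  let signerPem = producerPem;
  let allowed = null;
  for (const link of chain) {
    if (!check(signerPem, link.body, link.sig)) return false; // broken chain
    const { holderPem, object, rights } = JSON.parse(link.body);
    if (object !== request.object) return false;
    // A delegator can only attenuate: no right absent from the previous link.
    if (allowed && ![...rights].every((r) => allowed.includes(r))) return false;
    // Every link must permit the requested action.
    if (![...rights].includes(request.op)) return false;
    allowed = rights;
    signerPem = holderPem; // the next link (or the request) is signed by this holder
  }
  // The action must be signed with the private key of the last holder.
  return chain.length > 0 && check(signerPem, `${request.object}/${request.op}`, request.sig);
}

// Constructed scenario with the principals of the slides (keys generated here).
function demo() {
  const urjc = newKey(), bob = newKey(), mary = newKey();
  const chain = [cert(urjc, pem(bob), 'O1', 'RW'), cert(bob, pem(mary), 'O1', 'R')];
  const req = (k, op) => ({ object: 'O1', op, sig: sign(k, `O1/${op}`) });
  const producer = pem(urjc);
  return {
    maryRead: validate(producer, chain, req(mary, 'R')),
    maryWrite: validate(producer, chain, req(mary, 'W')),
    bobUsingMarysCap: validate(producer, chain, req(bob, 'R')),
    bobWrite: validate(producer, chain.slice(0, 1), req(bob, 'W')),
  };
}
```

The request signature here covers only the object and the action, so a deployment would also bind a nonce or timestamp into the signed data to keep a captured request from being replayed.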

SLIDE 16

Macaroons for NDN

What are Macaroons

Macaroons: Cookies with contextual caveats for decentralized authorization in the cloud. A. Birgisson, J.G. Politz, Úlfar Erlingsson, A. Taly, M. Vrable, and M. Lentczner. In Network and Distributed System Security Symposium, 2014

  • Similar to codecaps, although they’re not capabilities but credentials

SLIDE 17

Macaroons for NDN

What are Macaroons

  • Also embed code: authorization predicates in caveats, similar to rights functions of codecaps
  • Express when, where, by whom and for what purpose a producer principal should authorize requests for content or services it owns

SLIDE 18

Macaroons for NDN

What are Macaroons

  • Macaroons can also be extended, but they don’t use PK certificates for expressing delegation
  • The list of caveats added by principals is chained through HMACs: much more efficient, and potentially anonymous for NDN consumers
  • The original creator of the macaroon keeps secret the root key used to calculate the first HMAC, and adds a nonce identifying it to the macaroon
  • The next principal in the chain uses the previous HMAC as the key for calculating the HMAC of the next caveat added
  • Requests can only be validated by the original creator, who recalculates the chain of HMACs starting with the secret root key indexed by the nonce in the macaroon of the request
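
The HMAC chaining described on this slide, as an added example that is not part of the original presentation or of the authors' NDN.JS prototype: the producer mints a macaroon, a holder attenuates it, and the producer re-derives the chain from its root key to validate a request. HMAC-SHA256, the "object,rights" caveat encoding, the function names and the sample requests are assumptions made for the illustration; third-party caveats are not covered.

```javascript
const crypto = require('crypto');

const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest();

// Producer state: secret root keys, indexed by the nonce carried in the macaroon.
const rootKeys = new Map();

// Producer: the first HMAC is keyed with the root key; the nonce identifies it.
function mint(caveat) {
  const nonce = crypto.randomBytes(8).toString('hex');
  const rootKey = crypto.randomBytes(32);
  rootKeys.set(nonce, rootKey);
  return attenuate({ nonce, caveats: [], sig: hmac(rootKey, nonce) }, caveat);
}

// Any holder: the previous HMAC is the key for the HMAC of the added caveat.
function attenuate(m, caveat) {
  return { nonce: m.nonce, caveats: [...m.caveats, caveat], sig: hmac(m.sig, caveat) };
}

// Caveat predicate for the assumed "object,rights" encoding, e.g. "O1,RW".
function satisfied(caveat, request) {
  const [object, rights = ''] = caveat.split(',');
  return object === request.object && [...rights].includes(request.op);
}

// Producer: recompute the chain from the root key, then evaluate every caveat.
function verify(m, request) {
  const rootKey = rootKeys.get(m.nonce);
  if (!rootKey) return false; // nonce unknown to this producer
  let sig = hmac(rootKey, m.nonce);
  for (const caveat of m.caveats) sig = hmac(sig, caveat);
  if (!Buffer.isBuffer(m.sig) || m.sig.length !== sig.length) return false;
  if (!crypto.timingSafeEqual(sig, m.sig)) return false;
  return m.caveats.every((caveat) => satisfied(caveat, request));
}

// Constructed scenario: Bob's macaroon, Mary's attenuated copy, a tampered copy.
function demo() {
  const bobs = mint('O1,RW');
  const marys = attenuate(bobs, 'O1,R');
  const tampered = { ...marys, caveats: ['O1,RW'] }; // caveat removed, HMAC kept
  return {
    bobWrite: verify(bobs, { object: 'O1', op: 'W' }),
    maryRead: verify(marys, { object: 'O1', op: 'R' }),
    maryWrite: verify(marys, { object: 'O1', op: 'W' }),
    tamperedWrite: verify(tampered, { object: 'O1', op: 'W' }),
  };
}
```

The producer stores one root key per minted macaroon and nothing per consumer, and no public key of the holder appears anywhere in the request.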

SLIDE 19

Macaroons for NDN

What are Macaroons

Main innovation of macaroons: third-party caveats

SLIDE 20

Macaroons for NDN

Example

Bob receives macaroon created by /ndn/urjc

[Diagram: /ndn/urjc, /ndn/urjc/bob, /ndn/urjc/mary, /auth-service]

  • O1: bob, RW
  • Bob friends: mary, K+mary; jane, K+jane; ...
  • Macaroon: caveat: O1, RW; nonce X

SLIDE 21

Macaroons for NDN

Example

Bob extends the macaroon with a normal caveat and with a third-party caveat that requires Mary to authenticate in auth-service, and then sends the extended macaroon to Mary

[Diagram: /ndn/urjc, /ndn/urjc/bob, /ndn/urjc/mary, /auth-service]

  • O1: bob, RW
  • Bob friends: mary, K+mary; jane, K+jane; ...
  • Macaroon: caveat: O1, R; 3rd party caveat, nonce Y: my friend in /auth-service?; caveat: O1, RW; nonce X
  • Macaroon: caveat: O1, RW; nonce X

SLIDE 22

Macaroons for NDN

Example

In order for Mary to create a request for O1, she must first authenticate herself in the third party auth-service to satisfy the third party caveat as demanded by Bob

[Diagram: /ndn/urjc, /ndn/urjc/bob, /ndn/urjc/mary, /auth-service]

  • O1: bob, RW
  • Bob friends: mary, K+mary; jane, K+jane; ...
  • Macaroon: caveat: O1, R; 3rd party caveat, nonce Y: my friend in /auth-service?; caveat: O1, RW; nonce X
  • 3rd party caveat: my friend in /auth-service?
  • Macaroon: caveat: O1, RW; nonce X
  • Discharge macaroon: nonce Y

SLIDE 23

Macaroons for NDN

Example

Mary then adds the discharge macaroon to a request sent to /ndn/urjc

[Diagram: /ndn/urjc, /ndn/urjc/bob, /ndn/urjc/mary, /auth-service]

  • O1: bob, RW
  • Bob friends: mary, K+mary; jane, K+jane; ...
  • Macaroon: caveat: O1, R; 3rd party caveat, nonce Y: my friend in /auth-service?; caveat: O1, RW; nonce X
  • 3rd party caveat: my friend in /auth-service?
  • Macaroon: caveat: O1, RW; nonce X
  • Discharge macaroon: nonce Y
  • Request: caveat: O1, R; 3rd party caveat, nonce Y; caveat: O1, RW; nonce X; with discharge macaroon, nonce Y

SLIDE 24

Macaroons for NDN

Example

/ndn/urjc can validate first party caveats in the context of the request, and can validate the third party caveat imposed by Bob by checking the presence of the discharge macaroon

All this without /ndn/urjc knowing what the requirement was, who the third party was, or who the consumer is!

[Diagram: /ndn/urjc, /ndn/urjc/bob, /ndn/urjc/mary, /auth-service]

  • O1: bob, RW
  • Bob friends: mary, K+mary; jane, K+jane; ...
  • Macaroon: caveat: O1, R; 3rd party caveat, nonce Y: my friend in /auth-service?; caveat: O1, RW; nonce X
  • 3rd party caveat: my friend in /auth-service?
  • Macaroon: caveat: O1, RW; nonce X
  • Discharge macaroon: nonce Y
  • Request: caveat: O1, R; 3rd party caveat, nonce Y; caveat: O1, RW; nonce X; with discharge macaroon, nonce Y

SLIDE 25

Macaroons for NDN

Current work: Adding keys to macaroon

Encryption based group access control: producer adds session keys to macaroon for encrypting interests received and data sent

Data packet sent encrypted uses intrinsic multicast of data packets

By adding the public key of the producer to the macaroon we enable different trust models where those receiving a macaroon from an intermediary principal can verify content of the original producer by trusting the macaroon

SLIDE 26

Macaroons for NDN

Current work: Revocation of macaroons

By frequently revoking macaroons, which are cheap to create:

  • Producer can frequently change the session keys
  • Producer can frequently change its PK, increasing anonymity of data producers

How to revoke macaroons / session keys / public keys:

  • Directories of macaroons (scaling through hierarchy) + versioning of data + frequent expiration (it is inexpensive to generate new macaroons)

SLIDE 28

Why use these mechanisms in NDN?

Authorization credentials vs. ACLs

  • More scalability: the producer does not store an amount of state proportional to the number of consumer principals, as must be done with ACLs
  • More flexibility: each intermediate principal can design its access control policy before delegating, not constrained by a fixed set of policies predefined by the original producer

SLIDE 29

Why use these mechanisms in NDN?

Comparison Codecaps / Macaroons

  • Codecaps and third-party caveats of macaroons enable flexible service composition in NDN apps
  • Both support restricted delegation, confinement and revocation
  • When using codecaps, anonymity of consumers is lost: producers must know and trust consumers’ PK to validate a codecap
  • By using HMACs + symmetric-key encryption, macaroons enable consumer anonymity
  • By using HMACs instead of PK certificates, macaroons are more efficient both at creation time and at validation time, enabling frequent revocation

SLIDE 30

Why use these mechanisms in NDN?

Future Work

  • Increase information obscurity through combinations of encrypted namespaces + multi-key searchable encryption of both encrypted directories and encrypted producer data stores
  • Control access for anycast: producer replicas sharing the root key of macaroons
  • Feedback from NDN + crypto experts about the validity of our adaptations made to original codecaps/macaroons
  • It is our first NDN library. Need to improve current code based on NDN.JS v0.3: improve codification with Protocol Buffers, adaptation to newest version of NDN.JS (keychain), ...
  • Porting to: Firefox plugin, NDN-CCL C++/Python and to NDN-CXX
