krb ccn lightweight authentication access control for
play

KRB-CCN: Lightweight Authentication & Access Control for Private - PowerPoint PPT Presentation

Mar 16, 2023 •14 likes •604 views

KRB-CCN: Lightweight Authentication & Access Control for Private Content-Centric Networks Ivan O. Nunes and Gene Tsudik University of California Irvine {ivanoliv, gene.tsudik}@uci.edu ACNS 2018 1 Agenda CCN Overview

  1. KRB-CCN: Lightweight Authentication & Access Control for Private Content-Centric Networks Ivan O. Nunes and Gene Tsudik University of California Irvine {ivanoliv, gene.tsudik}@uci.edu ACNS 2018 1

  2. Agenda • CCN Overview – Authentication and AC in CCN • Kerberos • KRB-CCN – Design – Security – Implementation & Evaluation • Final Remarks ACNS 2018 2

  3. CCN Overview ACNS 2018 3

  4. Content-Centric Networking: • Named data, instead of host addresses: – /edu/uci/ics/ivan/krbccn-paper.pdf • Decouples Content from its location • Optional in-network caching: potentially better network utilization, lower latency... ACNS 2018 4

  5. Content-Centric Networking: • Network entities: – Producers: generate and publish contents under unique names ( owns a prefix ) – Consumers: issue “interests” for contents containing such contents names – Routers: forward interests and contents • May cache content ACNS 2018 5

  6. Content-Centric Networking: ACNS 2018 6

  7. Content-Centric Networking: ACNS 2018 7

  8. Content-Centric Networking: ACNS 2018 8

  9. Content-Centric Networking: ACNS 2018 9

  10. Content-Centric Networking: ACNS 2018 10

  11. Content-Centric Networking: ACNS 2018 11

  12. Content-Centric Networking: ACNS 2018 12

  13. Content-Centric Networking: Overview Routing: – Pending Interest Table (PIT) : • Table of pending interests and corresponding incoming interfaces • Used to route the content back to the requesting consumer ACNS 2018 13

  14. Content-Centric Networking: Overview Routing: – Pending Interest Table (PIT) : • Table of pending interests and corresponding incoming interfaces • Used to route the content back to the requesting consumer – Forwarding Interest Base (FIB) : • Table of name prefixes and corresponding outgoing interfaces • Used to route interests towards content producers (Longest Prefix Match of names) ACNS 2018 14

  15. CCN Security • The architecture demands that content is signed by its producer ACNS 2018 15

  16. CCN Security • The architecture demands that content is signed by its producer • Some IP-equivalent services have been proposed: – Anonymity networks, VPNs, TLS-like key exchange... ACNS 2018 16

  17. CCN Security • The architecture demands that content is signed by its producer • Some IP-equivalent services have been proposed: – Anonymity networks, VPNs, TLS-like key exchange... • Currently 2 flavors of AC: – CBAC: inability to decrypt unauthorized content – IBAC: inability to request (generate interests for) unauthorized content • must be used jointly with CBAC ACNS 2018 17

  18. CCN Security • Issues with current approaches for AC: – Producer Overhead: Producers are responsible for handling consumer authentication and content AC on their own ACNS 2018 18

  19. CCN Security • Issues with current approaches for AC: – Producer Overhead: Producers are responsible for handling consumer authentication and content AC on their own – Consumer Privacy: AC enforced by producers implies sacrificing consumer privacy ACNS 2018 19

  20. CCN Security • Issues with current approaches for AC: – Producer Overhead: Producers are responsible for handling consumer authentication and content AC on their own – Consumer Privacy: AC enforced by producers implies sacrificing consumer privacy – Policy Changes: It is difficult to react to policy changes, e.g., access revocation for a given consumer ACNS 2018 20

  21. CCN Security • Issues with current approaches for AC: – Producer Overhead: Producers are responsible for handling consumer authentication and content AC on their own – Consumer Privacy: AC enforced by producers implies sacrificing consumer privacy – Policy Changes: It is difficult to react to policy changes, e.g., access revocation for a given consumer – Confidentiality: If consumer is authenticated by other means, e.g., passwords and biometrics, each producer would have to store and manage potentially sensitive state information ACNS 2018 21

  22. CCN Security • Issues with current approaches for AC: – Producer Overhead: Producers are responsible for handling consumer authentication and content AC on their own – Consumer Privacy: AC enforced by producers implies sacrificing consumer privacy – Policy Changes: It is difficult to react to policy changes, e.g., access revocation for a given consumer – Confidentiality: If consumer is authenticated by other means, e.g., passwords and biometrics, each producer would have to store and manage potentially sensitive state information • What else can we do? ACNS 2018 22

  23. Kerberos ACNS 2018 23

  24. Kerberos Overview • Since mid-1980s, Kerberos has been successfully and widely used for authentication and AC in IP-based private networks • Separate entities for authentication, AC, and services • Solves aforementioned issues of other approaches for authentication and AC in CCNs. • Suited for private networks (within autonomous system) ACNS 2018 24

  25. Kerberos Overview • Authentication and AC service for private networks and autonomous systems ACNS 2018 25

  26. Kerberos Overview • Authentication and AC service for private networks and autonomous systems • 3 rounds: ACNS 2018 26

  27. Kerberos Overview • Authentication and AC service for private networks and autonomous systems • 3 rounds: 1 - Authentication Request: Generates a TGT (Ticket-Granting Ticket) that serves as a “proof” of authentication ACNS 2018 27

  28. Kerberos Overview • Authentication and AC service for private networks and autonomous systems • 3 rounds: 1 - Authentication Request: Generates a TGT (Ticket-Granting Ticket) that serves as a “proof” of authentication 2 - Authorization Request: Generates an ST (“Service Ticket”) that serves as a “proof” of authorization ACNS 2018 28

  29. Kerberos Overview • Authentication and AC service for private networks and autonomous systems • 3 rounds: 1 - Authentication Request: Generates a TGT (Ticket-Granting Ticket) that serves as a “proof” of authentication 2 - Authorization Request: Generates an ST (“Service Ticket”) that serves as a “proof” of authorization 3 - Service Request: Execution/Access to the actual service/data (authenticated both ways). ACNS 2018 29

  30. KRB-CCN ACNS 2018 30

  31. KRB-CCN: Big Picture ACNS 2018 31

  32. Design • Parties: – TGT Producer (TGT-Prod) : • Verifies Identity Produces a TGT ACNS 2018 32

  33. Design • Authentication (Between Consumer and TGT-Prod ) ACNS 2018 33

  34. Design • Authentication (Between Consumer and TGT-Prod ) ACNS 2018 34

  35. Design • Authentication (Between Consumer and TGT-Prod ) ACNS 2018 35

  36. Design • Authentication (Between Consumer and TGT-Prod ) Encrypted using a Same key key shared between as in the TGT-Prod and token CGT-Prod ACNS 2018 36

  37. Design • Authentication (Between Consumer and TGT-Prod ) Encrypted using a Same key key shared between as in the TGT-Prod and token Someone else can CGT-Prod not decrypt the token ACNS 2018 37

  38. Design • Parties: – TGT Producer (TGT-Prod) : • Verifies Identity Produces a TGT – CGT Producer (CGT-Prod) : • Verifies TGT and AC Policy Produces a CGT ACNS 2018 38

  39. Design • Authorization (Between Consumer and CGT-Prod ) Content’s name prefix, e.g.: edu/uci/ivan/* ACNS 2018 39

  40. Design • Authorization (Between Consumer and CGT-Prod ) Content’s name prefix, e.g.: edu/uci/ivan/* ACNS 2018 40

  41. Design • Authorization (Between Consumer and CGT-Prod ) Content’s name prefix, e.g.: edu/uci/ivan/* Kp shared between CGT-Prod and Content Producer ACNS 2018 41

  42. Design • Authorization (Between Consumer and CGT-Prod ) Content’s name prefix, e.g.: edu/uci/ivan/* Kp shared between CGT-Prod and Content Producer From authentication phase: only UID has this key ACNS 2018 42

  43. Design • Authorization (Between Consumer and CGT-Prod ) Content’s name prefix, e.g.: edu/uci/ivan/* Kp shared between CGT-Prod and Content Producer From authentication phase: only UID has this key Someone else can ACNS 2018 43 not decrypt the token

  44. Design • Parties: – TGT Producer (TGT-Prod) : • Verifies Identity Produces a TGT – CGT Producer (CGT-Prod) : • Verifies TGT and AC Policy Produces a CGT – Content Producer : • Verifies CGT Produces Content/Service ACNS 2018 44

  45. Design • Content requests (Between Consumer and Producer ) ACNS 2018 45

  46. Design • Content requests (Between Consumer and Producer ) No UID, only CGT! ACNS 2018 46

  47. Design • Content requests (Between Consumer and Producer ) No UID, only CGT! ACNS 2018 47

  48. Design • Content requests (Between Consumer and Producer ) No UID, only CGT! From authorization phase: only UID has this key ACNS 2018 48

  49. Design • Content requests (Between Consumer and Producer ) No UID, only CGT! From authorization phase: only UID has this key Someone else can not access content D! ACNS 2018 49

  50. Design • Content requests (Between Consumer and Producer ) Mutual Authentication Support ACNS 2018 50

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Lightweight Statistical Authentication Protocol for Access Control in Wireless LANs Haoli Wang,

A Lightweight Statistical Authentication Protocol for Access Control in Wireless LANs Haoli Wang,

A Lightweight Statistical Authentication Protocol for Access Control in Wireless LANs Haoli Wang, Joel Cardo, Yong Guan ECE, Iowa State University ASWN 2004 Introduction Emergence of visitor networks Visitor Networks: LANs that are

671 views • 13 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We

CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We

CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We want to control how users can interact with information E.g., Users should only be able to view their own messages Users can only

465 views • 12 slides
Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction to Computer Security Announcements intermission OS security: access control Unix-style access control Stephen McCamant Multilevel and mandatory

656 views • 9 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
Session 7 Authentication and Access Control Sbastien Combfis Fall 2019 This work is

Session 7 Authentication and Access Control Sbastien Combfis Fall 2019 This work is

I5020 Computer Security Session 7 Authentication and Access Control Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License. User Authentication

862 views • 43 slides
CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web Data Engineering Access Control Mechanisms Declarative Authorization using Realms The expression of app security external to the app

540 views • 26 slides
D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient access control and authentication checks Insecure access control methods Private, internal functions and data are accessible through a

547 views • 11 slides
Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following authentication, we need to decide what the subject can access 1 Read F 1 OK 2 Bob Write to F Alice 2 F NO ! 3 Execute G G 3 OK

596 views • 56 slides
Outline OS protection and isolation (contd) CSci 5271 OS security: authentication

Outline OS protection and isolation (contd) CSci 5271 OS security: authentication

Outline OS protection and isolation (contd) CSci 5271 OS security: authentication Introduction to Computer Security Basics of access control OS authentication and access control (combined lecture) Announcements, Ex. 1 debrief Stephen

440 views • 11 slides
ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler

ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler

ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.24k views • 66 slides
Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.15k views • 70 slides
Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch

Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch

ECE590 Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.02k views • 70 slides
OPT : LIGHTWEIGHT SOURCE AUTHENTICATION & PATH VALIDATION

OPT : LIGHTWEIGHT SOURCE AUTHENTICATION & PATH VALIDATION

OPT : LIGHTWEIGHT SOURCE AUTHENTICATION & PATH VALIDATION Tiffany Hyun-Jin Kim , 1 Cris(na Basescu, 2 Limin Jia, 1 Soo Bum Lee, 3 Yih-Chun Hu, 4 and Adrian

502 views • 26 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Nemesis: Preventing Web Authentication & Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication & Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication & Access Control Vulnerabilities Michael Dalton , Christos Kozyrakis Stanford University Nickolai Zeldovich Massachusetts Institute of Technology Web Application Overview User: webdb User: httpd

446 views • 22 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Sequentially Cohen-Macaulay Rees modules Naoki Taniguchi Meiji University Joint work with T. N.

Sequentially Cohen-Macaulay Rees modules Naoki Taniguchi Meiji University Joint work with T. N.

Seq C-M property in E Intro Filtration Survey on seq C-M modules Main results Application References Sequentially Cohen-Macaulay Rees modules Naoki Taniguchi Meiji University Joint work with T. N. An, N. T. Dung and T. T. Phuong at

709 views • 49 slides
Business Succession Planning Christine Atencia Financial Adviser, Nexia Sydney Darren

Business Succession Planning Christine Atencia Financial Adviser, Nexia Sydney Darren

Business Succession Planning Christine Atencia Financial Adviser, Nexia Sydney Darren Chinnappa Superannuation Manager, Nexia Sydney 8 November 2017 Disclaimer Material contained in this presentation is a summary only and is based on

813 views • 53 slides
Melbourne Tax Discussion Group 19 June 2019 Taxation of Cryptocurrencies What is blockchain?

Melbourne Tax Discussion Group 19 June 2019 Taxation of Cryptocurrencies What is blockchain?

Melbourne Tax Discussion Group 19 June 2019 Taxation of Cryptocurrencies What is blockchain? What is blockchain? Public v private Decentralised network Consensus protocols (e.g. Proof of Work, Proof of Stake) Smart contracts

270 views • 16 slides
Playful game comparison and Absolute CGT Urban Larsson, Technion - Israel Institute of

Playful game comparison and Absolute CGT Urban Larsson, Technion - Israel Institute of

Playful game comparison and Absolute CGT Urban Larsson, Technion - Israel Institute of Technology, coauthors Richard N. Nowakowski and Carlos P . dos Santos GAG-2017, Lyon 1 Thanks to organizers We develop a framework for many classes

1.13k views • 20 slides
Valuable Realizations James R. Hines Jr. and Daniel Schaffa Discussion Sebastian Eichfelder

Valuable Realizations James R. Hines Jr. and Daniel Schaffa Discussion Sebastian Eichfelder

Valuable Realizations James R. Hines Jr. and Daniel Schaffa Discussion Sebastian Eichfelder (Otto-von-Guericke-Universitt Magdeburg) 112 th NTA Annual Conference on Taxation Tampa, November 23, 2019 1. Summary (1) Research question and

528 views • 6 slides
Philip Baker QC Field Court Tax Chambers 3 Field Court Grays Inn London WC1R 5EP e-mail:

Philip Baker QC Field Court Tax Chambers 3 Field Court Grays Inn London WC1R 5EP e-mail:

FIELD COURT TAX CHAMBERS Philip Baker QC Field Court Tax Chambers 3 Field Court Grays Inn London WC1R 5EP e-mail: pb@fieldtax.com FIELD COURT TAX CHAMBERS FIELD COURT TAX CHAMBERS Revenue yield A separate tax Rates of tax

230 views • 10 slides
Gauge invariant regularization for perturbative chiral gauge theory Yu Hamada Kyoto Univ.

Gauge invariant regularization for perturbative chiral gauge theory Yu Hamada Kyoto Univ.

Gauge invariant regularization for perturbative chiral gauge theory Yu Hamada Kyoto Univ. 2018/7/30 @Strings and Fields 2018 Based on YH, H. Kawai, arXiv:1705.01317, YH, H. Kawai, K. Sakai, arXiv:1806.00349 YH, H. Kawai, K. Sakai, to appear

465 views • 22 slides
Stability results for non-autonomous dynamical systems Cecilia Gonz alez Tokman (

Stability results for non-autonomous dynamical systems Cecilia Gonz alez Tokman (

Stability results for non-autonomous dynamical systems Cecilia Gonz alez Tokman ( Collaborators: G. Froyland, R. Murray & A. Quas ) New Developments in Open Dynamical Systems and Their Applications Banff International Research Station, 19

738 views • 59 slides

More recommend