KRB-CCN: Lightweight Authentication & Access Control for Private - - PowerPoint PPT Presentation



slide-1
SLIDE 1

KRB-CCN: Lightweight Authentication & Access Control for Private Content-Centric Networks

Ivan O. Nunes and Gene Tsudik University of California Irvine {ivanoliv, gene.tsudik}@uci.edu

ACNS 2018 1

slide-2
SLIDE 2

Agenda

ACNS 2018 2

  • CCN Overview
    – Authentication and AC in CCN
  • Kerberos
  • KRB-CCN
    – Design
    – Security
    – Implementation & Evaluation
  • Final Remarks
slide-3
SLIDE 3

CCN Overview

ACNS 2018 3

slide-4
SLIDE 4

Content-Centric Networking:

ACNS 2018 4

  • Named data, instead of host addresses:
    – /edu/uci/ics/ivan/krbccn-paper.pdf
  • Decouples content from its location
  • Optional in-network caching: potentially better network utilization, lower latency...

slide-5
SLIDE 5

Content-Centric Networking:

ACNS 2018 5

  • Network entities:
    – Producers: generate and publish contents under unique names (each producer owns a name prefix)
    – Consumers: issue “interests” that carry the names of the contents they request
    – Routers: forward interests and contents
      • May cache content
slide-6
SLIDE 6

Content-Centric Networking:

ACNS 2018 6

slide-14
SLIDE 14

Content-Centric Networking: Overview

ACNS 2018 14

Routing:
  – Pending Interest Table (PIT):
    • Table of pending interests and corresponding incoming interfaces
    • Used to route the content back to the requesting consumer
  – Forwarding Interest Base (FIB):
    • Table of name prefixes and corresponding outgoing interfaces
    • Used to route interests towards content producers (Longest Prefix Match of names)
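The PIT/FIB behaviour summarised on this slide, as an added Python example (it is not code from the slides, the paper, or the CCNx stack): a toy forwarder with a FIB keyed by name prefix, a component-wise longest-prefix-match lookup, and a PIT that aggregates duplicate interests and uses the recorded incoming faces to route content back to every consumer that asked. Face numbers, the route entries and the content names are constructed for the demo; only the /edu/uci/ics/ivan/... name follows the slides.

```python
from collections import defaultdict

class Router:
    """Toy CCN forwarder: FIB (name prefix -> outgoing face) and PIT (name -> faces awaiting content)."""
    def __init__(self):
        self.fib = {}                  # "/edu/uci/ics" -> face id
        self.pit = defaultdict(list)   # pending content name -> incoming faces that requested it
        self.cache = {}                # optional in-network content store

    def add_route(self, prefix, face):
        self.fib["/" + prefix.strip("/")] = face

    def lookup(self, name):
        """Longest-prefix match of a hierarchical name against the FIB, one name component at a time."""
        comps = name.strip("/").split("/")
        for k in range(len(comps), 0, -1):
            candidate = "/" + "/".join(comps[:k])
            if candidate in self.fib:
                return self.fib[candidate]
        return None   # no route: the interest cannot be forwarded

    def on_interest(self, name, in_face):
        """Returns (action, face): served from cache, aggregated into an existing PIT entry,
        forwarded on the FIB face, or dropped."""
        if name in self.cache:
            return ("content", in_face)
        if name in self.pit:                 # same name already pending: do not forward it again
            self.pit[name].append(in_face)
            return ("aggregated", None)
        out = self.lookup(name)
        if out is None:
            return ("drop", None)
        self.pit[name].append(in_face)       # remember who asked, so the content can find its way back
        return ("forward", out)

    def on_content(self, name, data):
        """Content consumes its PIT entry: returns the faces to send it down; unsolicited content is dropped."""
        faces = self.pit.pop(name, [])
        if faces:
            self.cache[name] = data
        return faces

def demo():
    """Constructed routes and faces; the content name follows the slides' /edu/uci/ics/... example."""
    r = Router()
    r.add_route("/edu/uci", 1)
    r.add_route("/edu/uci/ics", 2)
    r.add_route("/com", 3)
    paper = "/edu/uci/ics/ivan/krbccn-paper.pdf"
    return [
        r.on_interest(paper, 10),                        # ('forward', 2): /edu/uci/ics beats /edu/uci
        r.on_interest(paper, 11),                        # ('aggregated', None): second consumer piggybacks
        r.on_interest("/edu/uci/www/index.html", 12),    # ('forward', 1): only /edu/uci matches
        r.on_interest("/org/example/x", 13),             # ('drop', None): no FIB entry at all
        r.on_content(paper, b"pdf bytes"),               # [10, 11]: the PIT routes content to both consumers
        r.on_content("/edu/uci/nobody-asked", b"x"),     # []: unsolicited content, not cached
        r.on_interest(paper, 14),                        # ('content', 14): now served from the cache
    ]
```

Note that a second interest for a name that is already pending never reaches the producer: the PIT entry simply gains another waiting face, which is where the aggregation and caching benefits on the earlier slides come from.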

slide-17
SLIDE 17

CCN Security

ACNS 2018 17

  • The architecture demands that content is signed by its producer
  • Some IP-equivalent services have been proposed:
    – Anonymity networks, VPNs, TLS-like key exchange...
  • Currently 2 flavors of AC:
    – CBAC: inability to decrypt unauthorized content
    – IBAC: inability to request (generate interests for) unauthorized content
      • must be used jointly with CBAC
slide-22
SLIDE 22

CCN Security

ACNS 2018 22

  • Issues with current approaches for AC:
    – Producer Overhead: producers are responsible for handling consumer authentication and content AC on their own
    – Consumer Privacy: AC enforced by producers implies sacrificing consumer privacy
    – Policy Changes: it is difficult to react to policy changes, e.g., access revocation for a given consumer
    – Confidentiality: if the consumer is authenticated by other means, e.g., passwords or biometrics, each producer would have to store and manage potentially sensitive state information
  • What else can we do?
slide-23
SLIDE 23

Kerberos

ACNS 2018 23

slide-24
SLIDE 24

Kerberos Overview

ACNS 2018 24

  • Since the mid-1980s, Kerberos has been successfully and widely used for authentication and AC in IP-based private networks
  • Separate entities for authentication, AC, and services
  • Solves the aforementioned issues of other approaches for authentication and AC in CCNs
  • Suited for private networks (within an autonomous system)
slide-29
SLIDE 29

Kerberos Overview

ACNS 2018 29

  • Authentication and AC service for private networks and autonomous systems
  • 3 rounds:
    1 - Authentication Request: generates a TGT (Ticket-Granting Ticket) that serves as a “proof” of authentication
    2 - Authorization Request: generates an ST (“Service Ticket”) that serves as a “proof” of authorization
    3 - Service Request: execution of / access to the actual service/data (authenticated both ways)

slide-30
SLIDE 30

KRB-CCN

ACNS 2018 30

slide-31
SLIDE 31

KRB-CCN: Big Picture

ACNS 2018 31

slide-32
SLIDE 32

Design

ACNS 2018 32

  • Parties:
    – TGT Producer (TGT-Prod):
      • Verifies identity
      • Produces a TGT
slide-37
SLIDE 37

Design

ACNS 2018 37

  • Authentication (Between Consumer and TGT-Prod)

Figure annotations:
  – Encrypted using a key shared between TGT-Prod and CGT-Prod
  – Same key as in the token
  – Someone else cannot decrypt the token

slide-38
SLIDE 38

Design

ACNS 2018 38

  • Parties:
    – TGT Producer (TGT-Prod):
      • Verifies identity
      • Produces a TGT
    – CGT Producer (CGT-Prod):
      • Verifies TGT and AC policy
      • Produces a CGT
slide-39
SLIDE 39

Design

ACNS 2018 39

  • Authorization (Between Consumer and CGT-Prod)

Content’s name prefix, e.g.: edu/uci/ivan/*

slide-40
SLIDE 40

Design

ACNS 2018 40

  • Authorization (Between Consumer and CGT-Prod)

Content’s name prefix, e.g.: edu/uci/ivan/*

slide-41
SLIDE 41

Design

ACNS 2018 41

  • Authorization (Between Consumer and CGT-Prod)

Content’s name prefix, e.g.: edu/uci/ivan/* Kp shared between CGT-Prod and Content Producer

slide-42
SLIDE 42

Design

ACNS 2018 42

  • Authorization (Between Consumer and CGT-Prod)

Content’s name prefix, e.g.: edu/uci/ivan/* Kp shared between CGT-Prod and Content Producer From authentication phase: only UID has this key

slide-43
SLIDE 43

Design

ACNS 2018 43

  • Authorization (Between Consumer and CGT-Prod)

Figure annotations:
  – Content’s name prefix, e.g.: edu/uci/ivan/*
  – Someone else cannot decrypt the token
  – Kp shared between CGT-Prod and Content Producer
  – From authentication phase: only UID has this key

slide-44
SLIDE 44

Design

ACNS 2018 44

  • Parties:
    – TGT Producer (TGT-Prod):
      • Verifies identity
      • Produces a TGT
    – CGT Producer (CGT-Prod):
      • Verifies TGT and AC policy
      • Produces a CGT
    – Content Producer:
      • Verifies CGT
      • Produces content/service
slide-49
SLIDE 49

Design

ACNS 2018 49

  • Content requests (Between Consumer and Producer)

Figure annotations:
  – No UID, only CGT!
  – From authorization phase: only UID has this key
  – Someone else cannot access content D!

slide-50
SLIDE 50

Design

ACNS 2018 50

  • Content requests (Between Consumer and Producer)

Mutual Authentication Support

slide-51
SLIDE 51

Design

ACNS 2018 51

  • TGTs and CGTs can be cached and re-used until expiration (e.g., 8h, 24h ...)
  • KRB-CCN execution on the consumer is transparent and automatic
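The three KRB-CCN rounds from the Design slides (authentication with TGT-Prod, authorization with CGT-Prod, the content request verified by the producer), together with the ticket caching and mutual-authentication points on slides 50 and 51, as an added Python simulation. This is not the paper's code and uses neither CCNx nor libsodium. The message field names (`uid`, `key`, `exp`, `ts`, `nonce`, `prefix`), the authenticator format, the name `k_tgs` for the key shared between TGT-Prod and CGT-Prod, and the HMAC/SHAKE-based `seal`/`unseal` construction standing in for an authenticated-encryption primitive are all assumptions of this example; the slides only state which party holds which key and what each ticket proves. The demo checks the three properties the slide annotations call out: a token sealed under a key the holder lacks cannot be opened, the content interest carries the CGT but no UID, and a replayed authenticator is rejected.

```python
import hashlib, hmac, json, os, time

LIFETIME = 8 * 3600  # tickets are cached and re-used until expiry (slides: e.g., 8h, 24h)
# Toy authenticated encryption, an assumed stand-in for libsodium's secretbox (demo only):
# SHAKE-256 keystream from key||nonce, then an HMAC-SHA256 tag over nonce||ciphertext.
def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict; returns nonce||ct||tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered token")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def _fresh(auth, window=300):  # authenticators carry a timestamp; outside the window they count as stale
    return abs(time.time() - auth["ts"]) < window

class TGTProducer:  # round 1: verifies identity, produces a TGT sealed under k_tgs (shared with CGT-Prod)
    def __init__(self, user_keys, k_tgs):
        self.user_keys, self.k_tgs = user_keys, k_tgs
    def authenticate(self, uid, auth):
        a = unseal(self.user_keys[uid], auth)  # consumer proves knowledge of its long-term key
        if a["uid"] != uid or not _fresh(a):
            raise ValueError("identity check failed")
        k_sess, exp = os.urandom(32).hex(), time.time() + LIFETIME
        tgt = seal(self.k_tgs, {"uid": uid, "key": k_sess, "exp": exp})   # only CGT-Prod can open it
        return tgt, seal(self.user_keys[uid], {"key": k_sess, "exp": exp})  # same key, readable only by uid

class CGTProducer:  # round 2: verifies TGT and AC policy, produces a CGT sealed under Kp (shared with producer)
    def __init__(self, k_tgs, policy, producer_keys):
        self.k_tgs, self.policy, self.producer_keys = k_tgs, policy, producer_keys
    def authorize(self, prefix, tgt, auth):
        t = unseal(self.k_tgs, tgt)
        a = unseal(bytes.fromhex(t["key"]), auth)  # only the authenticated UID holds this key
        if time.time() > t["exp"] or a["uid"] != t["uid"] or not _fresh(a) or prefix not in self.policy.get(t["uid"], ()):
            raise PermissionError("TGT invalid, or the policy denies this prefix")
        k_c, exp = os.urandom(32).hex(), time.time() + LIFETIME
        cgt = seal(self.producer_keys[prefix], {"prefix": prefix, "key": k_c, "exp": exp})
        return cgt, seal(bytes.fromhex(t["key"]), {"key": k_c, "exp": exp})

class ContentProducer:  # round 3: verifies the CGT carried in the interest (no UID), serves content under the CGT key
    def __init__(self, kp, store):
        self.kp, self.store, self.seen = kp, store, set()
    def serve(self, interest):
        c = unseal(self.kp, interest["cgt"])
        a = unseal(bytes.fromhex(c["key"]), interest["auth"])
        name = interest["name"]
        if time.time() > c["exp"] or not name.startswith(c["prefix"]) or a["name"] != name:
            raise PermissionError("CGT does not cover this name")
        if not _fresh(a) or a["nonce"] in self.seen:  # replay guard: each authenticator is single-use
            raise ValueError("replayed or stale authenticator")
        self.seen.add(a["nonce"])
        # Sealing the reply under the CGT key also authenticates the producer to the consumer.
        return seal(bytes.fromhex(c["key"]), {"name": name, "data": self.store[name]})

class Consumer:  # runs the rounds transparently, re-using cached TGT/CGTs until they expire
    def __init__(self, uid, k_uid, tgt_prod, cgt_prod):
        self.uid, self.k_uid, self.tgt_prod, self.cgt_prod, self.tgt, self.cgts = uid, k_uid, tgt_prod, cgt_prod, None, {}
    def _get_tgt(self):
        if self.tgt is None or time.time() > self.tgt[1]["exp"]:
            tgt, reply = self.tgt_prod.authenticate(self.uid, seal(self.k_uid, {"uid": self.uid, "ts": time.time()}))
            self.tgt = (tgt, unseal(self.k_uid, reply))
        return self.tgt
    def _get_cgt(self, prefix):
        if prefix not in self.cgts or time.time() > self.cgts[prefix][1]["exp"]:
            tgt, sess = self._get_tgt()
            k = bytes.fromhex(sess["key"])
            cgt, reply = self.cgt_prod.authorize(prefix, tgt, seal(k, {"uid": self.uid, "ts": time.time()}))
            self.cgts[prefix] = (cgt, unseal(k, reply))
        return self.cgts[prefix]
    def interest(self, name, prefix):  # content interest: name, CGT and a fresh authenticator; no UID
        cgt, c = self._get_cgt(prefix)
        auth = seal(bytes.fromhex(c["key"]), {"name": name, "ts": time.time(), "nonce": os.urandom(8).hex()})
        return {"name": name, "cgt": cgt, "auth": auth}
    def fetch(self, name, prefix, producer):
        reply = producer.serve(self.interest(name, prefix))
        return unseal(bytes.fromhex(self._get_cgt(prefix)[1]["key"]), reply)["data"]

def demo():
    """Constructed setup (random keys, consumer 'alice', one producer prefix); returns the checks made."""
    k_alice, k_tgs, kp, prefix = os.urandom(32), os.urandom(32), os.urandom(32), "/edu/uci/ivan/"
    producer = ContentProducer(kp, {prefix + "krbccn-paper.pdf": "paper bytes"})
    alice = Consumer("alice", k_alice, TGTProducer({"alice": k_alice}, k_tgs),
                     CGTProducer(k_tgs, {"alice": [prefix]}, {prefix: kp}))
    i = alice.interest(prefix + "krbccn-paper.pdf", prefix)
    out = {"data": alice.fetch(prefix + "krbccn-paper.pdf", prefix, producer), "uid_in_interest": "uid" in i}
    producer.serve(i)
    for label, attempt in (("replay_rejected", lambda: producer.serve(i)),            # same authenticator twice
                           ("foreign_key_rejected", lambda: unseal(os.urandom(32), alice.tgt[0]))):
        try:
            attempt()
            out[label] = False
        except ValueError:
            out[label] = True
    return out
```

The producer never learns the UID: it checks only that the CGT opens under Kp, that its prefix covers the requested name, and that the authenticator is fresh and unused; revoking a consumer is a policy change at CGT-Prod alone, which takes effect as soon as that consumer's cached CGT expires.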

slide-52
SLIDE 52

Implementation & Evaluation

ACNS 2018 52

slide-53
SLIDE 53

Implementation & Evaluation

ACNS 2018 53

  • Authentication and AC services as special-purpose producers
  • CCNx software stack (C)
  • Libsodium crypto library (C)
  • Intel Core i7-3770 octacore CPU @3.40GHz, with 16GB of RAM, running Linux (Ubuntu 14.04 LTS)
  • Content payload sizes set to 10 kilobytes
slide-54
SLIDE 54

KRB-CCN: Evaluation

ACNS 2018 54

Testbed Network (Minimal):

slide-55
SLIDE 55

KRB-CCN: Evaluation

ACNS 2018 55

  • Metrics:
    – Processing Time
    – Throughput (Mbps)
    – Avg. RTT (seconds)

slide-56
SLIDE 56

KRB-CCN: Evaluation

ACNS 2018 56

  • Processing Time:
slide-57
SLIDE 57

KRB-CCN: Evaluation

ACNS 2018 57

  • Round-Trip Time (RTT):
slide-58
SLIDE 58

KRB-CCN: Evaluation

ACNS 2018 58

  • Content Throughput:
slide-59
SLIDE 59

Conclusion

ACNS 2018 59

  • KRB-CCN enables efficient authentication and AC for private (intra-AS) CCNs
  • Mutual authentication: Consumer-Producer
  • Consumer privacy and content confidentiality are preserved (resistant to replay attacks)