Content Confidentiality in Named Data Networking
Aleksandr Lenin, Peeter Laud
Cybernetica AS
aleksandr.lenin|[email protected]
February 23, 2021
Abstract
In this paper we present the design of a name-based access control scheme which facilitates data confidentiality by applying end-to-end encryption to data published on NDN with flexible fine-grained access control, which allows to define and enforce access policies on published data. The scheme is based on ciphertext-policy attribute-based encryption (CP-ABE). We discuss the use of the scheme on the basis of two use cases, and report the overhead associated with it, based on our implementation.
Named Data Networking (NDN) is one of five projects funded by the U.S. National Science Foundation under its Future Internet Architecture Program [33]. Named Data Networking builds upon the results of an earlier project, Content-Centric Networking (CCN), while both NDN and CCN are instances of a more general network research direction called Information-Centric Networking (ICN), under which different future network architecture designs have emerged [25, 33]. CCN originally proposed a transition from today's connection-oriented IP networks to content-centric architectures, and NDN develops these ideas even further. Currently, named data networking exists as a testbed prototype built as an overlay network on top of the IP network, but active research is going on to investigate possibilities to replace the IP stack with the NDN stack [4].

The main design principle of NDN and the distinction from IP networks is that IP networks are communication networks, where packets address nodes that are communication endpoints in the network, while NDN is a distribution network, which focuses on solving the content distribution problem. Solving this problem over a communication network is complex and error-prone [33].

The main innovation of NDN is the approach to change the transport layer in the network protocol stack, such that packets name content objects, rather than communication endpoints. This changes the semantics of the network from delivering packets to a given destination to fetching data identified by given names [33]. This change is conjectured to help solve not only end-to-end communication, but also content distribution and control problems.

∗ This research has been funded by the Defense Advanced Research Projects Agency (DARPA) under contract HR0011-17-C-0111. The views, opinions, and/or findings expressed are those of the author(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.
NDN follows a data-centric security approach, in which the content producer is required to sign all the data packets it generates. This ensures the integrity and authenticity of a data packet. It allows to decouple the consumer's trust from the network node that served the content, and replaces it with trust towards the producer directly, thus allowing the consumers to decide if they trust a given data producer as a reliable source of the requested content. Trust management is the most challenging part of the NDN architecture, and several models, hierarchical as well as ones based on the web of trust, have been proposed, but still the problem of establishing trust remains an open question [33].

While integrity properties in data-centric networks are easy to state and compare with similar properties in connection-centric networks, the issues with confidentiality properties are less clear-cut. In a connection-centric network, the integrity of a channel means that (i) it is known where the source of the channel is, and (ii) the messages on the channel are not being tampered with. From these properties one may deduce that whenever one receives a data item over a channel with integrity, then the source of that data item will be known and that source intended to send this data item. The same properties are ensured by the cryptographic primitive of digital signatures, and their preservation is not affected by the manner in which the data item moves across the network. A confidential channel is one where (i) its sink is known, and (ii) the messages on the channel cannot be observed. Its analogue in a data-centric network is less clear.

In a data-centric network, end-to-end confidentiality for a piece of data would have to be meaningful independently of considering any server or network node that stores this content.
It is definitely possible to use the routing mechanisms of NDN to distribute encrypted content, and also to distribute the decryption keys, protecting the latter with public-key encryption of some sort. In a sense, this would simulate the confidentiality properties of connection-centric networks: a publisher has a list of recipients (with their public keys) for its content, and makes the content available only to them.

Publishers face two problems: key distribution and key management. In order to grant content access to authorized consumers, the publisher needs to deliver to each of the consumers their individual decryption key in a secure way. This can be achieved by publishing as many short messages (encryptions of the key) as there are recipients, each of them meaningful only to a single recipient. A better way would somehow separate out the group of recipients, with the publisher not required to keep a comprehensive list of them, but still somehow matching the intent of the publisher.

In this paper we make no assumptions regarding the existence of an established trust model, nor the existence of trusted authorities in the NDN network. We look for a solution that would not increase the complexity of the NDN network by assigning trusted certifying authorities, and will be using self-certifying public keys instead. There exist relatively recent results in cryptography research which reconsider the concept of public key cryptography: identity-based encryption (IBE) and attribute-based encryption (ABE). In a typical public key cryptosystem, a user is assigned one or more keypairs, and every keypair consists of a private and a public key. Identity-based encryption changed the common understanding of public key cryptography by allowing the public key of a user to be an arbitrary string (i.e. an email address, a phone number, a state-issued identification code, etc.). For anyone to encrypt something using IBE, all one needs to know is the public string identity of the recipient.
This identity is directly used for encryption, and the recipient's public key is explicitly derived from this public identity. On the other hand, attribute-based encryption (ABE) has taken it even further away from the traditional understanding of public key cryptography, and defines the user's identity not as one single piece of information, not as one single token, but as a set of strings, which are called attributes. ABE allows to encrypt a message for a set of specific attributes, so that only users holding private keys that match this set of attributes can decrypt the message. In an ABE scheme, the users' keys are issued by some trusted party, usually called the key distribution center (KDC). Each producer may fulfill the role of a KDC by properly verifying the identities of its clients and issuing private keys to authorized customers. This approach replaces the trust model based on globally trusted certifying authorities with trust towards the content publisher, and the publisher itself being the trust anchor is a feature naturally occurring in NDN.

Attribute-based encryption can be viewed as a secret sharing scheme with a general access structure, encoded by a set of ABE attributes. ABE permits fine-grained access control over the attributes and allows to express access policies in a form semantically equivalent to a Boolean function, as a logic statement over the attributes. Depending on the location of the access structure, two versions of ABE may be distinguished: ciphertext-policy attribute-based encryption (CP-ABE) and key-policy attribute-based encryption (KP-ABE). In CP-ABE, the ciphertext contains the access structure and defines an access policy over a global set of users' attributes. The users' keys contain attributes that specify the users' access permissions, and the users whose key attributes match the access structure in a ciphertext get access to the shared secret, which is usually a symmetric key.
In KP-ABE, on the contrary, the access policy is located in the users' private keys and specifies which ciphertexts this key is permitted to decrypt, while the ciphertexts contain attributes describing the type of content. Only the ciphertexts whose attributes match the access structure of a given key will be correctly decrypted by that key.
For the data-centric access control that the NDN ideology strives for, we compare CP-ABE solutions with KP-ABE solutions. In the case of KP-ABE, the access policy is located in the users' keys, which in itself is not really data-centric. The publisher attaches a set of attributes to the content, specifying which keys are able to decrypt it. Changing the access policy necessitates a re-key process during which users are issued new private keys containing the new, updated access policy. In the case of CP-ABE, the access policy is contained within the published content, independently of the users' keys. If there is a need to update the access policy, the publisher can re-encrypt the content with a new access policy, and no changes are required to the users' keys. The ABE primitive can be used for broadcast encryption, and in this case it is called attribute-based broadcast encryption (ABBE); depending on whether it is the key-policy or the ciphertext-policy version, they are called KP-ABBE and CP-ABBE correspondingly. It is more in line with the data-centric access control ideology to allow the access policy to be attached to the content itself, rather than to the keys possessed by the users, and thus CP-ABBE fits our problem best.

CP-ABBE also seamlessly integrates with the organizational role hierarchy as described in our second scenario. A publisher can encrypt some content to a particular group of users by encrypting the content to the attributes shared among all the users of the group. For example, one may encrypt the content using the attributes "senior academic personnel" and "computer science department", and all the users whose keys have both of these attributes will be granted access to the published content.
The publisher doesn't even need to know who exactly the senior academic personnel in the computer science department are: all one ever needs to know is that the intended recipients share the "senior academic personnel" and "computer science department" attributes. Such abstraction mechanisms make CP-ABBE a much more powerful alternative compared to IBE solutions, where one needs to explicitly list all the identities of the recipients. The abstract attributes offered by CP-ABBE bring along some difficulties related to efficient attribute revocation. Several users may share the same abstract attribute, and quite often there is a need to revoke the access of one specific user only, without affecting the others who share the same attribute. Therefore we are focusing our attention on CP-ABBE schemes having efficient revocation capabilities. Revocation in CP-ABE schemes comes at a price, and despite active research being conducted to tackle this problem, there are only a handful of solutions that offer efficient revocation capabilities. Such CP-ABBE schemes increase the flexibility of access control at the cost of reduced efficiency, as compared to CP-ABBE schemes without revocation capabilities.

In this paper we present a concrete implementation of a CP-ABBE scheme, its integration with NDN, and measurements of the overheads it creates. We present and discuss two case studies where this implementation is useful; our measurements of overheads are tightly related to the usage scenarios in one of the case studies.
Bethencourt et al. [3] present a CP-ABE scheme with a monotone access structure. The authors call it the monotonic access tree, which is a tree structure where every node is a threshold gate. This structure naturally supports the Boolean semantics via AND- and OR-type gates, and besides those more general m-of-n threshold gates. A key can decrypt the content encrypted under such an access structure if the assignment of attributes to the tree leaves, corresponding to the attributes in the key, satisfies the access tree. The monotone access structure can be seen as a limitation of the scheme, since it doesn't support efficient attribute revocation. To support non-monotone access structures, for every attribute s, the authors suggest to introduce another attribute ŝ that would correspond to the negated s. This construction would result in doubling the number of attributes. Since in CP-ABBE schemes the size of the ciphertext tends to grow linearly in the number of attributes, doubling the number of attributes is equal to doubling the size of the ciphertext. If a user's key is identified with n attributes, the key contains 2n + 1 bilinear group elements, and key generation requires 2(n + 1) exponentiations. The ciphertext contains an access tree, a blinded message, and 2k + 1 bilinear group elements, where k is the number of leaf nodes in the access tree. The encryption operation requires 2(k + 1) exponentiations. If an access tree has u leaves and v non-leaf nodes, decryption requires 2u pairing computations and v exponentiations. The authors prove semantic security in the generic bilinear group model. Although the authors did not prove CCA security, they mentioned that it is possible to do so by applying certain techniques to their scheme. The authors state that their system is collusion-resistant, however they do not quantify the collusion resistance property of their system.

Emura et al. [5] propose a new ciphertext-policy attribute-based encryption (CP-ABE) with constant ciphertext length, where the number of pairing computations is also constant. The access structure is a set of attributes, where every attribute may take on one of three values: positive (the attribute is required), negative (the attribute is negated and must not be present in the key), or wildcard (the access structure is indifferent w.r.t. the presence or absence of a specific attribute in the key). The scheme supports the possibility to add new attributes after the setup phase without breaking the security properties. The authors prove CPA security under the DBDH assumption. Key generation requires 3 exponentiations, and the user's private key contains 2 group elements. If W = [W_1, ..., W_n] is an access structure, then the encryption operation takes 2 exponentiations, as well as |W| multiplications, and the cryptogram contains the access structure W and 3 group elements. The decryption operation requires 3 exponentiations, as well as 2 pairing computations.

Zhou et al. [36] proposed a new construction of CP-ABE, named Constant-size CP-ABE (CCP-ABE), and a corresponding broadcast version CCP-ABBE having constant ciphertext size. The scheme uses an AND-gate access policy, where an attribute is labeled as positive, negative, or wildcard (any). The authors prove CPA security under the decisional bilinear Diffie-Hellman exponent (K-BDHE) assumption. If there are k attributes in the system, key generation requires 2k + 1 exponentiations, and the size of the key is also 2k + 1. Encryption requires 2 exponentiations. The ciphertext, apart from the access structure and the encrypted message, contains 2 additional group elements, which are bounded by 300 bytes total. Decryption takes 1 pairing computation.

Yamada et al. [26] propose a CP-ABE scheme with a non-monotone access structure and constant size of the master public key.
The private key contains 4k + 2 bilinear group elements, where k is the number of attributes in the key. The key generation procedure requires 8k + 3 exponentiations. The ciphertext contains 3n + 2 group elements, where n is the number of elements used in the access policy. Encryption requires 5n + 2 exponentiations and 1 pairing computation. Decryption requires 3l + m(2k + 1) pairing computations, where l is the number of non-negated attributes in the key, and m is the number of negated attributes in the key, such that k = l + m. The authors prove selective security under a new n-(B) assumption which is secure in the generic group model.

Li et al. [16] suggest a CP-ABE scheme with a non-monotone access structure based on ordered binary decision diagrams (OBDD). Access policies expressed in the form of OBDDs are therefore semantically equivalent to Boolean functions. The size and generation time of the users' private keys are constant. The private key contains 2 bilinear group elements, and key generation requires 2 exponentiations. The ciphertext contains 2 + k bilinear group elements, where k is the number of valid paths in the OBDD, and encryption requires 2 + k exponentiations. The decryption operation requires OBDD traversal, hence the time complexity is proportional to the OBDD size, and it appears that it requires 2 pairing computations for every branch in the OBDD access structure. The authors prove collusion resistance and CPA security under the bilinear DH assumption.

Roy et al. [22] present a CP-ABE scheme that uses an access structure in the form of an access tree, and hence supports positive as well as negative attributes, and is semantically equivalent to a Boolean function. One of the distinct features of this encryption scheme is that attributes are allowed to change over time. The user's private key contains 2 + 4n bilinear group elements, and its generation takes 2 + 4n exponentiations, where n is the number of attributes in the key.
The ciphertext contains 2 + 2k + 3m bilinear group elements, and encryption takes 2 + 2k + 3m exponentiations, where k is the number of non-negated attributes and m is the number of negated attributes in an access structure. Decryption requires 2s pairing computations, as well as 3t + 1 exponentiations, where s is the number of non-negated attributes in the leaves of the access tree, and t is the number of non-leaf nodes in the access tree structure.

Lubicz et al. [18] propose a CP-ABBE scheme using a monotone AND-gate as an access structure, with revocation capabilities that are external to the access structure. The private key contains 2 + n bilinear group elements, where n is the number of attributes in the key. Key generation requires 2 + n elliptic group multiplications. The ciphertext contains k + 3 bilinear group elements, where k is the number of revoked attributes. Encryption requires 3 + k elliptic group multiplications, and decryption requires 3 pairing computations. The authors prove full collusion security in the generic model of groups with pairing.

Li et al. [17] propose a CP-ABBE scheme that supports any monotone access structure. It can be adapted to support user revocation by doubling the number of attributes and introducing a negated version for every attribute. The authors prove, through a dual system encryption methodology, that their system is fully secure under the composite order bilinear groups assumption. If n is the number of attributes in the key, m is one less than the total number of users in the system, and k is the number of attributes in an access structure, then key generation requires 3 + n + m exponentiations, encryption requires 1 pairing computation as well as 3(k + 1) exponentiations, and decryption requires 1 pairing computation. A private key contains 2 + n + m bilinear group elements, and a ciphertext contains 3 + 2k bilinear group elements.

Zhang et al. [32] propose a CP-ABBE scheme offering recipient anonymity by hiding the access structure.
Key generation requires 4 + n exponentiations, where n is one less than the total number of users in the system. The private key contains 3 + n bilinear group elements. Encryption takes 1 pairing computation and 4 exponentiations. Decryption requires 4 pairing computations. The ciphertext contains 4 bilinear group elements.

Asim et al. [2] propose a CP-ABBE scheme that uses an AND/OR access tree structure and supports revocation that is external to the access structure. The authors prove their scheme is secure under the DBDH assumption. The private key contains 3 + n bilinear group elements, where n is the number of attributes in the key. Key generation requires 3 + n exponentiations. The ciphertext contains 3 + t + s bilinear group elements, where t is the number of attributes in the access policy, and s is the number of revoked attributes. Encryption requires 3 + t + s exponentiations and 2 pairing computations. Decryption requires 4 pairing computations and 2 exponentiations.

Junod et al. [13] propose a CP-ABBE system with access policies supporting AND, OR, and NOT gates. The authors prove semantic security and collusion resistance in the generic group model with pairings. The private key contains 2n + s + t bilinear group elements, where n is the total number of attributes in use, s is the number of non-negated attributes in the key, and t is the number of negated attributes in the key. Key generation requires n exponentiations, encryption requires 1 pairing computation as well as 2 + k exponentiations, and decryption requires 2 pairing computations as well as k exponentiations. The ciphertext contains 3 bilinear group elements.

Fotiou et al. [7] mention that traditional forms of encryption introduce significant overhead when it comes to sharing content with large and dynamic groups of users, with proxy re-encryption being a convenient solution.
The authors use Identity-Based Proxy Re-Encryption (IBPRE) to provide confidentiality and access control for content items shared over ICN, realizing secure content distribution among dynamic sets of users. The suggested approach does not suffer from the key escrow problem, as is the case with a similar approach IB-PRE, and does not require out-of-band secret key distribution.

Mannes et al. [19] suggest an access control solution for ICN by adapting and optimizing a proxy re-encryption scheme. The authors state that the proposed solution is perfectly aligned with ICN demands, simultaneously ensuring content protection against unauthorized access to contents retrieved from unrestricted in-network caches as well as access control policy enforcement for legitimate users.

Wood et al. [24] present a secure content distribution architecture for CCN that is based on proxy re-encryption. The design provides strong end-to-end content security and reduces the number of protocol messages required for user authentication and key retrieval. Unlike widely deployed solutions, the suggested solution is also capable of utilizing the opportunistic in-network caches in CCN. The authors also experimentally compare two proxy re-encryption schemes that can be used to implement the architecture, and describe the proof-of-concept application they developed over CCNx.

Misra et al. [20] propose a novel secure content delivery framework for an information-centric network, which will enable content providers (e.g., Netflix and YouTube) to securely disseminate their content to legitimate users via content distribution networks (CDNs) and Internet service providers (ISPs). Use of the framework will enable legitimate users to receive/consume encrypted content cached at a nearby router (CDN or ISP), even when the providers are offline. The framework could slash system downtime due to server outages, such as that recently experienced by Netflix, Pinterest, and Instagram users in the US (October 22, 2012).
It will also help the providers utilize in-network caches for shaping content transmission and reducing delivery latency. The authors discuss the handling of security, access control, and system dynamics challenges and demonstrate the practicality of the framework by implementing it on a CCNx testbed.

AccConF [21] is an efficient access control framework for ICN, which allows legitimate users to access and use the cached content directly, and does not require verification/authentication by an online provider authentication server or the content serving router.

Zhang et al. [35] present the design of name-based access control (NAC), which provides automated key management by developing systematic naming conventions for both data and cryptographic keys. The authors also discuss an enhanced version of NAC that leverages attribute-based encryption mechanisms (NAC-ABE) to improve the flexibility of data access control.

Yu et al. [30] present the design of Name-based Access Control (NAC), which implements the content-based access control model in Named Data Networking (NDN). The paper demonstrates how to make use of a naming convention to explicitly convey access control policy and efficiently distribute access control keys, thus enabling effective access control. The authors evaluate the scalability of NAC against CCN-AC, another encryption-based access control scheme.

Yingdi Yu in his Ph.D. thesis [28] introduces a data-centric security model for NDN which consists of two parts: data-centric authenticity and data-centric confidentiality. NDN achieves data-centric authenticity by mandating a per-packet signature, and data-centric confidentiality by data encryption. The dissertation presents a security framework to automate data-centric security of NDN and reduce the enabling overhead.
To achieve that, the author designed an NDN certificate system to facilitate public key distribution in NDN; a Trust Schema, a name-based policy language to specify the trust model, in order to automate fine-grained data authentication; a timestamp service, DeLorean, to address the authenticity problem of archival data; and an access control protocol, Name-based Access Control, to automate data-centric confidentiality at fine granularities.

Ghali et al. [8] state that caching makes it difficult to enforce access control policies on sensitive content, since routers only use interest information for forwarding decisions. The authors introduce Interest-Based Access Control (IBAC), which is a scheme for access control enforcement using only information contained in interest messages. It makes sensitive content names unpredictable to unauthorized parties. It supports both hash- and encryption-based name obfuscation. The solution also addresses interest replay attacks by formulating a mutual trust framework between producers and consumers that enables routers to perform authorization checks before satisfying interests from local caches. The proposed design is flexible and allows producers to arbitrarily specify and enforce any type of content access control, without having to deal with content encryption and key distribution.

Fotiou et al. [6] propose an access control enforcement delegation scheme which enables the purveyor of an information item to evaluate a request against an access control policy, without having access to the requestor's credentials nor to the actual definition of the policy. The authors state that such an approach has multiple merits: it enables the interoperability of various stakeholders, it protects user identity, and it can set the basis for a privacy-preserving mechanism. An implementation of the scheme supports its feasibility.

Hemanathan et al. [12] introduce a Role Based Content Access Control mechanism which provides the contents specific to a user based on the role to which the user was assigned. Each and every user is authenticated with an AAA server specifically designed for NDN and is validated against the access control policy. Only if a user has access to the content will the Content Packets be sent; otherwise access will be denied. In this method, when the Content Provider receives an Interest Packet from the user, it will be forwarded to the AAA server and, based on the response, the decision is made. In addition to that, NDN routers will also have an access table which will maintain the content name and the allowable and deniable enroll IDs. Based on the access table, it allows or denies access to the content packet or to the content provider. If there is no entry in the access table for the enroll ID, then it adds an entry into the Pending Validation Table and sends a validation request to the Content Provider (CP), which will validate with the AAA server and reply back with an allow or denial message.

Kurihara et al. [14] propose a comprehensive encryption-based access control framework for content centric networking (CCN), called CCN-AC. This framework is both flexible and extensible, enabling the specification, implementation, and enforcement of a variety of access control policies for sensitive content in the network. The design of CCN-AC heavily relies on the concept of secure content object manifests and leverages them to decouple encrypted content from access policy and specifications, for minimum communication overhead and maximum utilization of in-network caches. To demonstrate the flexibility of the framework, the authors also describe how to implement two sample access control schemes, group-based access control and broadcast access control, within the CCN-AC framework.

Hamdane et al. [10] use the generic and conceptual access control scheme called UCON_ABC to propose an optimum and secured data-centric access control model.
In the proposal, data is protected by encryption and a lock password, and access is managed by a centralized access control list (ACL).

Hamdane et al. [9] propose an encryption-based access control solution that does not require prior knowledge of all authorized entities. The solution assigns access rights based on certified encrypted credentials provided by the different entities. A formal security analysis is provided as well.

Shang et al. [23] present NDN-ACE, a lightweight access control protocol for constrained environments over Named Data Networking (NDN). NDN-ACE uses symmetric cryptography to authenticate the actuation commands on the constrained devices but offloads the key distribution and management tasks to a more powerful trusted third party. It utilizes hierarchical NDN names to express fine-grained access control policies that bind the identity of the command senders to the services they are authorized to access. The key management protocol in NDN-ACE allows the senders to update their access keys periodically without requiring tight synchronization among the devices. The evaluation shows that NDN-ACE has fewer message exchanges and uses fewer components in the overall network architecture compared to the IP-based alternatives.

Abdallah et al. [1] propose a Decentralized Access Control Protocol for ICN architectures (DACPI). In this protocol, fewer public messages are needed for access control enforcement between ICN subscribers and ICN nodes than in the existing access control protocols. DACPI depends on the ICN self-certifying naming scheme. The authors perform a security analysis of DACPI for the following attacks: man-in-the-middle, forward security, replay attacks, integrity, and privacy violations. According to the security analysis, DACPI prevents unauthorized access to ICN contents with fewer messages passed.

Zhang et al. [34] propose a new name-based trust and security protection mechanism.
The scheme is built with identity-based cryptography (IBC), where the identity of a user or device can act as a public key string. In a named content network, a content name or its prefixes can be used as public identities, with which content integrity and authenticity can be achieved using IBC algorithms. The trust of a content is seamlessly integrated with the verification of the content's integrity and authenticity with its name or prefix, instead of the public key certificate of its publisher. Flexible confidentiality protection is enabled between content publishers and consumers. For scalable deployment purposes the authors propose a hybrid scheme combining PKI and IBC.

Hamdane et al. [11] propose to enhance security in CCN/NDN projects. The authors first define requirements for their naming system in order to provide security services that bind both naming and content. Then, they propose a hybrid scheme which combines public-key infrastructure (PKI) and Hierarchical Identity-Based Cryptography (HIBC) in order to meet the defined requirements. This proposal represents a defense against a potential attack and perfectly fits in with the structures of the various objects of CCN/NDN.

Kurihara et al. [15] argue that explicitly given names of content make censorship easily enforceable in CCNs. The paper introduces an anonymization framework to circumvent censorship under the novel concept of consumer-driven access control to interest names and opportunities of cache recycling at network nodes. The framework leverages an arbitrary type of encryption-based access control and enables recycling of the CCN-specific content cache at intermediate nodes in the path of the anonymized communication. Furthermore, by combining CCNx manifests and nameless objects with the anonymization framework, it becomes possible to maximize the benefit of CCN-specific in-network caching simultaneously with minimizing the computational overhead and circumventing the censorship.
The authors claim this is the first anonymization framework for censorship circumvention designed with a CCN-specific approach.

Yu et al. [29] explore the ability of NDN to enable automated decision making about which key can sign which data, and the procedure of signature verification, through the use of trust schemas. Trust schemas give data consumers an automatic way to discover which keys to use to authenticate individual data packets, and give data producers an automatic decision process about which keys to use to sign data packets and, if keys are missing, how to create keys while ensuring that they are used only within a narrowly defined scope (the least privilege principle). The authors have developed a set of trust schemas for several prototype NDN applications with different trust models of varying complexity.

Yu et al. [31] propose an endorsement-based key management system, inspired by the concept of Web-of-Trust, to secure ChronoChat, a serverless group chat application over NDN. With the endorsement-based key management system, users in a chatroom can collaboratively authenticate each other's membership in the chatroom. The system also leverages the synchronization mechanism provided in ChronoChat for efficient key/endorsement distribution and revocation. They further extend the key management system to user identity authentication in a chatroom, enabling one user to authenticate another user's identity without resorting to any external public key infrastructure.

Yu [27] proposes a new NDN certificate format, discusses several approaches for serving certificates in NDN, and discusses the process of certificate revocation under the new certificate design.
We consider two case studies, where the set of communicating parties is relatively fixed, changes infrequently, or there are no performance requirements regarding the re-keying operation.

The first example is of a university that uses a cloud as a storage service. There is a need for fine-grained access control to ensure that content access is granted on a per-need basis, to those who need it for official purposes. Universities have a well established hierarchical structure of employee roles, as well as of structural units, and this structure stays fixed for a considerable amount of time (usually several years, until the next major university restructuring). Such a well established hierarchical structure implies that in the corresponding secret sharing scheme the access structure stays more or less fixed, and even if the solution implies a major re-key operation whenever the access structure changes, this might be acceptable, due to the scarcity of events which result in any changes to the access structure. Sometimes it may be necessary to revoke a particular user's access to a published material, thus a revocation mechanism must be in place. Revoked users should not be able to get access to any content that was published after the revocation event, even if several revoked users collude. For pre-existing content, such a revocation requires re-encryption of the content with a different access structure, in which a particular user or a group of users is explicitly marked as revoked. This is not the only use of the revocation mechanism, however. It is handy to exploit the hierarchical structure of the organizational units, and to assign specific attributes to those units. Quite often, information needs to be shared with an entire larger organizational unit, with the exception of some individual subgroups.
In this case, it is still very efficient to encrypt the content for the attribute of the larger organizational unit, and to revoke access for specific smaller sub-units to enforce the required access policy.

The second example is of group discussions. Consider a fixed set of users who wish to communicate in such a way that any participant can dynamically create a chat room with any subset of the set of all the other participants. The list of all the participants, as well as their credentials, is known to everyone. One participant may be a part of several chat rooms. User revocation is not much of an issue in the second example, assuming that there is no requirement to preserve the conversation history. New chat rooms can be created dynamically as needed. Every time a user joins or leaves a chat room, a re-key operation is performed, and the remaining group participants get their new credentials to continue communication. Technically, this is the creation of a new chat room with an increased or reduced number of participants.

Both examples describe use cases for a secret sharing scheme with general (non-monotone) access structures. The reason behind this choice is that uniform access structures (as opposed to general ones) lack expressivity and do not provide means for fine-grained access control. The non-monotonicity assumption widens the range of possible applications we wish to tackle and facilitates greater flexibility w.r.t. the possible set of solutions. It can be seen that a monotone access structure will not work for the university case (the first example above), since we might wish to share the contents with all members of a research group but exclude certain individuals, which breaks monotonicity.
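As an added example (not code from the paper or from its prototype), the following Go program makes the monotonicity distinction above concrete. It evaluates policies built from attributes with AND, OR and NOT, expresses the "encrypt for the larger unit, revoke specific sub-units or users" pattern as explicit exclusions appended to a broad policy, and decides by brute force over a small attribute universe whether a given access structure is monotone (no authorized attribute set loses access when more attributes are added). The attribute names (unit:faculty, group:lab-a, group:visitors, uid:alice) are constructed for the example, and the policy language is a plain boolean formula, not the Lubicz-Sirvent encoding.

```go
package main

import "fmt"

// Policy is a boolean formula over attribute names; the access structure it
// defines is the family of attribute sets on which Eval returns true.
type Policy interface {
	Eval(attrs map[string]bool) bool
}

type Attr string            // one attribute, e.g. "unit:faculty"
type Not struct{ P Policy } // negation is what makes a structure non-monotone
type And []Policy
type Or []Policy

func (a Attr) Eval(s map[string]bool) bool { return s[string(a)] }
func (n Not) Eval(s map[string]bool) bool  { return !n.P.Eval(s) }

func (c And) Eval(s map[string]bool) bool {
	for _, p := range c {
		if !p.Eval(s) {
			return false
		}
	}
	return true
}

func (d Or) Eval(s map[string]bool) bool {
	for _, p := range d {
		if p.Eval(s) {
			return true
		}
	}
	return false
}

// Set builds the attribute set a user's private key carries.
func Set(attrs ...string) map[string]bool {
	s := make(map[string]bool, len(attrs))
	for _, a := range attrs {
		s[a] = true
	}
	return s
}

// Revoke is the university pattern: keep the broad policy p and explicitly
// exclude the given attributes (sub-units, or per-user identifiers).
func Revoke(p Policy, excluded ...string) Policy {
	out := And{p}
	for _, a := range excluded {
		out = append(out, Not{Attr(a)})
	}
	return out
}

// IsMonotone enumerates every subset of universe and checks that adding one
// attribute never turns an authorized set into an unauthorized one (by
// transitivity that covers all supersets). Exponential in len(universe).
func IsMonotone(p Policy, universe []string) bool {
	n := len(universe)
	auth := make([]bool, 1<<n)
	for m := range auth {
		s := map[string]bool{}
		for i, a := range universe {
			if m&(1<<i) != 0 {
				s[a] = true
			}
		}
		auth[m] = p.Eval(s)
	}
	for m := range auth {
		for i := 0; i < n; i++ {
			if auth[m] && !auth[m|1<<i] {
				return false
			}
		}
	}
	return true
}

func main() {
	// Constructed attribute names; the paper's configuration files are not shown.
	universe := []string{"unit:faculty", "group:lab-a", "group:visitors", "uid:alice"}
	broad := Or{Attr("unit:faculty"), Attr("group:lab-a")}
	narrowed := Revoke(Attr("unit:faculty"), "group:visitors", "uid:alice")
	fmt.Println("broad policy monotone:   ", IsMonotone(broad, universe))
	fmt.Println("narrowed policy monotone:", IsMonotone(narrowed, universe))
	fmt.Println("faculty member:                  ", narrowed.Eval(Set("unit:faculty")))
	fmt.Println("faculty member in visitors group:", narrowed.Eval(Set("unit:faculty", "group:visitors")))
	fmt.Println("revoked faculty member:          ", narrowed.Eval(Set("unit:faculty", "uid:alice")))
}
```

This only models the access structure. In CP-ABBE the check is performed by the decryption algorithm against the ciphertext, so excluding a sub-unit or a user from content that is already published still requires re-encrypting under the narrowed policy, as the text above says; only content published after the change is protected by the new policy alone.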
To begin with, we describe the hardware and software platforms we used to run the benchmarking experiments, as well as the prototype implementation of the Lubicz-Sirvent CP-ABBE cryptosystem.

Hardware Setup
The experiments were run on a Lenovo X1 Carbon notebook with the following specifications:
• CPU: Intel Core i7-5600U @ 2.60GHz
• CPU cache: 32 KB (L1i/d), 256 KB (L2), 4096 KB (L3)
• CPU cores: 4
• RAM: 7.7 GiB
The following NDN tools and their corresponding versions have been used for running the experiments:
• NFD 0.7.0-36-gbc0e617e
• ndn-tools 0.7-15-g3527558

The NDN network contained one single NFD node, with ndnputchunks acting as publisher and ndncatchunks acting as consumer. The experiments were run by a Python 3 interpreter on the Debian Linux 10 (Buster) operating system. The Lubicz-Sirvent cryptosystem was implemented in C++ and uses the libpari library for algebraic computations.

The prototype implementation is a toolset that consists of:
• the elliptic curve calculator — a tool that generates pairing-friendly curves from the Barreto-Naehrig family with 128-bit security level.
• the key generation tool — a tool that, given a JSON-formatted configuration file, generates the master public key, the master secret key, as well as private keys for the users. The tool dumps the generated keys in JSON format into a file specified by the user on the command line.
• the encryption tool — a tool that, given a JSON-formatted configuration file and a JSON-formatted file containing keys, generates a session key and wraps it in an ABBE header, which is dumped into a JSON header file supplied by the user on the command line. The access structure for this encryption is described in the JSON configuration file.
• the decryption tool — a tool that takes the JSON configuration file, the JSON keys file and the JSON header file, decrypts the ABBE header with the given user's private key and displays the session key if the user is a valid recipient of the encryption, or notifies the user that he is not an intended recipient otherwise.

In this section, we report on the benchmarking results of the Lubicz-Sirvent CP-ABBE scheme coupled with sharing files over NDN.

Experiment 1
First, we measure the time it takes to generate the master public key (MPK) and master secret key (MSK), together with the private keys of a varying number of users. The number of users is varied starting from 1, 2, 5, 10, then from 10 to 100, increasing in steps of 10. Every user is assigned 3 attributes, uniformly selected at random from a pool of 50 attributes.

The Python script that runs the tests performs the following actions:
1. Fills in the template of the JSON-formatted configuration file that contains the description of the Barreto-Naehrig elliptic curve with 128-bit security level, and populates this template with descriptions of 1, 2, 5, 10, 20, ..., 100 users, each having 3 attributes randomly selected from a pool of 50 attributes. A separate configuration file is created for every number of users.
2. Runs the key generation tool with each of the configuration files generated in the previous step, and measures the time it takes for the ABBE implementation to complete this task.
Only the time of the last step is measured; the time it takes to generate the configuration files is not included in this report. The results are given in Table 1.
Experiment 2

In this experiment, we measure the time it takes to generate the MPK and MSK, together with the private key of a single user with a varying number of attributes. First, we consider the case of 2, 5, 10, 20, 30, 50 uniformly randomly selected attributes, and afterwards increase the number of attributes in the range 100 to 1000 in steps of 50.

Similarly to the previous experiment, the Python script performs the following actions:
1. Fills in the template of the JSON-formatted configuration file that contains the description of the Barreto-Naehrig elliptic curve with 128-bit security level, and populates this template with the description of a single user having the given number of attributes. A separate configuration file is created for every number of attributes under consideration.
2. Runs the key generation tool with each of the configuration files generated in the previous step, and measures the time it takes for the ABBE implementation to complete this task.
Only the time of the last step is measured; the time it takes to generate the configuration files is not included in this report. The results are given in Table 2.
Table 1: MPK and MSK generation time, fixed number of attributes
Number of users | Generation time (s)
1 | 0.24
2 | 0.39
(rows for 5 to 100 users lost in extraction)

Experiment 3

In the third experiment, we measure the time it takes for a varying number of users to download files of varying sizes over NDN. We consider 1, 2, 5, and 10 users, and files of 50 MiB, 100 MiB, and 500 MiB. Users download a file in parallel; the time is measured for every user individually, as well as the worst time among all of them.

To run the experiment, files of 50 MiB, 100 MiB, and 500 MiB are first generated by the Linux dd command using the /dev/urandom device as the source. Prior to the commencement of the experiment, the following files are published in NDN using the ndnputchunks tool from ndn-tools:
1. /data/file50M.bin — 50 MiB file
2. /data/file100M.bin — 100 MiB file
3. /data/file500M.bin — 500 MiB file

For each of the 1, 2, 5, and 10 user groups, the Python script runs the same number of threads, one thread per user, i.e. to simulate the actions of 10 users, 10 threads are launched. Each thread retrieves all the published files using the ndncatchunks tool, dumping the contents of every file under consideration to the filesystem. We measure the time it takes to download the file and get its contents. The results are given in Table 3.
Table 2: MSK and MPK generation time, varying number of attributes
Number of attributes | Generation time (s)
2 | 0.13
(rows for 5 to 1000 attributes lost in extraction)

Table 3: NDN unencrypted file download performance
File size (MiB) | Number of users | Download time per user (s), users 1 to 10 | Worst time (s)
(rows for 50, 100 and 500 MiB with 1, 2, 5 and 10 users; cell values lost in extraction)

Experiment 4

This experiment measures the time it takes for 1, 2, 5, and 10 users to simultaneously download encrypted files of 50, 100, and 500 MiB over NDN, decrypt the ABBE header, and obtain the symmetric key. As in the previous experiment, the plaintext files are generated by the Linux dd command using the /dev/urandom device as the source. An encryption Python script is then launched which, for every file under consideration, executes the following actions:
1. Launches the CP-ABBE key generation tool to generate a new set of keys.
2. Launches the CP-ABBE encryption tool to get an ABBE header, which is stored as the header.json file.
3. Extracts the session key from the output of the CP-ABBE encryption tool and encrypts all the files using AES with the session key.
The script produces 3 encrypted files: file50M.aes, file100M.aes, and file500M.aes. Prior to the commencement of the experiment, the following files are published in NDN using the ndnputchunks tool from ndn-tools:
1. /headers/header.json — the header file produced by CP-ABBE
2. /data/file50M.aes — AES-encrypted 50 MiB file
3. /data/file100M.aes — AES-encrypted 100 MiB file
4. /data/file500M.aes — AES-encrypted 500 MiB file

For each of the 1, 2, 5, and 10 user groups, the Python script runs the same number of threads, one thread per user. For each file, each thread performs the following actions:
1. Uses the ndncatchunks tool to retrieve header.json and the encrypted file over NDN.
2. Launches the CP-ABBE decryption tool to decrypt the ABBE header and obtain the AES key.
3. Decrypts the encrypted file with the AES key.
We measure the time it takes for every thread to download all the relevant files and to decrypt them. The results are given in Table 4.
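To make the producer and consumer sides of this pipeline concrete, here is an added Go example; it is not the paper's Python scripts or C++ tools. It reproduces the data flow of the toolset described above: a fresh session key, a JSON header carrying the wrapped key (the role of header.json), and the payload encrypted under the session key; the consumer recovers the key from the header if it is a recipient and otherwise gets the "not an intended recipient" outcome. Two things are assumptions made so the example runs without the CP-ABBE tool: the header wraps the session key per recipient under a long-term symmetric key instead of once under a CP-ABBE policy (so the policy string is informational only), and the payload is encrypted with AES-256-GCM with the header bytes as associated data, which the text's "AES with the session key" does not specify. The recipient ids and keys are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Header stands in for header.json: the policy plus the wrapped session key.
// Assumption: the key is wrapped per recipient under a long-term symmetric key
// rather than under a CP-ABBE policy, so Policy is descriptive only.
type Header struct {
	Policy  string            `json:"policy"`
	Wrapped map[string][]byte `json:"wrapped"` // recipient id -> nonce || AES-GCM(session key)
}

var ErrNotRecipient = errors.New("not an intended recipient of this header")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext; aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM rejects short, forged or mismatched-AAD input with an error.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Publish is the producer side: fresh session key, header carrying the wrapped
// key, payload encrypted under the session key with the header bytes as AAD.
func Publish(policy string, recipientKeys map[string][]byte, plaintext []byte) ([]byte, []byte, error) {
	session := make([]byte, 32) // AES-256 session key
	if _, err := io.ReadFull(rand.Reader, session); err != nil {
		return nil, nil, err
	}
	h := Header{Policy: policy, Wrapped: map[string][]byte{}}
	for id, k := range recipientKeys {
		w, err := sealGCM(k, session, []byte(id))
		if err != nil {
			return nil, nil, err
		}
		h.Wrapped[id] = w
	}
	headerJSON, err := json.Marshal(h)
	if err != nil {
		return nil, nil, err
	}
	payload, err := sealGCM(session, plaintext, headerJSON)
	return headerJSON, payload, err
}

// Consume is the consumer side: unwrap the session key, then open the payload
// with the exact header bytes that were fetched, so an edited header fails.
func Consume(id string, key, headerJSON, payload []byte) ([]byte, error) {
	var h Header
	if err := json.Unmarshal(headerJSON, &h); err != nil {
		return nil, err
	}
	session, err := openGCM(key, h.Wrapped[id], []byte(id))
	if err != nil {
		return nil, ErrNotRecipient // no entry for id, or wrong key: same outcome
	}
	return openGCM(session, payload, headerJSON)
}

func main() {
	keys := map[string][]byte{"alice": bytes.Repeat([]byte{0x11}, 32)} // constructed demo key
	hdr, ct, err := Publish("unit:faculty AND NOT group:visitors", keys, []byte("file contents"))
	if err != nil {
		panic(err)
	}
	pt, err := Consume("alice", keys["alice"], hdr, ct)
	fmt.Printf("alice: %q err=%v\n", pt, err)
	_, err = Consume("bob", keys["alice"], hdr, ct)
	fmt.Println("bob:", err)
}
```

The AAD binding is the check worth keeping even with the real ABBE header: header.json and the .aes object are fetched as two separately named NDN objects, and without binding them at the application layer nothing guarantees that the header a consumer holds is the one the payload was encrypted under. An authenticated mode also rejects any modification of the payload during decryption rather than producing garbage, and the consumer returns the same error whether the header lacks an entry for the user or the unwrap fails, which matches the decryption tool's "not an intended recipient" behaviour described above.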
For the second case study we consider using CP-ABBE encryption in a chat running over NDN. CP-ABBE's flexible access policies facilitate the creation of virtual chatrooms: no separate chat instances are required if CP-ABBE handles the access permissions. Instead of keeping a chat instance per chatroom, it is possible to encrypt messages to a specific set of recipients using CP-ABBE and broadcast the AES-encrypted message, together with the ABBE-encrypted symmetric key (the ABBE header), to everyone. The chat client matches the user's private key against the published ABBE header. If the header's access policy permits the user to decrypt the message, the user is a valid recipient. In this case, the chat application will

Table 4: NDN encrypted file download and decryption performance
File size (MiB) | Number of users | Download and decryption time per user (s), users 1 to 10 | Worst time (s)
(rows for 50, 100 and 500 MiB with 1, 2, 5 and 10 users; cell values lost in extraction)
In this paper, we have demonstrated an application of ciphertext-policy attribute-based encryption taking the role of a flexible access policy moderator in secure group communication over NDN. We have applied a prototype implementation of the Lubicz-Sirvent CP-ABBE system to one of the case studies, secure data sharing over NDN, and reported on its performance characteristics. The results show that the key generation, encryption and decryption operations are manageable and that CP-ABBE can be used in practice. We have also analyzed the merits of CP-ABBE in the case of dynamic groups (use case 2) and conclude that CP-ABBE can be applied to this use case as well, offering advantages over conventional alternatives.
References

[1] E. G. AbdAllah, M. Zulkernine, and H. S. Hassanein. DACPI: A decentralized access control protocol for information centric networking. In , pages 1–6, May 2016.
[2] Muhammad Asim, Luan Ibraimi, and Milan Petkovic. Ciphertext-policy attribute-based broadcast encryption scheme. In Bart De Decker, Jorn Lapon, Vincent Naessens, and Andreas Uhl, editors, Communications and Multimedia Security, 12th IFIP TC 6 / TC 11 International Conference, CMS 2011, Ghent, Belgium, October 19-21, 2011. Proceedings, volume 7025 of Lecture Notes in Computer Science, pages 244–246. Springer, 2011.
[3] J. Bethencourt, A. Sahai, and B. Waters. Ciphertext-policy attribute-based encryption. In , pages 321–334, May 2007.
[4] Mauro Conti, Ankit Gangwal, Muhammad Hassan, Chhagan Lal, and Eleonora Losiouk. The road ahead for networking: A survey on ICN-IP coexistence solutions. IEEE Commun. Surv. Tutorials, 22(3):2104–2129, 2020.
[5] Keita Emura, Atsuko Miyaji, Akito Nomura, Kazumasa Omote, and Masakazu Soshi. A ciphertext-policy attribute-based encryption scheme with constant ciphertext length. In Feng Bao, Hui Li, and Guilin Wang, editors, Information Security Practice and Experience: 5th International Conference, ISPEC 2009, Xi'an, China, April 13-15, 2009, Proceedings, pages 13–23, Berlin, Heidelberg, 2009. Springer Berlin Heidelberg.
[6] Nikos Fotiou, Giannis F. Marias, and George C. Polyzos. Access control enforcement delegation for information-centric networking architectures. In Proceedings of the Second Edition of the ICN Workshop on Information-centric Networking, ICN '12, pages 85–90, New York, NY, USA, 2012. ACM.
[7] Nikos Fotiou and George C. Polyzos. Securing content sharing over ICN. In Proceedings of the 3rd ACM Conference on Information-Centric Networking, ACM-ICN '16, pages 176–185, New York, NY, USA, 2016. ACM.
[8] Cesar Ghali, Marc A. Schlosberg, Gene Tsudik, and Christopher A. Wood. Interest-based access control for content centric networks. In Proceedings of the 2nd ACM Conference on Information-Centric Networking, ACM-ICN '15, pages 147–156, New York, NY, USA, 2015. ACM.
[9] B. Hamdane and S. G. E. Fatmi. A credential and encryption based access control solution for named data networking. In , pages 1234–1237, May 2015.
[10] B. Hamdane, M. Msahli, A. Serhrouchni, and S. G. E. Fatmi. Data-based access control in named data networking. In , pages 531–536, Oct 2013.
[11] B. Hamdane, A. Serhrouchni, A. Fadlallah, and S. G. E. Fatmi. Named-data security scheme for named data networking. In , pages 1–6, Nov 2012.
[12] V. Hemanathan and N. Anusha. Role based content access control in NDN. Journal of Innovative Technology and Education, 2(1):65–73, 2015.
[13] Pascal Junod and Alexandre Karlov. An efficient public-key attribute-based broadcast encryption scheme allowing arbitrary access policies. In Ehab Al-Shaer, Hongxia Jin, and Marc Joye, editors, Proceedings of the 10th ACM Workshop on Digital Rights Management, Chicago, Illinois, USA, October 4, 2010, pages 13–24. ACM, 2010.
[14] J. Kurihara, E. Uzun, and C. A. Wood. An encryption-based access control framework for content-centric networking. In , pages 1–9, May 2015.
[15] Jun Kurihara, Kenji Yokota, and Atsushi Tagami. A consumer-driven access control approach to censorship circumvention in content-centric networking. In Proceedings of the 3rd ACM Conference on Information-Centric Networking, ACM-ICN '16, pages 186–194, New York, NY, USA, 2016. ACM.
[16] Long Li, Tianlong Gu, Liang Chang, Zhoubo Xu, Yining Liu, and Junyan Qian. A ciphertext-policy attribute-based encryption based on an ordered binary decision diagram. IEEE Access, 5:1137–1145, 2017.
[17] Qinyi Li and Fengli Zhang. A fully secure attribute based broadcast encryption scheme. I. J. Network Security, 17(3):255–263, 2015.
[18] David Lubicz and Thomas Sirvent. Attribute-based broadcast encryption scheme made efficient. In Serge Vaudenay, editor, Progress in Cryptology – AFRICACRYPT 2008: First International Conference on Cryptology in Africa, Casablanca, Morocco, June 11-14, 2008. Proceedings, pages 325–342, Berlin, Heidelberg, 2008. Springer Berlin Heidelberg.
[19] E. Mannes, C. Maziero, L. Lassance, and F. Borges. Optimized access control enforcement over encrypted content in information-centric networks. In , pages 924–929, July 2015.
[20] Satyajayant Misra, Reza Tourani, and Nahid Ebrahimi Majd. Secure content delivery in information-centric networks: Design, implementation, and analyses. In Proceedings of the 3rd ACM SIGCOMM Workshop on Information-centric Networking, ICN '13, pages 73–78, New York, NY, USA, 2013. ACM.
[21] Satyajayant Misra, Reza Tourani, F. Natividad, Travis Mick, Nahid Ebrahimi Majd, and Hong Huang. AccConf: An access control framework for leveraging in-network cached data in ICNs. CoRR, abs/1603.03501, 2016.
[22] S. Roy and M. Chuah. Secure data retrieval based on ciphertext policy attribute-based encryption (CP-ABE) system for the DTNs.
[23] Wentao Shang, Yingdi Yu, Teng Liang, Beichuan Zhang, and Lixia Zhang. NDN-ACE: Access control for constrained environments over named data networking. Technical report, 2015.
[24] C. A. Wood and E. Uzun. Flexible end-to-end content security in CCN. In , pages 858–865, Jan 2014.
[25] G. Xylomenos, C. N. Ververidis, V. A. Siris, N. Fotiou, C. Tsilopoulos, X. Vasilakos, K. V. Katsaros, and G. C. Polyzos. A survey of information-centric networking research. IEEE Communications Surveys Tutorials, 16(2):1024–1049, Second 2014.
[26] Shota Yamada, Nuttapong Attrapadung, Goichiro Hanaoka, and Noboru Kunihiro. A framework and compact constructions for non-monotonic attribute-based encryption. In Hugo Krawczyk, editor, Public-Key Cryptography – PKC 2014: 17th International Conference on Practice and Theory in Public-Key Cryptography, Buenos Aires, Argentina, March 26-28, 2014. Proceedings, pages 275–292, Berlin, Heidelberg, 2014. Springer Berlin Heidelberg.
[27] Yingdi Yu. Public key management in named data networking. Technical report, NDN, 2015.
[28] Yingdi Yu. Usable Security For Named Data Networking. PhD thesis, University of California, Los Angeles, 2016.
[29] Yingdi Yu, Alexander Afanasyev, David Clark, kc claffy, Van Jacobson, and Lixia Zhang. Schematizing trust in named data networking. In Proceedings of the 2nd ACM Conference on Information-Centric Networking, ACM-ICN '15, pages 177–186, New York, NY, USA, 2015. ACM.
[30] Yingdi Yu, Alexander Afanasyev, and Lixia Zhang. Name-based access control. Technical Report NDN-0034, NDN, 2016.
[31] Yingdi Yu, Alexander Afanasyev, Zhenkai Zhu, and Lixia Zhang. An endorsement-based key management system for decentralized NDN chat application. Technical Report NDN-0023, NDN, July 2014.
[32] Leyou Zhang and Hongjian Yin. Recipient anonymous ciphertext-policy attribute-based broadcast encryption. I. J. Network Security, 20(1):168–176, 2018.
[33] Lixia Zhang, Alexander Afanasyev, Jeffrey Burke, Van Jacobson, K. C. Claffy, Patrick Crowley, Christos Papadopoulos, Lan Wang, and Beichuan Zhang. Named data networking, volume 44, pages 66–73. Association for Computing Machinery, 3 edition, 2014.
[34] X. Zhang, K. Chang, H. Xiong, Y. Wen, G. Shi, and G. Wang. Towards name-based trust and security for content-centric network. In , pages 1–6, Oct 2011.
[35] Zhiyi Zhang, Yingdi Yu, Alexander Afanasyev, Jeff Burke, and Lixia Zhang. NAC: Name-based access control in named data networking. In Proceedings of the 4th ACM Conference on Information-Centric Networking, ICN '17, pages 186–187, New York, NY, USA, 2017. ACM.
[36] Zhibin Zhou and Dijiang Huang. On efficient ciphertext-policy attribute based encryption and broadcast encryption: Extended abstract. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, pages 753–755, New York, NY, USA, 2010. ACM.
[37] Zhenkai Zhu and Alexander Afanasyev. Let's ChronoSync: Decentralized dataset state synchronization in named data networking. In 2013 21st IEEE International Conference on Network Protocols, ICNP 2013, Göttingen, Germany, October 7-10, 2013