Christopher A. Wood

Flexible end-to-end content security in CCN

Content-centric networking (CCN) project, a flavor of information-centric networking (ICN), decouples data from its source by shifting the emphasis from hosts and interfaces to information. As a result, content becomes directly accessible and routable within the network. In this data-centric paradigm, techniques for maintaining content confidentiality and privacy typically rely on cryptographic techniques similar to those used in modern digital rights management (DRM) applications, which often require multiple consumer-to-producer (end-to-end) messages to be transmitted to establish identities, acquire licenses, and access encrypted content. In this paper, we present a secure content distribution architecture for CCN that is based on proxy re-encryption. Our design provides strong end-to-end content security and reduces the number of protocol messages required for user authentication and key retrieval. Unlike widely-deployed solutions, our solution is also capable of utilizing the opportunistic in-network caches in CCN. We also experimentally compare two proxy re-encryption schemes that can be used to implement the architecture, and describe the proof of concept application we developed over CCNx.

An encryption-based access control framework for content-centric networking

This paper proposes a comprehensive encryption-based access control framework for content centric networking (CCN), called CCN-AC. This framework is both flexible and extensible, enabling the specification, implementation, and enforcement of a variety of access control policies for sensitive content in the network. The design of CCN-AC heavily relies on the concept of secure content object manifests and leverages them to decouple encrypted content from access policy and specifications for minimum communication overhead and maximum utilization of in-network caches. To demonstrate the flexibility of framework, we also describe how to implement two sample access control schemes, group-based access control and broadcast access control, within CCN-AC framework.

Client/server data serving for high-performance computing

This paper will attempt to examine the industry requirements for shared network data storage and sustained highspeed (tens to thousands of megabytes per second) network data serving via the NFS and FTP protocol suite. It will discuss the current structural and architectural impediments to achieving these sorts of data rates cost-effectively on many general-purpose servers, and will describe an architecture and resulting product family that addresses these problems. We will show the sustained-performance levels that were achieved in the lab and discuss early customer experiences utilizing both the HIPPI-IP and ATM OC3-IP network interfaces.

Secure Fragmentation for Content Centric Networking

Content-Centric Networking (CCN) is a communication paradigm that emphasizes content distribution. Named-Data Networking (NDN) is an instantiation of CCN, a candidate Future Internet Architecture. NDN supports human-readable content naming and router-based content caching which lends itself to efficient, secure, and scalable content distribution. Because of NDNs fundamental requirement that each content object must be signed by its producer, fragmentation has been considered incompatible with NDN since it precludes authentication of individual content fragments by routers. The alternative is to perform hop-by-hop reassembly, which incurs prohibitive delays. In this paper, we show that secure and efficient content fragmentation is both possible and even advantageous in NDN and similar content-centric network architectures that involve signed content. We design a concrete technique that facilitates efficient and secure content fragmentation in NDN, discuss its security guarantees and assess performance. We also describe a prototype implementation and compare performance of cut-through with hop-by-hop fragmentation and reassembly.

Secure off-path replication in content-centric networks

We present SCR, a secure content replication protocol for the Content-Centric Networking (CCN) architecture. The goal of SCR is to allow a data producer to cache protected content in off-path semi-trusted caches or replicas. In contrast to the standard “take what you want” model of CCN, SCR ensures that no unauthorized, off-path entity can obtain data from these replicas, even if the content is encrypted. SCR allows a producer to encrypt data under any viable access control scheme, such as group-based access backed by broadcast encryption, and delegate the delivery of said content to distributed replicas in the network. SCR is analogous to “blind caching” in IP-based networks, which aim to provide caching as a service in the presence of end-to-end encryption via TLS. We discuss the design details and security features, e.g., revocation, of SCR. We then compare SCR to the HTTP(S)-based blind caching model. We show that our scheme can outperform blind caching due to (1) less protocol complexity and message overhead, (2) faster session establishment, and (3) the ability to obtain data in parallel from multiple, independent replicas.