Faster Data Forwarding in Content-Centric Network via Overlaid Packet Authentication Architecture
Abstract
1. Introduction
Contribution and Organization of the Paper
2. Preliminaries
2.1. Basic Structure of CCN
2.1.1. Packet Structures
Interest Packet
Data Packet
2.1.2. CCN Forwarding Engine
2.1.3. Data Packet Authentication in (Naive) CCN
2.2. Requirements
2.2.1. Security Model
Distribute Poisoned Data
DDoS Attack
Cache Consumption Attack
2.2.2. Functional Requirements
Verification Independence
On-the-Fly Data Packet Generation
Non-Deniability (or Traceability)
Setup-Free Construction
3. Proposed Overlaid Authentication Mechanism
3.1. Basic Idea
3.2. Components
3.2.1. Signature Scheme for Content Publishers
- is the private signing key;
- is the corresponding public verification key;
- m is a message to be signed;
- is a signature generated by the signature scheme.
3.2.2. Signature Scheme for Forwarding Engine
3.2.3. Public Key Verification
3.3. Authenticated Data Generation and Verification
3.3.1. Publisher Side
- c-name is the content name of the file F;
- ;
- ;
- ;
- .
Algorithm 1 Authenticated Content Generation at Content Publisher (DPG)
Algorithm 2 Transmitting Authenticated Data Packets at Content Publisher
3.3.2. Consumer Side
- uid is the user’s ID;
- selector is a set of rules for obtaining the target file;
- nonce is a random nonce for uniquely identifying messages.
3.3.3. Forwarding Engine
Data Publisher → Forwarding Engine
Forwarding Engine → Forwarding Engine
Forwarding Engine → Data Requester
4. Security Analysis
- Type-0 forgery : Original data packet generated by publisher ;
- Type-1 forgery : Data packet for higher layer, which is re-generated by forwarding engine .
- Signing Queries. At the beginning of the simulation, guesses a publisher who will be attacked by the adversary . For a publisher , chooses a signature scheme and sets as the signing/verification key pair for the scheme, and maintains the list of i, , and . When asks for a signature of on M, responds to the query by generating a valid signature as . If the query is made for the target publisher on M, uses the signing oracle to obtain and gives it to . For each forwarding engine, chooses a signature scheme and the corresponding key pair. Let and be the signature scheme and key pair of the forwarding engine . also maintains the list of k, , and . For a signing query on M, generates a valid signature as ;
- Publisher Corrupt Queries. In the adversary model we assumed that a set of publishers can collude to break the proposed architecture, which implies that can ask for the private key of a publisher . Here we assume that the queried key already exists in ; the assumption is reasonable because can generate the publisher’s key information, as above, before responding to the corrupt query. For the corrupt query, retrieves i, , and from and gives to . If the queried publisher is , stops the simulation;
- Forwarding Engine Corrupt Queries. In this case it is assumed that can ask for the private key of a forwarding engine . For Type-0 forgery every forwarding engine key is generated by , so this query can always be answered: retrieves k, , and from and gives to .
- Signing Queries. For each publisher , chooses a signature scheme and the corresponding key pair. Let and be the signature scheme and key pair of the publisher . also maintains the list of i, , and . For a signing query on M, generates a valid signature as and gives it to . Differently from the simulation for Type-0 forgery, guesses a forwarding engine who will be attacked by the adversary . For a forwarding engine , chooses a signature scheme and sets as the signing/verification key pair for the scheme, and maintains the list of k, , and . When asks for a signature of on M, responds to the query by generating a valid signature as . If the query is made for the target forwarding engine on M, uses the signing oracle to obtain and gives it to ;
- Publisher Corrupt Queries. When asks for the private key of a publisher , retrieves i, , and from and gives to ;
- Forwarding Engine Corrupt Queries. When asks for the private key of a forwarding engine , retrieves k, , and from and gives to . If the queried forwarding engine is , stops the simulation.
5. Instantiation
5.1. Data Publisher
5.2. Data Consumer
5.2.1. Forwarding Engine
Data Publisher → Forwarding Engine
Forwarding Engine → Forwarding Engine
Forwarding Engine → Data Consumer
6. Comparisons
6.1. Requirement Comparison
6.2. Performance Analysis
7. Conclusions
Author Contributions
Funding
Conflicts of Interest
Appendix A
References
- [1] Jacobson, V.; Smetters, D.; Thornton, J.; Plass, M.; Briggs, N.; Braynard, R. Networking Named Content. In Proceedings of the 5th International Conference on Emerging Networking Experiments and Technologies (CoNEXT ’09), Rome, Italy, 1–4 December 2009.
- [2] Smetters, D.; Jacobson, V. Securing Network Content; PARC Technical Report; PARC: Palo Alto, CA, USA, 2009.
- [3] Named Data Networking (NDN) Project. Available online: https://named-data.net (accessed on 20 October 2020).
- [4] CCNx Project. Available online: http://github.com/ProjectCCNx/ccnx (accessed on 20 October 2020).
- [5] Merkle, R. A Digital Signature Based on a Conventional Encryption Function. In Advances in Cryptology (CRYPTO ’87), LNCS 293, Santa Barbara, CA, USA, 11–15 August 1987; pp. 369–378.
- [6] Merkle, R. A Certified Digital Signature. In Advances in Cryptology (CRYPTO ’89), LNCS 435, Santa Barbara, CA, USA, 23–27 August 1989; pp. 218–238.
- [7] Baugher, M.; Davie, B.; Narayanan, A.; Oran, D. Self-Verifying Names for Read-Only Named Data. In Proceedings of the IEEE INFOCOM 2012 Workshop on Emerging Design Choices in Named-Oriented Networking, Newark, NJ, USA, 30 March 2012; pp. 274–279.
- [8] Moiseenko, I. Fetching Content in Named Data Networking with Embedded Manifests. NDN Technical Report NDN-0025, 2014. Available online: https://named-data.net/wp-content/uploads/2014/09/ndn-tr-25-manifest-embedding.pdf (accessed on 20 October 2020).
- [9] Burke, J.; Horn, A.; Marianantoni, A. Authenticated Lighting Control Using Named Data Networking. NDN Technical Report NDN-011 Rev. 1, 2012. Available online: https://named-data.net/wp-content/uploads/TRlighting.pdf (accessed on 20 October 2020).
- [10] Burke, J.; Gasti, P.; Nathan, N.; Tsudik, G. Securing Instrumented Environments over Content-Centric Networking: The Case of Lighting Control and NDN. In Proceedings of the IEEE INFOCOM 2013 Workshop on Emerging Design Choices in Named-Oriented Networking, Turin, Italy, 14–19 April 2013; pp. 393–398.
- [11] Li, Q.; Zhang, X.; Zheng, Q.; Sandhu, R.; Fu, X. LIVE: Lightweight Integrity Verification and Content Access Control for Named Data Networking. IEEE Trans. Inf. Forensics Secur. 2015, 10, 308–320.
- [12] Refaei, T.; Horvath, M.; Schumaker, M.; Hager, C. Data Authentication for NDN Using Hash Chains. In Proceedings of the IEEE Symposium on Computers and Communication (ISCC), Messina, Italy, 27–30 June 2016; pp. 982–987.
- [13] Seo, S.C.; Youn, T. TIM: A Trapdoor Hash Function-Based Authentication Mechanism for Streaming Authentication. KSII Trans. Internet Inf. Syst. 2018, 12, 2922–2945.
- [14] Seo, S.C.; Youn, T. TLDA: An Efficient Two-Layered Data Authentication Mechanism for Content-Centric Networking. Secur. Commun. Netw. 2018, 2018, 5429798.
- [15] Zhang, Z.; Yu, Y.; Zhang, H.; Newberry, E.; Mastorakis, S.; Li, Y.; Afanasyev, A.; Zhang, L. An Overview of Security Support in Named Data Networking. NDN Technical Report NDN-0057. Available online: http://named-data.net/techreports.html (accessed on 20 October 2020).
- [16] Gasti, P.; Tsudik, G.; Uzun, E.; Zhang, L. DoS and DDoS in Named Data Networking. In Proceedings of the 22nd International Conference on Computer Communications and Networks (ICCCN), Nassau, Bahamas, 30 July–2 August 2013; pp. 1–7.
- [17] Mastorakis, S.; Afanasyev, A.; Zhang, L. On the Evolution of ndnSIM: An Open-Source Simulator for NDN Experimentation. ACM SIGCOMM Comput. Commun. Rev. 2017, 47, 19–33.
- [18] OCSP Response Time. Available online: https://www.digicert.com/blog/ocsp-times-and-what-they-mean-for-you/ (accessed on 20 October 2020).
- [19] Qamar, A.; Karim, A.; Chang, V. Mobile Malware Attacks: Review, Taxonomy and Future Directions. Future Gener. Comput. Syst. 2019, 97, 887–909.
- [20] Sun, J.; Zhang, Y.; Liao, D.; Sun, G.; Chang, V. AI-Based Survivable Design for Hybrid Virtual Networks for Single Regional Failures in Cloud Data Centers. Clust. Comput. 2019, 22, 12009–12019.
Requirement comparison (O: requirement satisfied; X: not satisfied; OTS: one-time signature; MHT: Merkle hash tree; THF: trapdoor hash function).

| Scheme | Verification Independence | On-the-Fly Generation | Non-Deniability | Setup Freeness | Used Technique | Verification Cost for Forwarding Engines |
|---|---|---|---|---|---|---|
| Naive CCN | O | O | O | O | Per-Packet Signing | + |
| LIVE [11] | O | X | X | X | OTS | + |
| [9,10] | O | O | X | X | HMAC | Cannot Support |
| CCNx [1,2,3] | O | X | O | O | MHT | ++ |
| TIM [13] | O | X | O | O | THF, MHT | +++ |
| TLDA [14] | X | X | O | O | MHT | Cannot Support |
| This work | O | O | O | O | Overlaid Signing | ++ |
Per-packet processing time at a forwarding engine.

| Method | Time (s) | Operations |
|---|---|---|
| Naive CCN with RSA-PSS | 0.100146 | Verify certificate and RSA-PSS |
| Naive CCN with DSA | 0.102420 | Verify certificate and DSA |
| Naive CCN with ECDSA | 0.100741 | Verify certificate and ECDSA |
| with RSA-PSS (This work) | 0.105048 | Verify certificate and generate RSA-PSS |
| with DSA (This work) | 0.104390 | Verify certificate and generate RSA-PSS |
| with ECDSA (This work) | 0.101094 | Verify certificate and generate RSA-PSS |
| with RSA-PSS (This work) | 0.000146 | Verify RSA-PSS |
| with DSA (This work) | 0.002420 | Verify RSA-PSS |
| with ECDSA (This work) | 0.000741 | Verify RSA-PSS |
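The forwarding flow of Section 3.3.3, with the per-hop operations the table above charges to each engine, as an added example that is not the paper's code or its instantiation. The first-hop forwarding engine performs the expensive check (certificate lookup plus the publisher's signature) once and overlays its own signature; every later engine verifies only that overlay, while the consumer still verifies the publisher's signature on its own. Textbook hash-then-RSA over fixed Mersenne primes stands in for the signature schemes so the example runs offline (it is not a secure signature), a dictionary lookup stands in for the certificate/OCSP check, and the packet layout, identifiers and key sizes are assumptions.

```python
"""Toy model of overlaid packet authentication (added example, not the paper's code).
Insecure textbook RSA over fixed Mersenne primes; directory lookups stand in for
certificate validation. Layout, names and key sizes are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

E = 65537


@dataclass(frozen=True)
class RSAKey:
    n: int
    e: int
    d: int = 0  # 0 for a public-only copy


def make_key(p: int, q: int) -> RSAKey:
    """Deterministic toy key pair from two known primes (assumption: Mersenne primes)."""
    return RSAKey(p * q, E, pow(E, -1, (p - 1) * (q - 1)))


def public(key: RSAKey) -> RSAKey:
    return RSAKey(key.n, key.e)


def _digest(msg: bytes, n: int) -> int:
    # Hash-then-reduce stands in for RSA-PSS/DSA/ECDSA from the table above.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(key: RSAKey, msg: bytes) -> int:
    return pow(_digest(msg, key.n), key.d, key.n)


def verify(key: RSAKey, msg: bytes, sig: int) -> bool:
    return pow(sig, key.e, key.n) == _digest(msg, key.n)


@dataclass
class DataPacket:
    name: str                                  # content name (c-name)
    payload: bytes
    publisher: str                             # identity used for the certificate lookup
    pub_sig: int                               # publisher's per-packet signature
    overlay: Optional[Tuple[str, int]] = None  # (fe_id, fe_sig) set by the first hop

    def publisher_view(self) -> bytes:
        return self.name.encode() + b"\x00" + self.payload

    def overlay_view(self) -> bytes:
        # The engine signs over the publisher's signature as well, so the original
        # signature stays bound to the packet and the vouching engine is traceable.
        return (self.publisher_view() + b"\x00" + self.publisher.encode()
                + b"\x00" + f"{self.pub_sig:x}".encode())


# Constructed key material and a stand-in "PKI" (assumptions, not the paper's setup).
PUBLISHER_KEY = make_key((1 << 61) - 1, (1 << 89) - 1)
FE_KEYS = {"fe-1": make_key((1 << 107) - 1, (1 << 127) - 1),
           "fe-2": make_key((1 << 521) - 1, (1 << 607) - 1)}
CERT_DIRECTORY: Dict[str, RSAKey] = {"publisher-A": public(PUBLISHER_KEY)}
REVOKED: Set[str] = set()
FE_DIRECTORY: Dict[str, RSAKey] = {k: public(v) for k, v in FE_KEYS.items()}


def publish(name: str, payload: bytes, publisher: str, key: RSAKey) -> DataPacket:
    pkt = DataPacket(name, payload, publisher, 0)
    pkt.pub_sig = sign(key, pkt.publisher_view())
    return pkt


def first_hop_fe(pkt: DataPacket, fe_id: str) -> Optional[DataPacket]:
    """Publisher -> FE: certificate check plus publisher signature, then overlay."""
    pub_key = CERT_DIRECTORY.get(pkt.publisher)
    if pub_key is None or pkt.publisher in REVOKED:
        return None  # unknown or revoked publisher: drop
    if not verify(pub_key, pkt.publisher_view(), pkt.pub_sig):
        return None  # poisoned data is stopped at the first hop
    pkt.overlay = (fe_id, sign(FE_KEYS[fe_id], pkt.overlay_view()))
    return pkt


def intermediate_fe(pkt: DataPacket) -> bool:
    """FE -> FE: verify the overlay signature only; no certificate lookup."""
    if pkt.overlay is None:
        return False
    fe_id, fe_sig = pkt.overlay
    fe_key = FE_DIRECTORY.get(fe_id)
    return fe_key is not None and verify(fe_key, pkt.overlay_view(), fe_sig)


def consumer_verify(pkt: DataPacket) -> bool:
    """FE -> consumer: verify the publisher's own signature, independent of the overlay."""
    pub_key = CERT_DIRECTORY.get(pkt.publisher)
    return pub_key is not None and verify(pub_key, pkt.publisher_view(), pkt.pub_sig)


def trace_overlay(pkt: DataPacket) -> Optional[str]:
    """Which forwarding engine vouched for the packet (non-deniability)."""
    return pkt.overlay[0] if pkt.overlay and intermediate_fe(pkt) else None


if __name__ == "__main__":
    pkt = publish("/video/seg1", b"frame-bytes", "publisher-A", PUBLISHER_KEY)
    print("first hop:", first_hop_fe(pkt, "fe-1") is not None)
    print("next hop (overlay only):", intermediate_fe(pkt))
    print("consumer:", consumer_verify(pkt), "vouched by", trace_overlay(pkt))
```

The failure mode worth noting is a leaked forwarding-engine key: downstream engines accept a poisoned packet overlaid with it, which is exactly the Type-1 forgery of Section 4, but the consumer's independent check of the publisher signature still rejects it and the overlay names the engine that vouched for it.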
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Cite as: Youn, T.-Y.; Kim, J.; Mohaisen, D.; Seo, S.C. Faster Data Forwarding in Content-Centric Network via Overlaid Packet Authentication Architecture. Sustainability 2020, 12, 8746. https://doi.org/10.3390/su12208746