Secure Content Delivery in Information-Centric Networks: Design, Implementation, and Analysis
Satyajayant Misra, Reza Tourani, Nahid Ebrahimi Majd
Presenter: WANG YU, Katto Lab

Outline
• Introduction
• Related work
• Models and Assumptions
• Design of the framework
• Implementation results in CCNx
• Conclusion

Introduction
• This paper explores the design of a framework for highly available and efficient secure content delivery in ICN (information-centric network).
• Motivation:
a) Today, a Content Provider (CP) uses a Content Delivery Network (CDN) to balance the load, reduce data latency, and reduce redundant traffic.
b) But CDN nodes are at the edge of ISPs, which results in explosive growth in repeated data requests.
c) ICN solves the problem by allowing data to be stored anywhere, which reduces the network traffic load.
d) The important question is how to ensure high availability of the cached data to only legitimate users.

Introduction (Cont.)
• Problem
A user has to authenticate itself to the server. Upon authentication, it connects to a CDN node and obtains the content. However, if the server is down, the user cannot be authenticated. In this scenario, data is available in routers close to the users, but legitimate users are unable to authenticate themselves and access the data securely.
Figure 1
So, the proposed framework is applicable to all scenarios where server-based authentication is unavailable or difficult.

Related work
• In CCN, content is split into packets/chunks, and each user sends an interest containing the name of the chunk into the network. Any node on the path that holds the requested chunk can satisfy the interest. Every intermediate node has the chance to cache the chunks.
• It is composed of three main components: the Forwarding Information Base (FIB), the Pending Interest Table (PIT), and the Content Store (CS).
• The framework uses the public key-based, t-resilient traitor-tracing algorithm proposed by Tzeng (broadcast encryption), which uses Shamir's secret sharing algorithm as a building block.

Shamir's secret sharing algorithm (additional knowledge)
Divide secret S into n pieces of data D1, D2, ..., Dn, in such a way that:
1. Knowledge of any t or more Di pieces makes S easily computable.
2. Knowledge of any t-1 or fewer Di pieces leaves S completely undetermined.
This scheme is called a (t, n) threshold scheme. If t = n, then all pieces are required to reconstruct the secret.
Example:
• Suppose our secret is 1234 (S = 1234).
• We wish to divide the secret into 6 parts (n = 6), where any subset of 3 parts (t = 3) is sufficient to reconstruct the secret. At random we obtain two (t-1) numbers: 166 and 96. (a1=166; a2=94)
• Our polynomial to produce secret shares (points) is therefore:
• We construct 6 points from the polynomial:
• To reconstruct the secret S, any 3 points will be enough, using Lagrange basis polynomials.

Models and Assumptions
• System Model
Hierarchical set-up as shown in Figure 1 (CP->CDN->ISP->end users); content can be cached at any node on the path. n is the number of users in the system, and t (<<n) is the revocation threshold, as explained under Shamir's secret sharing.
• Set-up and Security Assumptions
Content is encrypted by the content provider, either at the servers or in the CDN, using a symmetric key encryption algorithm. Only a legitimate user can obtain the symmetric key to decrypt the content.

Models and Assumptions
• Threat Model
The use of sequence numbers in the interest and data packets, and caching at the edge routers, can help neutralize replay attacks. Interest packets make it difficult to mount DoS attacks on the system.

Design of the Framework
• Overview of the Framework (3 steps)
At the server:
1. First, it generates a polynomial of degree t and evaluates n+t (>>t) points on it. It distributes n of the evaluated points among the clients (one per client) and keeps t of them as its own shares.
2. Then it generates an enabling block, which contains the secret symmetric key (r) and is used by the client in the last component for the secret extraction. (The enabling block is forwarded to all the routers with contents cached, as part of the content.)
At the client:
3. A legitimate client extracts the embedded secret key from the enabling block that is downloaded along with the content, by using its share.

Design of the Framework
• Basic Protocols: 1. Polynomial and shares generation
n is the number of users, and the maximum number of allowed revoked users is t. The server calculates random coefficients a0, ..., at of a t-degree polynomial pt(x). Then it calculates each user uj's share/tuple Tj = <xj, f(xj)>, where xj is generated randomly and f(xj) is calculated. In addition, the server calculates t tuples that it stores as the server share E. Then the server transmits Tj = <xj, f(xj)> to the user uj using uj's public key, the signature, and the timeout, so that uj can correctly extract the secret key and then decrypt the content.

Design of the Framework
• Basic Protocols: 2. Generation and encryption of enabling block
The server encrypts the content using a symmetric key algorithm and a secret key r. A bigger key, say 128-bit for AES, can be handled by splitting the key r = {r1|| ... ||rb|| ... ||rm}. An enabling block is an integral part of any Broadcast Encryption scheme. It contains information for a legitimate user to extract the secret key r and is delivered to the user along with the data packets. The user can decrypt using the enabling block and the Lagrangian interpolation method.
The original Lagrangian interpolation requires computation of t coefficients at the client, with a running time complexity of O(t^2). The authors devised a mechanism for pre-computing the Lagrangian coefficients at the server to reduce the complexity of the computation at the user to O(t).

Design of the Framework
• Basic Protocols: 3. Secret Extraction at the User
The user uj obtains the enabling block from a router in its neighborhood and verifies the source of the enabling block by verifying the signature. On successful verification, it computes the t complete Lagrangian coefficients (from the partials) using its share, and also the Lagrangian coefficient corresponding to its own share, resulting in a total of t + 1 coefficients. The user uj uses the computed Lagrangian coefficients to extract the secret key using the Lagrangian interpolation method.

Design of the Framework
• CCN/NDN Architecture Specific Details
1. User registration (format of the registration interest): /Netflix/Registration/Unique User ID
It contains the user's credentials, encrypted with the CP's public key and signed with the user's private key.
2. Chunk Creation: The enabling block and the content are both split into equal-sized chunks and given appropriate names to distinguish them.

Design of the Framework
• CCN/NDN Architecture Specific Details
3. Packet Naming
Naming rules: CP's name/kind (video or novel)/category/type data (enabling block or movie name)/version/chunk number

Design of the Framework
• CCN/NDN Architecture Specific Details
4. User Revocation
The user requests service cancellation using a revocation interest packet. The revocation interest is sent out to the CP in the same way as the registration request. After that, the CP regenerates the enabling blocks by replacing one of its t tuples in the server share; the updated enabling block has to be disseminated in the network.
This may be done in a proactive manner (immediately after a revocation), periodically (every week or month), or by a pull mechanism from the network (when the enabling block at routers times out, they seek new versions of the enabling block).

Design of the Framework
• Security Analysis
A set of colluding nodes can create a new share for a new malicious (illegitimate) node, which requires at least t+1 malicious nodes to collude. With t+1 being on the order of thousands, that is unlikely. To counter longstanding threats to content privacy, r can be renewed at regular intervals and the content re-encrypted.

Implementation Results in CCNx
• The framework is implemented in the CCNx-0.7 testbed. The multimedia content was hosted (ccnputfile) in the content store of the server. The rest of the nodes were clients, which sent out the interest to the server using ccnsimplecat.
• They implemented the Polynomial Generation protocol, the Enabling Block Generation and Encryption protocol, and the Secret Extraction protocol.

Implementation Results in CCNx
• Figure (a) shows the time taken by the server to generate a polynomial (pt(x)) of a certain degree, including generating its random coefficients ({a0, ..., at}), and then evaluating pt(x) at n+t points.
• The X-axis represents different values for t and the Y-axis represents the time in thousands of seconds.
• The polynomial generation procedure is the most time-consuming component of the framework.

Implementation Results in CCNx
• Figure (b) shows the size of the enabling block in the PSD (with pre-computation of t Lagrangian coefficients at the server) and SD (without pre-computation) cases.
• It is desirable to have a smaller enabling block size to reduce network overhead.
• But, referring to figure (3), PSD reduces the extraction time at the client significantly; PSD adds less than 0.3% overhead for a two-hour movie.

Implementation Results in CCNx
• Figure (c) presents a comparative analysis of the secret key extraction time in PSD and SD.

Conclusion
• In this paper, they present an efficient framework for secure and highly available content delivery in ICNs.
• They sketch the protocols and present the architecture details and experimental results demonstrating the framework's practicality.
• Future work: study in depth the application of the framework to other ICN architectures, and optimize and implement their protocols on smartphones and a larger testbed.