Secure Content Deliery in Information

advertisement
Secure Content Delivery in InformationCentric Networks: Design, Implementation,
and Analysis
Satysjayant Misra, Reza Tourani, Nahid Ebrahimi Majd
Presenter: WANG YU, Katto Lab
1
Outline
• Introduction
• Related work
• Models and Assumptions
• Design of the framework
• Implementation results in CCNx
• Conclusion
2
Introduction
• This paper explores the design of a framework for highly
available and efficient secure content delivery in ICN
(information centric network)
• Motivation:
a) Today, Content Provider (CP) uses Content Delivery Network(CDN) to
balance the load, reduce data latency and reduce redundant traffic.
b) But CDN nodes are at the edge of ISPs; Result in explosive growth in
repeated data request.
c) So ICN solves the problem by allowing data to be stored anywhere to reduce
their network traffic load
d) But, the important is, how do we ensure high availability of the cached data to
only legitimate users
3
Introduction (Cont.)
• Problem
A user has to authenticate itself to the server.
Upon authentication, it connects a CDN
node and obtains the content.
However, if the sever is down, the user
cannot be authenticated.
In this scenario, data is available in routers
close to the users, but legitimate users are
unable to authenticate themselves and access
the data securely.
Figure 1
So, the proposed framework is applicable to all scenarios where serverbased authentication is unavailable or difficult.
4
Related work
• In CCN, content is split into packets/chunks, and each user sends
interest containing the name of the chunk into the network. Any node
in the path contains the request chunk can satisfy the interest. Every
intermediate node has the chance to caching the chunks.
•
Composed of three main components: Forwarding Information Base
(FIB), the Pending Interest Table (PIT), and the Content Store (CS).
• IN the framework, it choose to use the public key-based traitortracing t-resilient algorithm proposed by Tzeng (Broadcast encryption),
which uses the Shamir’s secret sharing algorithm as a building block.
5
Shamir’s secret sharing algorithm
(additional knowledge)
Divide secret S into n pieces of data D1, D2,… Dn, in such a way that:
1. Knowledge of any t or more Di pieces makes S easily computable.
2. Knowledge of any t-1 or fewer pieces Di leaves completely undetermined.
This scheme is called ( t, n) threshold scheme. If t=n, then all pieces are required
to reconstruct the secret.
Example:
• Suppose our secret is 1234 (S=1234)
• We wish to divide the secret into 6 parts(n=6), where any subset of 3 parts (t=3)
is sufficient to reconstruct the secret. At random we obtain two (t-1)
numbers:166 and 96. (a1=166; a2=94)
• Our polynomial to produce secret shares(points) is therefore:
• We construct 6 points
from the polynomial:
• In order to reconstruct the secret S any 3 points will be enough through
Lagrange basis polynomials.
6
Models and Assumptions
• System Model
 Hierarchical set-up as shown in Figure 1 (CP->CDN->ISP->end users),
and it can be cached at any node in the path.
 n is the number of users in the system, t (<<n) is the revocation
threshold as we explained in shamir’s secret sharing
• Set-up and Security Assumptions
 Content is encrypted by the content provider, either at the servers or
in the CDN, using a symmetric key encryption algorithm
 Only a legitimate user can obtain the symmetric key to decrypt the
content.
7
Models and Assumptions
• Threat Model
 The use of the sequence numbers in the interest and data
packets, and caching at the edge routers can help neutralize
reply attacks.
 Interest packets make it difficult to mount DoS attacks on the
system.
8
Design of the Framework
• Overview of the Framework (3 steps)
 At the server:
1. First, it generates a polynomial of degree t and evaluates n+t (>>t) number of
points on it, and distributes n of the evaluated points among the clients (one per
client), and it keeps t of them as its own shares.
2. Then it generates a enabling block, which contains the secret symmetric key (r),
and is used by the client in the last component for the secret extraction. (the
enabling block is forwarded to all the routers with contents cached as part of
the content)
 At the client:
3. A legitimate client extracts the embedded secret key from the enabling block
that is downloaded along with the content, by using its share.
9
Design of the Framework
• Basic Protocols:
1. Polynomial and shares generation
n is the number of users, and the maximum number of allowed revoked
users is t. The server calculates random coefficients a0, . . . , at of a tdegree poly-nominal pt(x). Then it calculates each user uj ’s share/tuple Tj
=< xj , f(xj) >, where xj is generated randomly and f(xj) is calculated.
Besides, the server calculates t-tuples that it stores as the server share E.
Then the server transmits Tj =< xj , f(xj) > to the user uj using uj’s public
key, the signature, and the timeout so that uj can correctly extract the
secret key and them decrypt the content.
10
Design of the Framework
• Basic Protocols:
2. Generation and encryption of enabling block
The server encrypts the content using a symmetric key algorithm and a secret
key r. A bigger key say 128-bit for AES, can be handled by splitting the key r=
{r1|| . . . ||rb|| . . . ||rm}.
An enabling block is an integral part of any Broadcast Encryption scheme. It
contains information for a legitimate user to extract the secret key r and is
delivered to the user along with the data packets.
The user can decrypt using the enabling block and by the Lagrangian
interpolation method.
The original Lagrangian interpolation requires computations of t coefficients at
the client with running time complexity of O(t2), the author devised a
mechanism for pre-computing the Lagrangian coefficients at the server to
reduce the complexity of the coputation
at the user to O(t)
11
Design of the Framework
• Basic Protocols:
3. Secret Extraction at the User
The user uj obtains the enabling block from a router in it’s neighborhood, verifies
the source of the enabling block by verifying the signature.
On successful verification it computes the t complete Lagrangian coefficients
(from the partials) using its share and also the Lagrangian coefficient
corresponding to it’s own share, resulting in a total of t + 1 coefficients. The user
uj uses the computed Lagrangian coefficients to extract the secret key from
using the Lagrangian interpolation method.
12
Design of the Framework
• CCN/NDN Architecture Specific Details
1. User registration (Format of registration interest):
/Netflix/Registration/Unique User ID
It contains user’s credentials, encrypted with the CP’s public key and signed by
user’s private key
2. Chunk Creation:
The enabling block and the content are both split into equal sized chunks and
given appropriate names to distinguish them
13
Design of the Framework
• CCN/NDN Architecture Specific Details
3. Packet Naming:
Naming rules: CP’s name/kind(video or novel)/category/type
data(enabling block or movie name)/version/chunk number
14
of
Design of the Framework
• CCN/NDN Architecture Specific Details
4. User Revocation
The user requests service-cancellation using a revocation interest packet.
The revocation interest is sent out to the CP in the same way as the registration
request.
After that the CP regenerates the new enabling blocks by replacing one of its
t tuple in the server share, the updated enabling block has to be disseminated
in the network. This may be done in a proactive manner (immediately after a
revocation), periodically (every week or month), or by a pull-mechanism
from the network (when the enabling block at routers times out, they seek
new versions of the enabling)
15
Design of the Framework
• Security Analysis
 A set of colluding nodes can create a new share for a new malicious
(illegitimate) node, which requires at least t+1 malicious nodes to collude.
 With t+1 being the order of thousands that is unlikely.
 To counter longstanding threats of content privacy, r can be renewed at regular
intervals and content re-encrypted.
16
Implementation Results in CCNx
• The framework is implemented in the CCNx-0.7 testbed. The
multimedia content was hosted (ccnputfile) in the content store of the
server. The rest of the nodes were clients, which sent out the interest to
the server using ccnsimplecat
• They implemented the Polynomial Generation protocol, the Enabling
Blocking Generation and Encryption protocol, and the Secret
Extraction protocol.
17
Implementation Results in CCNx
• Figure (a) shows the time taken
by the server to generate a
polynomial (pt(x)) of a certain
degree, including generating its
random coefficients ({a0, . . . ,
at}), and then evaluating pt(x) at
n+t points.
• The X-axis represents different
values for t and the Y -axis
represents the time in
thousands of seconds.
• The polynomial generation
procedure is the most time
consuming component of the
framework.
18
Implementation Results in CCNx
• Figure (b) shows the size of the
enabling block in the PSD
(with pre-computation of t
Lagrangian coefficients at the
server) and SD(without precomputation) cases.
• It is desirable to have smaller
enabling block size to reduce
network overhead
• But refer to figure (3), PSD
reduce the extraction time at
the client significantly; PSD
adds less than 0.3% overhead
for a two-hour movie.
19
Implementation Results in CCNx
• Figure(c) presents a
comparative analysis of the
secret key extraction time in
PSD and SD.
20
Conclusion
• In this paper, they present an efficient framework for secure
and high availability content delivery in ICNs.
• They sketch the protocols, present the architecture details
and experimental results demonstrating the framework’s
practicality.
• In future, study in-depth application of the framework to
other ICN architectures and optimize and implement their
protocols on smartphones and a larger testbed.
21
Download