An Accountable Access Control Scheme for Hierarchical Content in Named Data Networks with Revocation

Abstract

This paper presents a novel encryption-based access control scheme to address the access control issues in Named Data Networking (NDN). Though there have been several recent works proposing access control schemes, they are not suitable for many large scale real-world applications where content is often organized in a hierarchical manner (such as movies in Netflix) for efficient service provision. This paper uses a cryptographic technique, referred to as Role-Based Encryption, to introduce inheritance property for achieving access control over hierarchical contents. The proposed scheme encrypts the hierarchical content in such a way that any consumer who pays a higher level of subscription and is able to access (decrypt) contents in the higher part of the hierarchy is also able to access (decrypt) the content in the lower part of the hierarchy using their decryption keys. Additionally, our scheme provides many essential features such as authentication of the consumers at the very beginning before forwarding their requests into the network, accountability of the Internet Service Provider, consumers’ privilege revocations, etc. In addition, we present a formal security analysis of the proposed scheme showing that the scheme is provably secure against Chosen Plaintext Attack. Moreover, we describe the performance analysis showing that our scheme achieves better results than existing schemes in terms of functionality, computation, storage, and communication overhead. Our network simulations show that the main delay in our scheme is due to cryptographic operations, which are more efficient and hence our scheme is better than the existing schemes.

Appendices

Appendix A Security Model

The security model of the proposed scheme is defined by the Semantic Security against Chosen Plaintext Attacks (IND-CPA) under Selective-ID model⁷. IND-CPA is illustrated using the following security game between a challenger \(\mathcal {C}\) and an adversary \(\mathcal {A}\).

• Init Adversary \(\mathcal {A}\) submits a challenged category \(r_i\) and identity \(\mathtt {ID_u}\) to the challenger \(\mathcal {C}\).

• Setup Challenger \(\mathcal {C}\) runs Content Provider Setup phase to generate system parameters and master secret. It also generates proxy re-encryption keys and a private key for the adversary \(\mathcal {A}\). Challenger \(\mathcal {C}\) sends the system parameters, proxy re-encryption keys and private key to the adversary \(\mathcal {A}\).

• Phase 1 Adversary \(\mathcal {A}\) sends an identity of a category \(r^*_x\notin \mathbb {A}_{r_i}\) and a validity period \(\mathtt {VP^*_{ID_u}}\). Challenger \(\mathcal {C}\) runs Consumer Registration phase and generates secret key \(\mathtt {SK^{r^*_x}_{ID_u}}\) and public key \(\mathtt {Pub^{r^*_x}_{ID_u}}\). Challenger \(\mathcal {C}\) sends these keys to the adversary \(\mathcal {A}\). Adversary \(\mathcal {A}\) can ask for the secret and public keys for polynomially many times.

• Challenge After the Phase 1 is over, the adversary \(\mathcal {A}\) sends two equal length messages \(\mathtt {K_0}\) and \(\mathtt {K_1}\) to the challenger \(\mathcal {C}\). The challenger \(\mathcal {C}\) flips a random coin \(\mu \in \{0, 1\}\) and encrypts \(\mathtt {K_\mu }\) by initiating Content Publication phase. Challenger \(\mathcal {C}\) sends the ciphertext of \(\mathtt {K_\mu }\) to the adversary \(\mathcal {A}\).

• Phase 2 Same as Phase 1.

• Guess Adversary \(\mathcal {A}\) outputs a guess \(\mu '\) of \(\mu \). The advantage of wining the game for the adversary \(\mathcal {A}\) is \(\mathtt {Adv^{IND-CPA}}= |Pr[\mu '= \mu ]- \frac{1}{2}|\).

Definition 1

The proposed scheme is semantically secure against Chosen Plaintext Attack if \(\mathtt {Adv^{IND-CPA}}\) is negligible for any polynomial time adversary \(\mathcal {A}\).

Remark 1

In Phase 1, the adversary \(\mathcal {A}\) is also allowed to send queries for re-encryption of the ciphertexts and signature generation. In our security game, the simulator \(\mathcal {B}\) gives all the proxy re-encryption keys to the adversary \(\mathcal {A}\) in the Setup phase. As such, the adversary \(\mathcal {A}\) can answer the re-encryption queries. Similarly, as the private key is also given to the adversary \(\mathcal {A}\), the adversary can also answer all the signature generation queries. Therefore, we do not include re-encryption and signature generation oracles in Phase 1. We observe that the adversary \(\mathcal {A}\) has at least the same capability as the NDN routers.

Appendix B Security Proof

Proof

In this proof, we construct a PPT simulator \(\mathcal {B}\) to break our proposed scheme with an advantage \(\frac{\epsilon }{2}\) with the help of an adversary \(\mathcal {A}\).

The DBDH challenger \(\mathcal {C}\) chooses random numbers \((a, b, c, z)\in \mathbb {Z}_q^*\) and computes \(A= g^a, B= g^b, C= g^c\). It flips a random coin \(l\in \{0, 1\}\). If \(l= 0\), the challenger \(\mathcal {C}\) computes \(Z\,=\, \hat{e}(g, g)^{abc}\); otherwise it computes \(Z\,=\, \hat{e}(g, g)^z\). The challenger \(\mathcal {C}\) sends the tuple \(\langle {g, A, B, C, Z}\rangle \) to a simulator \(\mathcal {B}\) and asks the simulator \(\mathcal {B}\) to output l. Now the simulator acts as the challenger in the rest of the security game.

Init– Adversary \(\mathcal {A}\) submits a challenged category \(r_i\) and identity \(\mathtt {ID_u}\) to the simulator \(\mathcal {B}\).

Setup– Simulator \(\mathcal {B}\) chooses random numbers \((x, \mathbbm {sk}, \varrho , \big \{[\mathbbm {sk_i}]_{\forall i\in \mathbb {U}_{_j}}, \mathbbm {t}_{r_j}\big \}_{\forall r_j\in \varPsi })\in \mathbb {Z}_q^*\). The simulator sets \(\eta = x- ab\cdot \mathbbm {sk}\) and computes the following parameters:

$$\begin{aligned} \hat{e}(g, g)^{ab}&\,=\,\hat{e}(A, B); \hat{e}(g, g)^{\eta }\,=\,\hat{e}(g, g)^x\cdot \hat{e}(A, B)^{-\mathbbm {sk}}; \Big \{\mathtt {PK_{r_j}}= C^{\prod _{\forall r_y\in \mathbb {A}_{r_j}\setminus \{r_r\}}\mathbbm {t}_{r_y}}\Big \}_{\forall r_j\in \mathbb {A}_{r_i}}\\\Big \{\mathtt {PK_{r_j}}&= g^{\prod _{\forall r_y\in \mathbb {A}_{r_j}\setminus \{r_r\}}\mathbbm {t}_{r_y}}\Big \}_{\forall r_j\in (\varPsi \setminus \mathbb {A}_{r_i})}; \Big \{\mathtt {PKey_{r_j}^{r_w}}= \prod _{\forall r_y\in \mathbb {A}_{r_j}\setminus \{r_w, r_r\}}\mathbbm {t}_{r_y}\Big \}_{\forall r_j\in \varPsi } \end{aligned}$$

Moreover, the simulator \(\mathcal {B}\) computes \(\Big \{\mathtt {Acc_{r_j}}\,=\, \hat{e}\left( H(r^*_x), g\right) ^{\prod _{\forall i\in \mathbb {U}_{r_j}} \mathbbm {sk_i}}\Big \}_{\forall r_j \in \mathbb {A}_{r_i}}\) and \(\Big \{\mathtt {Acc_{r_j}}\,=\, \hat{e}\left( H(r^*_x), g\right) ^{\mathbbm {sk}\prod _{\forall i\in \mathbb {U}_{r_j}} \mathbbm {sk_i}}\Big \}_{\forall r_j \in (\varPsi \setminus \mathbb {A}_{r_i})}\). Simulator \(\mathcal {B}\) sends the tuple \(\Big <q, \mathbb {G}, \mathbb {G}_T, \hat{e}, g, H, H_1, \hat{e}(g, g)^{ab}, \hat{e}(g, g)^{\eta }, \mathbb {PK}_{r_j}= \{\mathtt {PK_{r_j}}, \mathbb {A}_{r_j}, r_j\}_{\forall r_j\in \varPsi }\Big>\), proxy re-encryption keys \(\{\mathtt {PKey_{r_j}^{r_w}}\}_{\forall r_j\in \varPsi }\), and also \(\mathbbm {sk}\) (i.e., private key) to the adversary \(\mathcal {A}\). It keeps other parameters by itself.

Phase 1– Adversary \(\mathcal {A}\) submits a category \(r^*_x\) such that \(r^*_x\notin \mathbb {A}_{r_i}\) and validity period \(\mathtt {VP^*_{ID_u}}\) to the simulator \(\mathcal {B}\). The simulator \(\mathcal {B}\) computes a pair of secret keys \(\mathtt {RK^1_{ID_u, r^*_x}}, \mathtt {RK^2_{ID_u, r^*_x}}\), another pair of public keys \(\mathtt {Pub1^{r^*_x}_{ID_u}}, \mathtt {Pub2^{r^*_x}_{ID_u}}\) and a witness public key \(\mathtt {PubWit^{r^*_x}_{ID_u}}\), where

$$\begin{aligned} \mathtt {RK^1_{ID_u, r^*_x}}=&g^{\frac{ab\cdot \mathbbm {sk}+ \eta }{\mathbbm {t_{r^*_x}}}}= g^{\frac{x}{\mathbbm {t_{r^*_x}}}}; \mathtt {RK^2_{ID_u, r^*_x}}= g^{\frac{ab\cdot \mathbbm {sk}+ \eta }{\prod _{\forall r_j\in \mathbb {A}_{r^*_x}\setminus \{r_r\}}\frac{\mathbbm {t_{r_j}}}{\mathbbm {t_{r_r}}}}}= g^{\frac{x}{\prod _{\forall r_j\in \mathbb {A}_{r^*_x}\setminus \{r_r\}}\frac{\mathbbm {t_{r_j}}}{\mathbbm {t_{r_r}}}}}\\ \mathtt {Pub1^{r^*_x}_{ID_u}}=&H(r^*_x)^{\frac{1}{\mathbbm {sk}+ \varrho \cdot H_1(\mathtt {VP^*_{ID_u}})}}; \mathtt {Pub2^{r^*_x}_{ID_u}}\,=\, \hat{e}\left( H(r^*_x), g\right) ^{\frac{\varrho }{\mathbbm {sk}+ \varrho \cdot H_1(\mathtt {VP^*_{ID_u}})}}\\ \mathtt {PubWit^{r^*_x}_{ID_u}}\,=\,&\hat{e}\left( H(r^*_x, g)\right) ^{\prod _{\forall i\in \mathbb {U}_{r^*_x}}\mathbbm {sk_i}} \end{aligned}$$

Simulator \(\mathcal {B}\) sends the pair of secret keys \(\mathtt {RK^1_{ID_u, r^*_x}}, \mathtt {RK^2_{ID_u, r^*_x}}\), public keys \(\mathtt {Pub1^{r^*_x}_{ID_u}}, \mathtt {Pub2^{r^*_x}_{ID_u}}\) and public witness key \(\mathtt {PubWit^{r^*_x}_{ID_u}}\) to the adversary \(\mathcal {A}\).

Challenge– When the adversary \(\mathcal {A}\) decides that Phase 1 is over, it submits two equal length messages \(\mathtt {K_0}\) and \(\mathtt {K_1}\) to the simulator \(\mathcal {B}\). The simulator chooses a random number \(r\in \mathbb {Z}_q^*\) and flips a random binary coin \(\mu \). It then encrypts \(\mathtt {K_\mu }\) using the challenged category \(r_i\) and generates a ciphertext \(\mathbb {CT}_{\mu }= \langle {C_1 , C_2, C_3, C_{r_i}}\rangle \), where

$$\begin{aligned} C_1\,=\,&\mathtt {K_\mu }\cdot Z\\ C_2\,=\,&\hat{e}(g, g)^{\eta \cdot (c+ r)}\\ \,=\,&\hat{e}(g, g)^{[x- ab\cdot \mathbbm {sk}](c+ r)}\\ \,=\,&\hat{e}(g, g)^{x(c+ r)}\cdot \hat{e}(g, g)^{-ab(c+ r)\cdot \mathbbm {sk}}\,=\, \hat{e}(g, C)^{x}\cdot \hat{e}(g, g)^{x\cdot r}\cdot Z^{-\mathbbm {sk}}\cdot \hat{e}(A, B)^{-r\cdot \mathbbm {sk}}\\C_3\,=\,&\hat{e}(g, g)^{abr}\,=\, \hat{e}(A, B)^r; C_{r_i}= g^{(c+ r)\cdot \prod _{\forall r_j\in \mathbb {A}_{r_i}\setminus \{r_r\}}\mathbbm {t}_{r_j}}= (C\cdot g^r)^{\prod _{\forall r_j\in \mathbb {A}_{r_i}\setminus \{r_r\}}\mathbbm {t}_{r_j}}\\ \end{aligned}$$

Phase 2– Same as Phase 1.

Guess – The adversary \(\mathcal {A}\) guesses a bit \(\mu '\) and sends to the simulator \(\mathcal {B}\). If \(\mu '=\mu \) then the adversary \(\mathcal {A}\) wins CPA game; otherwise it fails. If \(\mu '= \mu \), simulator \(\mathcal {B}\) answers “DBDH” in the game (i.e. outputs \(l= 0\)); otherwise \(\mathcal {B}\) answers “random” (i.e. outputs \(l= 1\)).

If \(Z= \hat{e}(g, g)^{z}\); then \(C_1\) is completely random from the view of the adversary \(\mathcal {A}\). So, the received ciphertext \(\mathbb {CT}_\mu \) is not compliant to the game (i.e. invalid ciphertext). Therefore, the adversary \(\mathcal {A}\) chooses \(\mu '\) randomly. Hence, probability of the adversary \(\mathcal {A}\) for outputting \(\mu '= \mu \) is \(\frac{1}{2}\).

If \(Z= \hat{e}(g, g)^{abc}\), then adversary \(\mathcal {A}\) receives a valid ciphertext. The adversary \(\mathcal {A}\) wins the CPA game with non-negligible advantage \(\epsilon \) (according to Theorem 1). So, the probability of outputting \(\mu '= \mu \) for the adversary \(\mathcal {A}\) is \(\frac{1}{2}+ \epsilon \), where probability \(\epsilon \) is for guessing that the received ciphertext is valid and probability \(\frac{1}{2}\) is for guessing whether the valid ciphertext \(\mathbb {CT}_\mu \) is related to \(\mathtt {K_0}\) or \(\mathtt {K_1}\).

Therefore, the overall advantage \(\mathtt {Adv^{IND-CPA}}\) of the simulator \(\mathcal {B}\) is \(\frac{1}{2}(\frac{1}{2}+ \epsilon + \frac{1}{2})- \frac{1}{2}= \frac{\epsilon }{2}\).