Sanjeev Kaushik Ramani
Alexander Afanasyev
ABSTRACT
Named Data Networking (NDN) relies on public key signing to ensure integrity and authenticity for all data packets fetched in the network. One of the considerations for reliability of such signing is limiting the scope (what the key can sign) and time (how long the key can sign) of the public keys and their certificates, usually referred to as "least privilege principle." Traditionally, the public key certificates are issued for relative long periods of times measured in months or years; which requires considerations for certificate revocation, e.g, when the private key is lost or compromised. However, if the validity periods can be reduced to days or hours, the complex (and sometimes semi-broken) revocation mechanisms can be completely eliminated. This poster proposes such a mechanism---CertCoalesce certificates---to efficiently manage virtually unlimited pools of short-term certificates with limited networking, storage, and computational overheads. Specifically, a single certificate request with a "primary" key can be used to bootstrap the process of creating an unlimited number of short-term certificates for derivative private/public keys. Moreover, such certificates can be issued asynchronously---periodically pre-provisioned or upon request with an Interest---terminating issuance of future certificates when necessary. Moreover, CertCoalesce design owing to the underlying elliptic curve cryptography ensures that a compromised key from the pool of keys will not reveal information about other keys/certificates in the pool.
Supplemental Material
- [n.d.]. National Institute of Standards and Technology. Recommended elliptic curves for federal government use. https://csrc.nist.gov/projects/cryptographic-standards-and-guidelinesGoogle Scholar
- [n.d.]. Security Credential Management System Proof-of-Concept. https://wiki.campllc.org/display/SCP/SCP1%3A+Butterfly+KeysGoogle Scholar
- Alex Afanasyev, Jeff Burke, Tamer Refaei, Lan Wang, Beichuan Zhang, and Lixia Zhang. 2018. A brief introduction to Named Data Networking. In Proc. of MILCOM.Google ScholarDigital Library
- Steven D Galbraith and Pierrick Gaudry. 2016. Recent progress on the elliptic curve discrete logarithm problem. Designs, Codes and Cryptography 78, 1 (2016), 51--72.Google ScholarDigital Library
- NDN Team. 2020. NDN Certificate Format Version 2.0. Online: http://named-data.net/doc/ndn-cxx/current/specs/certificate-format.html.Google Scholar
- Sanjeev Kaushik Ramani, Reza Tourani, George Torres, Satyajayant Misra, and Alexander Afanasyev. 2019. NDN-ABS: Attribute-Based Signature Scheme for Named Data Networking. In Proceedings of the 6th ACM Conference on Information-Centric Networking. 123--133.Google ScholarDigital Library
- Lixia Zhang, Alexander Afanasyev, Jeffrey Burke, Van Jacobson, Patrick Crowley, Christos Papadopoulos, Lan Wang, Beichuan Zhang, et al. 2014. Named data networking. ACM SIGCOMM Computer Communication Review 44, 3 (2014), 66--73.Google ScholarDigital Library
- Zhiyi Zhang, Yingdi Yu, Alex Afanasyev, and Lixia Zhang. 2017. NDN Certificate Management Protocol (NDNCERT). Technical Report NDN-0050. NDN.Google Scholar
Index Terms
- CertCoalesce: Efficient Certificate Pool for NDN-Based Systems
Recommendations
NDN-ABS: Attribute-Based Signature Scheme for Named Data Networking
ICN '19: Proceedings of the 6th ACM Conference on Information-Centric NetworkingThe Named Data Networking architecture mandates cryptographic signatures of packets at the network layer. Traditional RSA and ECDSA public key signatures require obtaining signer's NDN certificate (and, if needed, the next-level certificates of the ...
CertRevoke: a certificate revocation framework for named data networking
ICN '22: Proceedings of the 9th ACM Conference on Information-Centric NetworkingNamed Data Networking (NDN) secures network communications by requiring all data packets to be signed upon production. This requirement makes usable and efficient NDN certificate issuance and revocation essential for NDN operations. In this paper, we ...
Liberalising Deployment of Internet of Things Devices and Services in Large Scale Environments
There is an ongoing enormous expansion of Internet of Things devices and services in everyday life, notably in novel large scale urban environments called Smart Cities. There, availability and uses of Internet of Things by end users and businesses is ...
Comments