Secure Distribution of Protected Content in Information-Centric Networking

07/26/2019 ∙ by Muhammad Bilal, et al. ∙ IEEE Korea University 1

The benefits of ubiquitous caching in ICN are profound, and this feature makes ICN promising for content distribution, but it also introduces a challenge to protecting content against unauthorized access. Protecting content against unauthorized access requires consumer authentication and involves conventional end-to-end encryption. However, in information-centric networking (ICN), such end-to-end encryption makes content caching ineffective, since encrypted contents stored in a cache are useless for any consumers except those who know the encryption key. For effective caching of encrypted contents in ICN, we propose a secure distribution of protected content (SDPC) scheme, which ensures that only authenticated consumers can access the content. SDPC is lightweight and allows consumers to verify the originality of the published content by using symmetric key encryption. SDPC also provides protection against privacy leakage. The security of SDPC was proved with BAN logic and Scyther tool verification, and simulation results show that SDPC can reduce the content download delay.


I Introduction

Since the earliest time of the Internet, its underlying architecture has been based on packet-switching and host-to-host communications. The TCP/IP layered architecture employs the same view and provides an abstract host-to-host communication model to communication applications. It decouples what to communicate from how the communication is done. This basic design feature of the TCP/IP architecture was far-reaching, allowing the Internet to grow for almost four decades while adopting various features and yet maintaining high efficiency. However, in the recent past there has been a profound increase in Internet connectivity, and with the emergence of new Internet applications, the Internet semantics have changed from host centric to content centric. To satisfy the needs of emerging internet applications, the current TCP/IP Internet architecture has adopted several application layer solutions known as over-the-top (OTT) applications, such as content delivery network (CDN), web caching, and peer-to-peer networking [1, 2]. With the addition of numerous applications, the gap between the basic semantics of the current Internet architecture and its usage is bound to increase; in fact, the additions of new OTT applications are leading us towards a very complex Internet architecture, and are introducing challenges to achieving efficiency, security, and privacy at acceptable economical cost.

Further, Internet trends are shifting away from browsing information to consuming and sharing all types of content online, including user-generated contents. Hence, the most promising characteristic of the future Internet is ubiquitous content delivery. What is being communicated is becoming more important than who is communicating. In this perspective, information-centric networking (ICN) has emerged as a promising architecture for the Future Internet; recently, the ICN support for 5G use cases was specified by NGMN. ICN represents a paradigm shift from host-centric to content-centric services and from source-driven to receiver-driven approaches. In the ICN paradigm the network is in charge of mapping the requested content to where it can be found. To do so, network-level naming is used for identifying content objects, independent of their locations [3, 4, 5]. This means that the ICN architecture decouples contents from the host at the network level and supports temporary storage of contents at in-network caches.

In ICN, in-network caching is an integral part of the ICN service framework [6][7]. The benefits of ubiquitous caching in ICN are profound, but it also introduces a challenge to content security; in particular, the protection of private or confidential content is a challenging task. The ICN-enabled cache routers can store the content segments for future use; hence, the content is temporarily cached in a few intermediate cache routers while it is being delivered to a consumer. If content requests traverse a cache router that holds a temporarily cached copy of that particular content segment, then the request is served locally without being routed towards the publisher. However, in ICN the publisher has no control over the content after injecting it into the network; in particular, if private or confidential content is protected insecurely, then any unauthorized consumer can acquire it from intermediate caches. Traditionally, the protection of the content against unauthorized access requires consumer authentication and involves conventional end-to-end encryption. Consequently, when the content is encrypted with the authorized user’s key, in-network caching becomes ineffective in ICN.

In Figure 1, a publisher publishes two content objects and . Further, two consumers and subscribe to access these protected contents and . Furthermore, the object is published without encrypting, scrambling, or hashing the content name, while the object is published with encrypting, scrambling or hashing the content name to ensure its privacy. Assume that the consumer sent an interest packet encapsulating the access authorization information. In reply, based on the subscription information, if is a valid subscriber, the publisher encrypts the requested content segment with a consumer-specific key and sends it to the consumer . Based on the semantics of ICN and cache replacement schemes, the intermediate cache router stores the encrypted content segment for future use. Now let's suppose the consumer requests the same content. If the meta-data of the encrypted stored packet is available to , as in the case of , then the intermediate cache router will reply with the cached content to the consumer . However, cannot decrypt the content segment as it was solely intended for and thus the payload is encrypted with the key known to and . Contrarily, if the meta-data of the encrypted stored packet is unavailable to , as in the case of , the interest packet will be forwarded to the publisher.

Figure 1: Ineffective caching in ICN with end-to-end encryption.

This issue can be solved by encrypting each content segment with a key known to all subscribers. In this regard, this issue can be viewed as a group key agreement problem. However, even in the presence of a perfect key distribution protocol, the assurance of backward and forward secrecy requires complex operations since the publisher in ICN has no control over the content after injecting it in the network. Moreover, in conventional group key agreement protocols [8, 9], the hosts share a cryptographic key for secure communications, which are not well-suited for the content centric ICN paradigm.

For example, if an authorized consumer unsubscribes from the service, then to ensure forward secrecy it is necessary to make sure that the leaving consumer does not have access to future keys for the group; hence, the shared key should be updated. From this point onward, the publisher would encrypt a new version of the content with updated group keys. To access the content which is already disseminated in network caches, the authorized consumers need to keep both keys for effective cache utilization. As shown in Figure 1(b), at time , the publisher publishes object and shares the encryption key with all authorized consumers , and . Let’s assume that at time consumer unsubscribes from publisher . The publisher will issue a new key . Further assume that before the unsubscribe event the copies of segment and were already disseminated in the ICN core network; now if a consumer or requests object , it may get and from the cache router encrypted with and the rest of the segments from the publisher encrypted with . Similarly, if a new authorized consumer subscribes to the service, then to ensure backward secrecy the shared key should be updated, and previous group members need to keep both keys for effective cache utilization. In a highly dynamic group where the consumers subscribe or unsubscribe very frequently, this will trigger numerous leave and join events, which will invoke group key agreement protocols each time. For effective caching, all consumers would have to keep a record of multiple keys. Moreover, an extra decision operation is required to select the proper key; associating a time stamp can solve the problem at the cost of group member synchronization. Hence, conventional group key management cannot handle the access control problem in ICN while ensuring effective caching.

In our proposed scheme, we shifted the central target of the keying process from hosts to the data itself, i.e., the segments of the published content are encrypted with symmetric cryptographic keys that are unique to each segment and version. The solution is to encrypt each content segment with a uniquely assigned key known to all subscribers, which raises three fundamental questions. How does one ensure that only an authenticated subscribed consumer can access the content? How can the consumer verify the originality of the content; that is, do we still need self-certifying? Finally, and most importantly, how can encryption keys be distributed among all of the consumers for each content segment? We answered all these questions in this work.

Specifically, we propose a secure distribution of protected content (SDPC) scheme, which consists of two protocol suites, 1) the keying protocol suite and 2) the subscription and content access protocol suite. The keying protocol suite enables the consumer and publisher to share a chain of secret keys required to decrypt the segments of the published content, while the subscription and content access protocol suite ensures that only authorized consumers receive the secret key generation information.

The remainder of this paper is organized as follows. In Sections II and III, we summarize the related works and present the system model, respectively. Section IV describes SDPC with detailed discussions. Section V presents an inclusive security analysis. In Section VI, we present the performance analysis of SDPC. Finally, we provide concluding remarks in Section VII.

Figure 2: Illustration of a) system model and b) naming scheme used in SDPC.

II Related Works

Most existing access control schemes for secure contents are application specific or lack security strength. For example, in [10], the authors presented a scheme for protected contents using network coding as encryption. However, the scheme requires a private connection between the publisher and consumer to obtain the decoding matrix and missing data blocks. In [11], the authors presented a security framework for copyrighted video streaming in ICN based on linear random coding. It is proven that linear random coding alone improves the performance of ICN [12]. However, in [11], each video was encrypted with a large number of symmetric encryption keys, such that each video frame was encrypted with a unique symmetric encryption key. Since only authorized users who possessed the set of all keys could decrypt the video content, the distribution of a large number of keys for each video content can be an extra communication overhead.

In earlier work [13], the authors proposed a content access control scheme, named AccConF, for the ICN-enabled wireless edge. The proposed scheme is an extension of [14], which employs a public-key based algorithm and Shamir’s secret sharing as a building block. To obtain the unique interpolating polynomial of Shamir’s scheme, AccConF adopted the Lagrangian interpolation technique. The calculation of Lagrangian interpolation is a computationally expensive process. To reduce the client-side computational burden, the publisher piggybacks an enabling block with each content, which encapsulates partially solved Lagrangian coefficients.

In the work by [15], access control is realized by a flexible secure content distribution architecture, which combines the proxy re-encryption and identity-based encryption mechanisms. The publisher generates a symmetric key and encrypts the content before dissemination. To access the content from an in-network cache or directly from the publisher, a consumer first sends a request to the publisher to acquire the symmetric encryption key. Upon receiving the key request, the publisher validates and verifies the authenticity of the consumer, and sends the symmetric key encapsulated in a response message encrypted with the consumer’s identity. The proposed scheme eliminated the asymmetric encryption, but it is not clear how the consumer’s private identity could be known to the content provider.

In other work [16], the author proposed a content access control scheme based on proxy re-encryption. In proxy re-encryption the content is re-encrypted by an intermediate node. In the proposed scheme the edge routers perform the content re-encryption. Upon receiving a content request, the publisher encrypts the data and a randomly generated key k1, using its public key. Upon receiving the content request, the edge router generates a random key k2 encrypted by the publisher’s public key and signed by the edge router. The edge router sends the encrypted k2 to the publisher, appends the encrypted k2 to the content and dispatches it towards the consumer. Meanwhile, the publisher verifies the authenticity of the consumer, and generates the content decryption key K using K1, K2 and the public key. Upon receiving K the consumer can decrypt the content.

In other work [17], the authors proposed a distributed information flow control mechanism (named MCAC) to enable secure access control for the published content. In MCAC, the requests and content objects are labeled with {, , , }. These labels classify the contents based on the security and privacy requirements, where the h-level signifies the highest protection level and enforces a non-caching policy, the n-level enforces the 1-level caching policy, the d-level permits a multi-level caching policy, and the p-level supports an all-reading policy. To administer the MCAC information flow, the intermediate routers are required to implement a trust computing base (TCB), consisting of three modules: the trust storage module (TSM), the trust labeling module (TLM), and the trust enforcement module (TEM). TSM governs the process of cryptographic session key establishment between participating routers and other nodes. The session keys are used to attain the h-level security by encrypting highly confidential labeled contents. TLM checks the label value and instructs the operating system accordingly to take further actions. TEM performs the content forwarding process and is responsible for content reclassification, i.e., TEM can relabel a content to the h-level if it was at the n-level to hide the content based on the privacy policy of the publisher. MCAC does not provide any mechanism to authenticate participating entities, which makes MCAC vulnerable to various attacks. Moreover, to enforce the h-level security and privacy protection, all MCAC-enabled routers need to establish a cryptographic session key and need to encrypt/decrypt all the communication between routers, which severely affects the performance of MCAC. (Footnote 1: To verify the protocol claims, we implemented MCAC in an automated security protocol analysis tool, Scyther [21], and also discussed its performance in Sections V and VI.)

In another study [18], the authors presented an access control scheme for encrypted content in ICN, which is based on the efficient unidirectional proxy re-encryption (EU-PRE) proposed by [19]. The proposed scheme, named efficient unidirectional re-encryption (EU-RE), simplifies EU-PRE by eliminating the need for proxies in the re-encryption operation. However, the EU-RE scheme is still based on asymmetric cryptography, which is not suitable for several resource-constrained applications such as IoT and sensor networks. Moreover, the authors made an assumption that the content provider behaves correctly, i.e., it does not distribute any private content or decryption rights to unauthorized users. However, this assumption falsifies the protocol claims defined in [20], which means EU-RE is weak against several attacks. (Footnote 2: To verify the protocol claims, we implemented EU-RE in an automated security protocol analysis tool, Scyther [21], and presented the results in Section V.)

III System model

The system model used throughout this work is shown in Figure 2(a). For concrete discussion and better understanding, in the rest of the article, we present SDPC for a particular ICN architecture, i.e., named data networking (NDN) [3]. However, SDPC can be adopted for other ICN architectures without changing the core idea.

In NDN core networks, we introduce a new entity, designated subscription manager . The subscription manager can be a module installed on the publisher or it could be an independent entity in the network. In this work we assume that the subscription manager is an independent entity associated with multiple publishers. We also assume that there is a secret number associated with each valid subscriber (or consumer) , which is registered with the subscription manager . The registration could be made offline or online using a smart mechanism. The subscription manager stores the secret number in a hash table, which is a part of the registration database, as shown in Figure 2(a). Note that being registered does not mean the consumer is entitled to access a certain protected content. When a registered consumer is interested in a protected content, the consumer should first subscribe to the protected content, for instance, subscribing to a movie channel. In the first step, the consumer sends an interest request for the protected content along with the subscription request, and the publisher routes the request towards the subscription manager . After that, the subscription manager authenticates the consumer and in response the publisher sends the encryption key generation information . Using as a seed for a secure hash function, the consumer and the publisher can generate a chain of keys. Then, the publisher uses these keys to encrypt the segments of the published content; likewise, after acquiring the consumer generates the same keys to decrypt the segments of the published content.

To acquire , the first interest packet sent by a consumer should reach the publisher. To avoid any cache hit, it is important that the name of the content be unique between the consumer and the publisher, yet it should identify the requested object. As shown in Figure 2(b), the name of the segment , "korea.ac.kr/fil/test.doc/_v1/_s0", is of variable length and in a human-readable form. However, to achieve name uniqueness the consumer inserts the hash of the secret number , and encrypts the content name with . Then, the name of the segment becomes "korea.ac.kr/fil//". In this naming scheme the insertion of the digest and the encryption of the naming part provide a consumer-publisher specific unique name and as a result the interest packet always reaches the publisher without any cache hit. Note that the usage of the consumer name space is restricted to acquiring only, which provides protection against DoS attacks.

After acquiring the consumer can access the rest of the segments by using a shared authoritative name space. The name for each segment includes a hash digest , and the object name is encrypted with a uniquely assigned key , which is generated using for each segment of an object . For example, the name for segment of object is given by "korea.ac.kr/fil//". With the insertion of and the encryption of the naming part with keys generated using , this naming scheme provides a shared authoritative name space for all authorized consumers and thus it enables effective content caching. Moreover, this naming scheme ensures privacy, because the content name is invisible to an outsider without any knowledge of , , and cryptographic keys and .

Suppose that, in Figure 2(a), a consumer sends an interest packet utilizing the proposed naming scheme. Then, the packet will reach publisher without any cache hit. Let us say that protected content object is composed of segments of ; further, the intermediate cache routers and have the copies of the protected content segments, represented by and . If the consumer is a valid subscriber, the publisher sends the encryption key generation information to the consumer. After receiving the key generation information, the consumer can decrypt the content segments, which may be delivered directly from the intermediate cache router.

IV Secure Distribution of Protected Content

SDPC consists of two protocol suites: 1) the keying protocol suite and 2) the subscription and content access protocol suite. The keying protocol suite is comprised of a key generation protocol and a key agreement protocol for content protection. Likewise, the subscription and content access protocol further includes three protocols, one dealing with the consumer subscription and the other two dealing with access to the protected contents published by different publishers.

IV-A Keying Protocol Suite

In the keying protocol suite, the key generation protocol generates a commitment key using an irreversible function similar to the ones used in [22] [23]. The commitment key is further used to derive multiple keys; for instance, a chain of content segment encryption keys, a ticket encryption key, and a consumer-associated symmetric key are derived from the commitment key.

The key generation mechanism for the content protection is shown in Figure 3(a). First, the publisher divides a large content into equal-sized segments. For each protected content object , the publisher generates a unique commitment key generator by using an irreversible one-way hash function , where is the time of publishing and represents the content name and version (Footnote 3: Each version of the content object is encrypted with a separate chain of keys. It empowers the publisher to control version-based access.). After that, the publisher generates a chain of key generators of the length by using an irreversible one-way function . Each generator in the chain is used by a function at a specific index location in the chain to derive a content segment encryption key. For instance, at index , the function generates the key used for encrypting the th segment of the content object , where is the public key of the publisher. The use of , in the symmetric key generation process, implicitly ensures the originality of the content, i.e., the content is still self-certifying without the use of expensive asymmetric encryption. For instance, very efficient public key algorithms, such as ECC [24], are almost three thousand times slower than symmetric key algorithms [25] such as RC5 [26]. The symmetric keys generated as a result of the SDPC keying protocol have the size of 256 bits. Hence, in the subsequent section on the authentication protocols, any symmetric encryption algorithm supporting a 256-bit key can be used, e.g., RC5/6 [26], Rijndael [27], and Twofish [28].
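An added example, not code from the paper or its authors: the key-generator chain and the shared name space described above, sketched in Python so that two subscribers holding the same seed derive identical 256-bit segment keys and identical segment names, and the second one is served from the cache. The SHA-256 construction, the domain labels, the HMAC name transform (a stand-in for SDPC's name encryption), the publishing time and the public-key bytes are all assumptions, since the paper's exact functions are not reproduced on this page.

```python
import hashlib
import hmac

def H(label: bytes, *parts: bytes) -> bytes:
    """SHA-256 over a domain label and length-prefixed inputs (assumed one-way function)."""
    h = hashlib.sha256(label)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def commitment_generator(publish_time: int, name_version: str) -> bytes:
    """Per-object, per-version seed built from publishing time and content name/version."""
    return H(b"demo/commit", publish_time.to_bytes(8, "big"), name_version.encode())

def segment_keys(seed: bytes, publisher_pk: bytes, n_segments: int) -> list:
    """Walk the generator chain; each segment key binds one generator to the publisher's public key."""
    keys, g = [], seed
    for _ in range(n_segments):
        keys.append(H(b"demo/segkey", g, publisher_pk))
        g = H(b"demo/chain", g)  # next generator in the chain
    return keys

def segment_name(prefix: str, seed: bytes, key: bytes, name_version: str, index: int) -> str:
    """Shared name: prefix / digest of the seed / keyed transform of the readable name."""
    digest = H(b"demo/name", seed).hex()[:16]
    # HMAC is an assumption standing in for the per-segment name encryption.
    opaque = hmac.new(key, f"{name_version}/_s{index}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{prefix}/{digest}/{opaque}"

def all_names(prefix, seed, publisher_pk, name_version, n):
    keys = segment_keys(seed, publisher_pk, n)
    return [segment_name(prefix, seed, k, name_version, i) for i, k in enumerate(keys)]

class CacheRouter:
    """Toy on-path cache: serves by exact name, otherwise forwards to the origin."""
    def __init__(self, origin: dict):
        self.origin, self.store = origin, {}
        self.hits = self.misses = 0

    def fetch(self, name: str):
        if name in self.store:
            self.hits += 1
            return self.store[name]
        data = self.origin.get(name)  # forwarded towards the publisher
        if data is not None:
            self.misses += 1
            self.store[name] = data
        return data  # None: the publisher has no object under that name

def demo() -> dict:
    prefix, obj, n = "korea.ac.kr/fil", "test.doc/_v1", 4
    pk = b"constructed-publisher-public-key"       # constructed stand-in value
    seed = commitment_generator(1564099200, obj)    # constructed publishing time
    publisher_keys = segment_keys(seed, pk, n)
    origin = {name: b"ciphertext-of-segment-%d" % i
              for i, name in enumerate(all_names(prefix, seed, pk, obj, n))}
    router = CacheRouter(origin)

    # Consumer A obtained the seed through subscription and derives keys and names locally.
    consumer_keys = segment_keys(seed, pk, n)
    for name in all_names(prefix, seed, pk, obj, n):
        router.fetch(name)
    after_a = (router.hits, router.misses)

    # Consumer B holds the same seed: same names, so every request is a cache hit.
    for name in all_names(prefix, seed, pk, obj, n):
        router.fetch(name)
    after_b = (router.hits, router.misses)

    # A party guessing the seed (wrong publishing time) cannot even name the segments.
    wrong_seed = commitment_generator(1564099201, obj)
    served = [router.fetch(nm) for nm in all_names(prefix, wrong_seed, pk, obj, n)]

    # A new version of the object gets an unrelated key chain.
    v2_keys = segment_keys(commitment_generator(1564099200, "test.doc/_v2"), pk, n)
    return {
        "keys_match": consumer_keys == publisher_keys,
        "key_bits": len(publisher_keys[0]) * 8,
        "after_a": after_a,
        "after_b": after_b,
        "outsider_served": sum(s is not None for s in served),
        "v2_disjoint": not set(v2_keys) & set(publisher_keys),
    }

if __name__ == "__main__":
    print(demo())
```

Because the chain only runs forward, a party that learns a generator at some index can derive every later segment key of that version, which is why the seed is delivered only inside the authenticated handshake.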

IV-B Subscription and Content Access Protocol Suite

When a consumer wants to subscribe to the protected content, the consumer gains an initial access using a subscription protocol (SubP). After SubP, the consumer can use a ticket to access multiple protected contents published by the publishers or managed by a third party.

Figure 3: The SDPC protocol suite: (a) symmetric keys generation and admission with reference to segment number of protected content and (b) message exchange for SubP, APSub, and APSub3.

IV-B1 Initial Access and Subscription Protocol (SubP)

If a consumer wants to subscribe to the protected content (e.g., subscribing for a movie channel), first generates an encryption key , where is the public key of the publisher and is a secret number shared with the subscription manager . SubP continues as follows:

  1. As shown in 1 at Figure 3(b), injects a subscription interest packet and the NDN core network forwards it to the publisher . The interest packet encloses that is encrypted with the generated encryption key .

  2. Upon receiving the request from , forwards the request in conjunction with its identity and the challenge to the subscription manager . Note that cannot decrypt the part of the interest packet which is encrypted with key and registration number remains invisible to the publisher.

  3. retrieves the profile of from the database. If is a legitimate consumer, generates the keys and , and sends to , where is the time of issuing the session key . The message M3 includes a ticket , a challenge for , and a challenge response for . After that, verifies the challenge response and stores to use it as a message authentication in M5 and M6. In addition, retrieves the profile and the session key from the ticket. Since ticket is encrypted with the public key of , the consumer cannot decrypt it, but can use it to subscribe to other contents published by , without contacting the subscription manager .

  4. forwards to along with , which is required to decrypt the segments of the published content and also used as a content object identifier. After verification of a challenge , accepts and generates a key chain to decrypt the protected content. The generated key chain involves the public key of , hence, the content is also self-certifying.

  5. sends the challenge response to for the confirmation of a successful protocol run. After challenge confirmation, may optionally register in its own database. If does not receive any challenge response within a certain period of time, marks as a stolen ticket.

In SubP, secure exchanges of , , and ensure the message authentication between the consumer and the subscription manager, between the subscription manager and the publisher, and between the publisher and subscription manager, respectively. Likewise, the message authentication between the consumer and publisher is established by the session key encryption and .

IV-C Content Access Protocols

IV-C1 Access Protocol after Subscription (APSub)

When the consumer wishes to access some other protected contents published by the publisher , sends an interest request for the protected content along with the ticket and APSub continues as follows.

  1. As shown in 2 at Figure 3(b), injects a subscription interest packet, enclosing . The NDN core network forwards it to the publisher . The publisher decrypts the ticket and verifies the sender’s identity by retrieving . If the value does not match, will ignore the request and otherwise proceed as follows.

  2. sends a challenge response along with the new challenge encrypted with the session key . also sends , which is required to decrypt the segments of the published content.

  3. sends a challenge response . If does not receive the challenge response within a certain period of time, marks as a stolen ticket.

In APSub, the secure exchange of ensures the message authentication between the consumer and the publisher.

IV-C2 Access Protocol after Subscription involving a Third Party (APSub3)

Assume a consumer subscribed with , which means it shares a session key with and holds a encrypted with public key of . Now if wishes to access the protected contents published by a third-party content publisher , APSub3 continues as follows.

  1. As depicted in 3 at Figure 3(b), injects a subscription interest packet enclosing and the packet is forwarded to the publisher .

  2. Upon receiving the request from , forwards the request in conjunction with its identity and the challenge to . Note that cannot decrypt in the interest packet that is encrypted with the key , which is a shared session key between and ; this ensures that the third-party content distributor cannot misuse the consumer's secure information, such as the profile and secret share number.

  3. retrieves the profile from , and if is a legitimate consumer, generates the key , and sends to . The message M3 also includes the key , a challenge for , and the challenge response for , which are encrypted with the public key . After that, the publisher verifies the challenge response and stores . Note that the ticket is encrypted with the public key of . Therefore, and third-party publisher cannot decrypt it. Also, is inaccessible to , which ensures that the third-party content distributor cannot misuse the protected content.

  4. forwards to . After the verification of the challenge , generates and sends the challenge response to . Now can generate a key chain to decrypt the protected published content. Since the key chain is generated using the public key of , the content is also self-certifying.

  5. sends the challenge response to for the confirmation of a successful protocol run.

  6. After the challenge confirmation, closes the protocol run. If does not receive any challenge response within a certain period of time, marks as a stolen ticket.

In SubP3, secure exchanges of , , and ensure the message authentication between the consumer and the subscription manager, between the subscription manager and the third-party publisher, and between the third-party publisher and subscription manager, respectively. Likewise, the message authentication between the consumer and the third-party publisher is established by a temporary session key and .

V Security Analysis

This section presents an inclusive security analysis, formal analysis using BAN logic [29], and Scyther implementation results [21].

V-A Naming based Attacks

In NDN the objects are identified by a human readable naming system, which can lead to watchlist and sniffing attacks [30, 31, 32].

In a watchlist attack, an attacker who has control over communication links and cache routers can delete or filter the content based on a predefined list of content objects. With the use of SDPC, the content is encrypted and invisible to the attacker. Recall that in NDN it is not obligatory that a content object carry an explicit content name; rather, it can carry an implicit content identifier computed from the corresponding interest. This solution hides the object from the attacker. Let us reconsider the example in Figure 2(b). The first interest packet carries the name "korea.ac.kr/fil/ / "; besides the insertion of hash digest , the object name is encrypted with . After acquiring the name for _s1 is then given by "korea.ac.kr/fil/ / ". The attacker cannot get , , , and , and thus launching a watchlist attack is not possible. Moreover, it completely hides the object name from the attacker, which ensures the privacy of the consumer.

Contrarily, in a sniffing attack the intruder does not have any list of pre-defined contents, rather it monitors the network and filters or eliminates the data if it contains some specified keywords. Such sniffing attack is not possible in SDPC, because the data is encrypted with the secret keys.

V-B DDoS Attacks

In-network caching makes NDN intrinsically resilient against distributed denial of service (DDoS) attacks [33, 34]. DDoS is a malicious attempt to disturb normal traffic to a server, for instance, multiple compromised systems send fake interest packets to a content publisher. Once the content is disseminated across network caches, the DDoS attack against a publisher depletes due to the on-path cache hits. However, assume somehow an attacker manages to flood all interests to a targeted publisher. With the use of SDPC, the total burden after a successful DDoS attack on the targeted publisher will remain insignificant. This is because the subscription manager keeps the record of registered nodes in the hash table, whose entries represent session keys. Thus, in case of suspicion, the subscription manager in SDPC can identify fake requests by a hash table lookup with the complexity .

V-C Time Analysis Attack

In NDN, any cache node can store content segments. An intruder can guess that a particular content was requested by a user in a particular vicinity by observing the request response time of a cached or uncached content. With the use of SDPC, the payload is encrypted with one of the keys derived from and the name of an object is identified by the digest and encrypted fields. Since the intruder cannot acquire on time, it cannot create a valid request to launch a time analysis attack.

V-D Unauthorized Access

SDPC allows the caches to store encrypted contents and to use a naming scheme unrecognizable to intruders. An intruder can access the content only after acquiring . The delivery of in SDPC is achieved by handshake messages, where each message exchange contains an explicit (nonce challenge) or implicit (encryption key derived from nonce) message authentication; further, each message is encrypted with . Therefore, for unauthorized access an intruder needs to acquire .

V-E Traffic Monitoring Attack

In a traffic monitoring attack [35], an intruder targets a consumer and tries to identify the requested contents. To launch a traffic monitoring attack, the intruder takes control of an edge router and observes all the requests sent by the target consumer. However, in SDPC the content name is encrypted, which hides the object name from the attacker; consequently, traffic monitoring cannot reveal the identity of the requested contents.

V-F Formal Analysis using BAN Logic

BAN logic [29] is widely used for the formal analysis of security protocols and has remained in use until recently [38], [39]. To verify the security of the SDPC protocol suite, it is sufficient to demonstrate the security of SubP, since the remaining protocols are extensions of SubP. The BAN logic analysis shows that SDPC is safe against a large number of attacks. A detailed formal analysis of SDPC using BAN logic can be found in Appendix-I or at [40].

V-G Scyther Implementation Results

Although BAN logic provides a foundation for the formal analysis of security protocols, a few attacks can be undetectable even with BAN logic [36]. However, the critical analysis of BAN logic in [36] is based on the usage of asymmetric cryptography, whereas SDPC utilizes symmetric cryptography. Furthermore, [36] argues that the BAN-logic methodology is faulty because it is assumed that physical security and administration do not suffer from the loss of messages by the underlying communication facility or because of host crashes. Owing to the replication of contents across the network, in ICN this assumption has a minor effect. Still, for additional proof of the strength of the SDPC protocol suite, we implemented SDPC, EU-RE [18], and MCAC [17] in an automated security protocol analysis tool, Scyther [21].

We considered four claims: 1) aliveness, 2) weak agreement, 3) non-injective agreement, and 4) non-injective synchronization [20]. These four claims are proven to be true for SDPC by using BAN logic. In Scyther, a protocol is modeled as an exchange of messages among different participating roles. For instance, in NDN-SDPC, the consumer and publisher are in the roles of initiator (I) and responder (R), respectively, whereas the subscription manager is in the role of a server (S). In EU-RE, the publisher acts both as a responder and as a server (R_S), whereas in MCAC the consumer and publisher are in the roles of I and R, respectively, and the 3rd party authenticator has the role of S. The Scyther tool integrates the authentication properties into the protocol specification as a claim event. We tested SDPC, MCAC, and EU-RE by employing the claims mentioned earlier, with the parameter settings given in Table I.

| Parameter | Settings |
|---|---|
| Number of runs | 1 to 3 |
| Matching type | Find all types of flaws |
| Search pruning | Find all attacks |
| Number of patterns per claim | 10 |

Table I: Scyther tool parameter settings.

| Claims | MCAC [17] | MCAC [17] auth. | EU-RE [18] | NDN-SDPC |
|---|---|---|---|---|
| Aliveness | N N N | Y Y Y | Y Y | Y Y Y |
| Weak Agreement | N N N | Y Y Y | N Y | Y Y Y |
| Non-injective Agreement | N N N | Y Y Y | N Y | Y Y Y |
| Non-injective Synchronization | N N N | Y Y Y | N Y | Y Y Y |

N = Protocol claim is not fulfilled; Y = Protocol claim is fulfilled

Table II: Scyther results for SDPC, MCAC, and EU-RE.

The Scyther results are shown in Table II. It is clear that SubP qualifies all of the protocol claims and no attacks were found. Consequently, for a large number of systems and scenarios, SDPC guarantees safety against a large number of known attacks such as impersonation, man-in-the-middle, and replay attacks. However, in EU-RE, the author made an assumption that the content provider behaves correctly, i.e., it does not distribute any private contents or decryption rights to unauthorized users. This assumption falsifies the protocol claims, which means EU-RE is weak against several attacks. The Scyther implementation shows that the initiator fails to confirm claims 2, 3, and 4.

In MCAC, the TCB along with encrypted communication between routers provides strong security against man-in-the-middle attacks; however, during bootstrapping, the session key establishment is conducted by the Diffie-Hellman (DH) key distribution algorithm [37] without using a proper authentication procedure. Since the DH algorithm does not inherently provide authentication, it can be secure only if it is properly integrated with another authentication protocol. This weak link in MCAC makes it vulnerable to several attacks; even a man-in-the-middle attack could be possible if an intruder tampered with the session key distribution procedure during the bootstrapping process. Therefore, from the Scyther implementation results, it can be seen that MCAC fails to qualify a single claim; further, if we assume the DH key exchange protocol is integrated with an authentication protocol or the bootstrap process is hidden from the intruder, then MCAC qualifies all the claims. The inclusion of the authentication process causes an extra processing burden only during the bootstrap process and can be ignored for the next steps in the protocol.
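The weak link described above, as an added example (not code from MCAC or from the paper): a Diffie-Hellman exchange whose public values are swapped on the path, run once without authentication and once with each value bound to its sender by an HMAC. The party names A and B, the pre-shared long-term key, and the demonstration group parameters are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple

# Demonstration parameters only: 2**255 - 19 is a known prime, but this is not
# a vetted Diffie-Hellman group. Use a standardized group in a real deployment.
P = 2**255 - 19
G = 2


class Outcome(NamedTuple):
    accepted: bool         # did both endpoints accept the exchange?
    endpoints_agree: bool  # do A and B hold the same session key?
    path_holds_key: bool   # does the on-path party share a key with A and with B?


def keypair():
    priv = secrets.randbelow(P - 3) + 2  # private exponent in 2 .. P-2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    if not 1 < peer_pub < P - 1:  # reject degenerate public values
        raise ValueError("public value out of range")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()


def tag(long_term_key, sender, pub):
    """MAC binding a DH public value to the identity that sent it."""
    msg = sender.encode() + b"|" + pub.to_bytes(32, "big")
    return hmac.new(long_term_key, msg, hashlib.sha256).digest()


def verify(long_term_key, sender, pub, mac):
    return hmac.compare_digest(tag(long_term_key, sender, pub), mac)


def bootstrap(authenticated, tampered):
    """Run one session-key establishment between A and B."""
    ltk = secrets.token_bytes(32)  # assumption: provisioned out of band
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()      # value substituted on the path

    to_b = (a_pub, tag(ltk, "A", a_pub))
    to_a = (b_pub, tag(ltk, "B", b_pub))
    if tampered:
        # The public values are replaced in transit. Without the long-term
        # key the tags cannot be recomputed, so the originals are forwarded.
        to_b = (m_pub, to_b[1])
        to_a = (m_pub, to_a[1])

    if authenticated and not (verify(ltk, "A", *to_b) and verify(ltk, "B", *to_a)):
        return Outcome(False, False, False)  # substitution detected, abort

    k_a = session_key(a_priv, to_a[0])
    k_b = session_key(b_priv, to_b[0])
    path = (session_key(m_priv, a_pub) == k_a
            and session_key(m_priv, b_pub) == k_b)
    return Outcome(True, k_a == k_b, path)


if __name__ == "__main__":
    for auth in (False, True):
        for tamper in (False, True):
            print(f"authenticated={auth} tampered={tamper} ->", bootstrap(auth, tamper))
```

Without authentication, the tampered run completes on both sides with no error, which is why the flaw shows up only in the protocol claims and not in normal operation.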

VI Performance Evaluation

We consider a scale-free network of 200 cache nodes generated using the Barabási–Albert (BA) model, as shown in Figure 4, which connects the publisher and the consumer space. Each cache router has a static request routing table. Further, we assume five content publishers in the network. Each publisher has 100,000 secure content items, and a Zipf-distribution with a popularity distribution exponent is used to determine the population of content items in the entire network.

Figure 4: Network setup for performance evaluation.

To ensure quick dissemination of the contents in the network, the publishers are connected to the cache routers with the highest betweenness centrality score, which helps bring the system to a steady state in a short time. Furthermore, 25 gateway cache routers are connected to the consumer space with a large number of consumers. At any given time, 400 to 500 consumers are subscribed to each publisher, and thus the total number of consumers subscribed to the five publishers varies between 2,000 and 2,500. The size of each content item is 1 GB, which is divided into 10 segments, and the link capacity between two cache routers is 1 Gbps. Finally, least frequently and recently used (LFRU) [7] is used in the experiment as the content replacement scheme.

We implemented the network setup, as described above, in MATLAB and compared the performance of NDN-SDPC against MCAC, EU-RE, and native NDN for two scenarios: 1) using end-to-end encryption, which makes the caching ineffective, as discussed in Figure 1, and 2) enabling the caching in the conventional way with a shared group key [8][9]. In scenario 2, the shared group key enables in-network caching, but the shared group key is infeasible because the authorized consumers need to keep a large number of keys for effective cache utilization in highly dynamic environments. Moreover, extra decision operations are required to select a proper key and to determine the timing of key deletion. For simplicity, in scenario 2, we only consider the computational and message complexity required to ensure backward and forward secrecy. The processing required to select an appropriate key on the consumer side is ignored. Further, scenario 2 is simulated for different levels of dynamicity in the consumer space, by considering 5, 15, and 25 leave and join requests per unit time, representing cases 1, 2, and 3, respectively. This comparison is made in terms of average download time, publisher load, and timeout interest ratio. The average download time is defined as the ratio of the total number of requests observed on all 25 cache routers to the time taken to receive all the requested contents at the gateway routers. The publisher load is defined as the percentage of interests reached at the publisher; a high publisher load implies few cache hits. The timeout interest ratio is defined as the percentage of interests timed out and re-transmitted.

Figure 5: Average download delay at gateway-cache router.

Figure 5 shows the comparison of the average download time observed when each of the 25 gateway cache routers receives the requests that are generated by a Poisson distribution with a rate req/s. The results are considered for different cache sizes of 200 MB to 100 GB; further, in the case of MCAC, it is considered that 20% of contents are labelled as the h-level and 80% as the d-level. The existence of different levels of content impacts the overall performance of MCAC, as shown in Figure 6. From Figure 5, it can be seen that NDN with SDPC outperforms EU-RE and native NDN in both scenarios 1 and 2. The performance of NDN in scenario 2 degrades further with the increase in dynamicity of the consumer space. The performance results of EU-RE are interesting: for smaller cache sizes [200 MB-1 GB], the performance of EU-RE is very close to NDN-SDPC, and it outperforms native NDN in both scenarios 1 and 2. However, the performance gap increases with the increase of the cache size, and EU-RE falls below NDN in scenario 2 with case 3. In EU-RE, the key revocation and content version are not correlated, and this can be one of the reasons for such performance degradation. For a large cache size, MCAC performs better than EU-RE and NDN in scenario 2 with cases 2 and 3; however, NDN-SDPC and NDN in scenario 2 with case 1 outperform MCAC. As discussed earlier, MCAC forces intermediate routers to implement TCB, which includes several operations and an encryption/decryption process for the h-level and the n-level secure content. These extra operations introduce processing delay at intermediate routers, and the performance of MCAC further decreases with an increasing number of h-level contents.

Figure 6: Average download delay for different numbers of h-level contents.

Figure 6 shows the comparison of average download time between NDN, NDN-SDPC, and MCAC for different numbers of h-level contents, ranging from 0 to 100% of total traffic, with the cache size fixed at 1 GB. From Figure 6, it is clear that the performance of MCAC degrades with an increasing number of h-level contents. This degradation is quite obvious, because h-level contents require no caching policy; hence, all interest packets traverse to the publisher.

Figure 7: Publisher load for different cache sizes.

Figure 7 shows the comparison of publisher load. We considered the case-3 level of dynamicity of the consumer space for EU-RE, MCAC, and NDN-SDPC. From Figure 7, it is evident that in NDN-SDPC the publisher load is 12 to 20% lower than in EU-RE; the publisher load in MCAC is almost the same as in NDN-SDPC, but MCAC's load increases with an increasing number of h-level contents. This also implies that NDN-SDPC has a higher cache hit ratio.

Figure 8: Timeout interest ratio for different cache sizes.

Similarly, from Figure 8, it can be seen that EU-RE, NDN-SDPC, and MCAC, with small numbers of h-level contents, suffer from a lower number of timed-out interest packets. NDN-SDPC and MCAC with 20% of h-level contents suffer 35 to 50% less than EU-RE; however, this performance metric also shows that the performance of MCAC reduces with an increasing number of h-level contents. This also implies that, in comparison to EU-RE and MCAC, NDN-SDPC provides better cache diversity.

VII Conclusion

For effective caching and access control of the protected content in ICN, we proposed a secure distribution of protected content (SDPC) scheme. SDPC's keying protocol suite empowers the publisher and consumer to generate multiple symmetric encryption keys with the exchange of a single commitment key. Moreover, SDPC's subscription and content access protocol suite ensures that only authenticated users can acquire the respective key generation information for the requested content. Another important aspect of the proposed scheme is the hybrid naming scheme, which provides privacy protection and deters the time analysis attack. The commitment key in SDPC is generated with the publisher's public key, along with other secret credentials, and thus allows the consumer to implicitly verify the originality of the published content. In other words, self-certifying is achieved with symmetric key cryptography, which makes SDPC free from the expensive computation overhead problem incurred in public key algorithms [24]. Consequently, we believe that the adaptation of SDPC can make NDN more feasible for resource-limited networks such as the Internet of things (IoT), which is one of our future works.

Appendix A BAN logic Analysis

The three basic objects of BAN logic are principals, formula/statements, and encryption keys. The principals and the protocol participants are represented by symbols and , respectively. The formula/statements are symbolized by and , and represents the content of the message exchanged. The encryption keys are symbolized by . The logical notations of the BAN-logic analysis are given in Table III, and some primary BAN-logic postulates used in the analysis of SDPC are summarized in Table IV.

Notation Description
believes , or would be enabled to believe ; in conclusion, can take as true.
received a message and can see the contents of the message and is capable of repeating
has sent a message including the statement . However, the freshness of message is unknown.
controls and should be trusted for formula/statement .
is fresh, i.e., never sent by any principal before.
and shares a key for secure communications and is only known to , .
The statement is encrypted by key .
It stands for combined with . is anticipated to be secret and its implicit or explicit presence proves the identity of a principal who completes .
Table III: Logical notations of BAN-logic.
Rule Postulate
Message meaning rules
Nonce verification rule
Jurisdiction rule
Freshness rule
Believe rule
Session key rule
Table IV: Primary BAN-logic postulates.

The SubP protocol should achieve the following four goals that state that both the consumer and the publisher trust the encryption key for the secure exchange of :

  • G1:

  • G2:

  • G3:

  • G4:

To verify the above-mentioned goals, the first step of BAN logic is to convert the subject protocol into its idealized form. Idealization is the process of representing each message exchange in its intended semantics. In other words, idealization is the process of converting each message exchange into a logical formula by using BAN symbols and notations. The idealizations of SubP are given below.

  • M1:

  • M2:

  • M3:

  • M4:

  • M5:

  • M6:

In an idealized protocol narration of SubP, the messages clearly show all the assertions. Using these assertions, all the implicit assumptions can be made explicit. The initial assumptions of SubP are given below.

  • A1:

  • A2:

  • A3:

  • A4:

  • A5:

  • A6:

  • A7:

  • A8:

  • A9:

  • A10:

  • A11:

  • A12:

Let us analyze SDPC to show that and share a session key. From M1, we have

(1)

A6 and the message meaning rule infer that

(2)

A1 and the freshness conjuncatenation comprehend that

(3)

Also, (2), (3), and the nonce verification rule deduce that

(4)

Then, (4) and the believe rule infer that

(5)

From A2, (5), and the jurisdiction rule, it can be concluded

(6)

This belief confirms that has received a message from a legitimate . A2, A1, (3), and the freshness conjuncatenation comprehend that

(7)

According to the nonce freshness, (7) proves that confirmed that is recently alive and running the protocol. Further, from (4) and (7), has guaranteed that the has been running the protocol, apparently with . This also proves that and agree on the nonce values corresponding to all the nonces in M1 and M2. These three proven claims are known as aliveness, weak agreement, and non-injective agreement and are defined in [20, 21].

From M3, we have

(8)

A7, (8), and nonce verification rule deduce that

(9)

In addition, A3, (9), and the freshness conjuncatenation comprehend that

(10)

(9), (10), and the nonce verification rule infer that

(11)

(11) and the believe rule comprehend that

(12)

The logic belief proves that is confident and believes that is issued by ; moreover, the freshness of the key from (10) also suggests that is alive and running the protocol with and . Further, from (9), (10), and (11), has guaranteed that has been running the protocol, apparently with . This also proves that and also agree on the nonce values corresponding to all the nonces in M3. This concludes that and also satisfy the liveness, weak agreement, and non-injective agreement. Consequently, (11), (12), and the jurisdiction rule conclude G1, i.e.,

(13)

From M4, we have

(14)

(14), A5, and the message meaning rule comprehend that

(15)

Then, (15), A4, and the freshness conjuncatenation rule infer that

(16)

(15), (16), and the nonce verification rule deduce that

(17)

Then, (17) and the believe rule infer that

(18)

The logic belief proves that is confident and believes that is issued by ; moreover, the freshness of the key from (16) also suggests that is alive and running the protocol with . Further, from (15), (16), and (17), has guaranteed that has been running the protocol, apparently with and . This also proves that and also agree on the nonce values corresponding to all the nonces in M4. This concludes that and also satisfy the liveness, weak agreement, and non-injective agreement. Consequently, (17), (18), and the jurisdiction rule conclude G2, i.e.,

(19)

From M5, we have

(20)

(13), (19), (20), and the meaning rule comprehend G3, i.e.,

(21)

From M6, we have

(22)

(13), (19), (21) and nonce verification rule deduce G4 of

(23)

The logic belief proves that is confident and also believes that is issued by . Moreover, (5), (11), and (17) prove that all communicating partners are confident that their communication partners exactly follow their roles in the protocol and exchange the intended messages in the intended order. This proven claim is known as non-injective synchronization and is defined in [20].

References

  • [1] C. Ge, Z. Sun, and N. Wang, ”A Survey of Power-Saving Techniques on Data Centers and Content Delivery Networks,” IEEE Communications Surveys and Tutorials, vol. 15, no. 3, 3rd Quarter 2013, pp. 1334-1354.
  • [2] A. Malatras, ”State-of-the-Art Survey on P2P Overlay Networks in Pervasive Computing Environments,” Journal of Network and Computer Applications, vol. 55, Sept. 2015, pp. 1-23.
  • [3] V. Jacobson, D. Smetters, J. Thornton, M. Plass, N. Briggs, and R. Braynard, ”Networking Named Content,” in Proc. ACM CoNEXT’09, Rome, Italy, Dec. 2009.
  • [4] B. Ahlgren, C. Dannewitz, C. Imbrenda, D. Kutscher, and B. Ohlman, ”A Survey of Information-Centric Networking,” IEEE Communications Magazine, vol. 50, no. 7, July 2012, pp. 26-36.
  • [5] G. Zhang, Y. Li, and T. Lin, ”Caching in Information Centric Networking: A Survey,” Computer Networks, vol. 57, no. 16, Nov. 2013, pp. 3128-3141.
  • [6] H. Jin, D. Xu, C. Zhao, and D. Liang, ”Information-Centric Mobile Caching Network Frameworks and Caching Optimization: A Survey,” EURASIP Journal on Wireless Communications and Networking, 2017: 33. doi:10.1186/s13638-017-0806-6.
  • [7] M. Bilal and S. Kang, ”A Cache Management Scheme for Efficient Content Eviction and Replication in Cache Networks,” IEEE Access, vol. 5, Feb. 2017, pp. 1692-1701.
  • [8] M. Bilal and S. Kang, ”A Secure Key Agreement Protocol for Dynamic Group,” Cluster Comput., vol. 20, no. 3, Sep. 2017, pp. 2779–2792.
  • [9] Q. Zhang, Y. Gan, and Q. Zhang, ”A Dynamic and Cross-Domain Authentication Asymmetric Group Key Agreement in Telemedicine Application,” IEEE Access, vol. 6, Jan. 2018, pp. 24064-24074.
  • [10] E. Cho, J. Shin, J. Choi, T. Kwon, and Y. Choi, ”A Tradeoff between Caching Efficiency and Data Protection for Video Services in CCN,” in Proc. NDSS SENT’14, San Diego, USA, Feb. 2014.
  • [11] T. Xiaobin, J. Liguo, Z. Zifei, and Y. Pei, ”Copyright Protection Scheme for Information-Centric Networking Base on the Linear Network Coding,” in Proc. CCC’16, Chengdu, China, July 2016.
  • [12] M. Bilal and S. Kang, ”Network-Coding Approach for Information-Centric Networking,” IEEE Systems Journal, August 2018, doi: 10.1109/JSYST.2018.2862913.
  • [13] S. Misra, R. Tourani, F. Natividad, T. Mick, N. Majd, and H. Huang, ”AccConF: An Access Control Framework for Leveraging In-Network Cached Data in the ICN-Enabled Wireless Edge,” IEEE Transactions on Dependable and Secure Computing, vol. 16, no. 1, Jan. 2019, pp. 5-17.
  • [14] S. Misra, R. Tourani, and N. Majd, ”Secure Content Delivery in Information-Centric Networks: Design Implementation and Analyses,” in Proc. ACM SIGCOMM’13 ICN Workshop, Hong Kong, China, August 2013.
  • [15] C. Wood and E. Uzun, ”Flexible End-to-End Content Security in CCN,” in Proc. IEEE CCNC’14, Las Vegas, United States, January 2014.
  • [16] Q. Zheng, G. Wang, R. Ravindran, and A. Azgin, ”Achieving Secure and Scalable Data Access Control in Information-Centric Networking,” in Proc. IEEE ICC’15, London, UK, June 2015.
  • [17] Q. Li, R. Sandhu, X. Zhang, and M. Xu, ”Mandatory Content Access Control for Privacy Protection in Information Centric Networks,” IEEE Transactions on Dependable and Secure Computing, vol. 14, no. 5, Sept. 2017, pp. 494-506.
  • [18] E. Mannes, C. Maziero, L. Lassance, and F. Borges, ”Optimized Access Control Enforcement Over Encrypted Content in Information-Centric Networks,” in Proc. ISCC’15, Larnaca, Cyprus, July 2015.
  • [19] S. Chow, J. Weng, Y. Yang, and R. Deng, ”Efficient Unidirectional Proxy Re-encryption,” in Proc. AFRICACRYPT’10, Stellenbosch, South Africa, May 2010.
  • [20] C. Cremers, S. Mauw, and E. Vink, ”Injective Synchronisation: An Extension of the Authentication Hierarchy,” Theoretical Computer Science, vol. 367, no. 1-2, Nov. 2006, pp. 139-161.
  • [21] C. Cremers and S. Mauw, ”Security Properties,” Springer Operational Semantics and Verification of Security Protocols, ISBN 978-3-540-78636-8, 2012.
  • [22] M. Bilal and S. Kang, ”Time-Assisted Authentication Protocol,” Int J Commun Syst., vol. 30, no. 15, October 2017.
  • [23] M. Bilal, S. Kang, S. Kim, and J. Park, ”Method and Apparatus for Providing Time-Assisted Authentication Protocol,” U.S. Patent US20170134369A1, May 11, 2017.
  • [24] K. Koyama, U. Maurer, T. Okamoto, and S. Vanstone, ”New Public-Key Schemes Based on Elliptic Curves over the Ring Zn,” in Proc. CRYPTO’91, Santa Barbara, United States, August 1991.
  • [25] Y. Wong, G. Attebury, and B. Ramamurthy, ”A Survey of Security Issues In Wireless Sensor Networks,” IEEE Communication Surveys and Tutorial, vol. 8, no. 2, 2nd Quarter 2006, pp. 2-23.
  • [26] R. Rivest, ”The RC5 Encryption Algorithm,” in Proc. FSE’94, Dec. 1994.
  • [27] J. Daemen and R. Vincent, ”AES Proposal: Rijndael. National Institute of Standards and Technology,” Available online: http://csrc.nist.gov/archive/aes/rijndael/Rijndaelammended.pdf.
  • [28] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, and C. Hal, ”Twofish: A 128-Bit Block Cipher,” Available online: https://www.schneier.com/academic/paperfiles/paper-twofishpaper.pdf.
  • [29] M. Burrows and R. Abadi, ”A Logic of Authentication,” ACM Trans. Comput. Syst, vol. 8, no. 1, Feb. 1990, pp. 18–36.
  • [30] M. Jakobsson and S. Stamm, ”Web Camouflage: Protecting Your Clients from Browser-Sniffing Attacks,” IEEE Security & Privacy, vol. 5, no. 6, Nov. 2017, pp. 16-24.
  • [31] E. AbdAllah, H. Hassanein, and M. Zulkernine, ”A Survey of Security Attacks in Information-Centric Networking,” IEEE Commun. Surveys Tuts., vol. 17, no. 3, 3rd Quart. 2015, pp. 1441-1454.
  • [32] R. Klump and M. Kwiatkowski, ”Distributed IP Watchlist Generation for Intrusion Detection in the Electrical Smart Grid,” Critical Infrastructure Protection IV, vol. 342, March 2010, pp. 113-126.
  • [33] K. Wang, Y. Zhao, S. Liu, and X. Tong, ”On the Urgency of Implementing Interest NACK into CCN: from the Perspective of Countering Advanced Interest Flooding Attacks,” IET Networks, vol. 7, no. 3, May 2018, pp. 136-140.
  • [34] Y. Xin, Y. Li, W. Wang, W. Li, and X. Chen, ”A Novel Interest Flooding Attacks Detection and Countermeasure Scheme in NDN,” in Proc. IEEE Globecom’16, Washington, D.C., United States, Dec. 2016.
  • [35] T. Lauinger, N. Laoutaris, P. Rodriguez, T. Strufe, E. Biersack, and E. Kirda, ”Privacy Risks in Named Data Networking: What Is the Cost of Performance,” ACM SIGCOMM Computer Communication Review, vol. 42, no. 5, October 2012, pp. 54–57.
  • [36] D. Nessett, ”A Critique of the Burrows, Abadi and Needham logic,” ACM SIGOPS Operating Systems Review, vol. 24, no. 2, April 1990, pp. 35-38.
  • [37] R. Merkle, ”Secure Communications over Insecure Channels,” Commun. ACM, vol. 21, no. 4, April 1978, pp. 294-299.
  • [38] M. Frash, M. Turkanovic, S. Kumari, and M. Holbl, ”An Efficient User Authentication and Key Agreement Scheme for Heterogeneous Wireless Sensor Network Tailored for the Internet of Things Environment,” Ad Hoc Networks, vol. 36, no. 1, January 2016, pp. 152-176.
  • [39] K. Mahmood, S. Chaudhry, H. Naqvi, S. Kumari, X. Li, and A. Sanaiah, ”An Elliptic Curve Cryptography based Lightweight Authentication Scheme for Smart Grid Communication,” Future Generation Computer Systems, vol. 81, April 2018, pp. 557-565.
  • [40] M. Bilal and S. Pack, ”Appendix: Secure Distribution of Protected Content in Information-Centric Networking,” Available online, doi:10.13140/RG.2.2.21166.36164/1.
  • [41] M. Bilal, S. Kang, and S. Pack, ”Effective Caching for the Secure Content Distribution in Information-Centric Networking,” in Proc. IEEE VTC’18 Spring RAFNET Workshop, Porto, Portugal, June 2018.