Access Control Enforcement Delegation for Information-Centric Networking Architectures
N. Fotiou, G.F. Marias, G.C. Polyzos
Problem Statement
• ICN architectures are expected to leverage CDNs, content caching and replication
• What can be done?
  • Encrypt everything
  • Give RPs access to the “users management system”
  • Deploy OAuth-like solutions
A closer look at OAuth
[Figure; labels: “Only my friends”, “Friends list of Consumer A”]
Drawbacks
• RP has access to some information about Consumer
• RP has to implement access control policy enforcement
• RP has to understand the attributes provided by the IdP
• User intervention makes implementation difficult
• Many sites using Facebook, Microsoft and Google OAuth services [1], as well as Google ID [2] and Facebook Connect [2], have already been found vulnerable to severe security attacks
[1] Sun and Beznosov, “The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems”, ACM CCS 2012
[2] Wang et al., “Signing me onto your accounts through Facebook and Google: a traffic-guided security study of commercially deployed single-sign-on web services”, IEEE Symposium on Security and Privacy (SP), 2012
An alternative approach
[Figure; label: facebook.com/nikos/12fg]
Benefits
• Consumer’s credentials are protected
• Minimum user intervention
• RP has no access to consumer’s personal information
• RP does not have to implement any access control policy
• Access control policies can be re-used
  • Even by users who do not know their content
  • “Access Control Store”
• Access control policies can be easily modified
An ICN based implementation
Information identification
Example name: facebook.com/nikos/pics/ (prefix) followed by IMG32010234 (suffix)
• May give a location hint, denote the principal/owner
• Associated with an access control policy
• Handled by a (set of) dedicated network node(s)
• Identifies uniquely the information object (globally or within the prefix)
Users can create a prefix, advertise prefix/suffix pairs, and request prefix/suffix pairs
An ICN based implementation
• The PURSUIT approach:
  • Prefix: Scope Identifier (SId)
  • Suffix: Rendezvous Identifier (RId)
  • SIds are managed by the Rendezvous node
  • Users can advertise data and subscribe to data
• Information flow:
  [Figure; labels: “Define access control policy: who can advertise, who can subscribe”, “Provide Credentials”, “A subscriber has properly authenticated himself and requests item X”]
An ICN based implementation
Action → ICN Function
• O: Create access control policy A1 → O: Create a scope S1 in which all can advertise but only those who abide by A1 can subscribe
• RP: Create secret R1 → RP: Advertise R1 under S1
• C: Authenticate → C: Subscribe to S1/R1
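The action-to-ICN-function mapping above, as an added Python sketch (not the authors' or PURSUIT's code): a toy rendezvous node enforces A1 on subscriptions, so the RP only learns that a match on its secret R1 occurred. Class and method names, the password check held at the rendezvous node, and the sample users are assumptions made for illustration.

```python
# Toy in-memory model of the S1/R1 flow; hypothetical names, not the PURSUIT API.
import hmac
import secrets

class RendezvousNode:
    """Manages scopes (SIds) and enforces each scope's subscribe policy."""
    def __init__(self, credentials):
        self.credentials = credentials  # consumer -> password (constructed)
        self.scopes = {}                # SId -> (allowed consumers, {RId: publisher})

    def create_scope(self, sid, policy):
        self.scopes[sid] = (set(policy), {})

    def advertise(self, sid, rid, publisher):
        self.scopes[sid][1][rid] = publisher  # all can advertise

    def subscribe(self, sid, rid, consumer, password):
        allowed, items = self.scopes[sid]
        known = self.credentials.get(consumer, "")
        authenticated = bool(known) and hmac.compare_digest(known, password)
        if not (authenticated and consumer in allowed and rid in items):
            return None  # no match is made, so the RP is never contacted
        return items.pop(rid).on_match(rid)  # each secret RId is single-use

class RP:
    """Stores the owner's content; learns only that a match on an RId occurred."""
    def __init__(self, content):
        self.content = content
        self.pending = {}   # secret RId -> item name
        self.observed = []  # everything the RP learns about subscribers

    def offer(self, node, sid, item):
        rid = secrets.token_hex(16)     # RP: create secret R1
        self.pending[rid] = item
        node.advertise(sid, rid, self)  # RP: advertise R1 under S1
        return rid  # handed to the consumer that asked for the item

    def on_match(self, rid):
        self.observed.append(rid)
        return self.content[self.pending.pop(rid)]

def demo():
    a1 = {"alice"}  # O: access control policy A1, "only my friends"
    node = RendezvousNode({"alice": "pw-a", "mallory": "pw-m"})
    node.create_scope("S1", a1)  # O: subscribing to S1 requires A1
    rp = RP({"IMG32010234": b"photo-bytes"})
    r1, r2 = rp.offer(node, "S1", "IMG32010234"), rp.offer(node, "S1", "IMG32010234")
    denied = node.subscribe("S1", r1, "mallory", "pw-m")  # authenticates, fails A1
    granted = node.subscribe("S1", r2, "alice", "pw-a")   # C: subscribe to S1/R1
    return denied, granted, rp.observed == [r2]
```

The RP's `observed` list holds only the matched RId: the consumer's identity and credentials stay with the rendezvous node.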
Conclusion
• We designed an access control enforcement delegation mechanism that:
  • Can be easily deployed/managed
  • Offers better privacy
  • Creates opportunities for new applications
• We implemented this mechanism using the functions of an ICN architecture
  • No new message/function/protocol field was added
Thank you fotiou@aueb.gr