
Access Control Enforcement Delegation for Information-Centric Networking Architectures




Presentation Transcript


  1. Access Control Enforcement Delegation for Information-Centric Networking Architectures N. Fotiou, G.F. Marias, G.C. Polyzos

  2. Problem Statement
  • ICN architectures are expected to leverage CDNs, content caching and replication
  • What can be done?
    • Encrypt everything
    • Give RPs access to the “users management system”
    • Deploy OAuth-like solutions

  3. A closer look at OAuth (diagram; labels: “Only my friends”, “Friends list of Consumer A”)

  4. Drawbacks
  • RP has access to some information about the Consumer
  • RP has to implement access control policy enforcement
  • RP has to understand the attributes provided by the IdP
  • User intervention makes implementation difficult
  • Many sites using Facebook, Microsoft and Google OAuth services [1], as well as Google ID [2] and Facebook Connect [2], have already been found vulnerable to severe security attacks

  [1] Sun and Beznosov. The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems. ACM CCS 2012.
  [2] Wang et al. Signing me onto your accounts through Facebook and Google: a traffic-guided security study of commercially deployed single-sign-on web services. IEEE Symposium on Security and Privacy (SP), 2012.

  5. An alternative approach (diagram; example identifier: facebook.com/nikos/12fg)

  6. Benefits
  • Consumer’s credentials are protected
  • Minimum user intervention
  • RP has no access to the consumer’s personal information
  • RP does not have to implement any access control policy
  • Access control policies can be re-used
    • Even by users who do not know their content (“Access Control Store”)
  • Access control policies can be easily modified

  7. An ICN based implementation: information identification
  Example identifier facebook.com/nikos/pics/IMG32010234, split into a Prefix (facebook.com/nikos/pics/) and a Suffix (IMG32010234)
  • Prefix:
    • May give a location hint, denote the principal/owner
    • Associated with an access control policy
    • Handled by a (set of) dedicated network node(s)
  • Suffix:
    • Identifies uniquely the information object (globally or within the prefix)
  • Users can create a prefix, advertise prefix/suffix pairs, request prefix/suffix pairs

  8. An ICN based implementation
  • The PURSUIT approach:
    • Prefix: Scope Identifier (SId)
    • Suffix: Rendezvous Identifier (RId)
    • SIds are managed by the Rendezvous node
    • Users can advertise data and subscribe to data
  • Information flow (diagram labels):
    • Define access control policy: who can advertise, who can subscribe
    • Provide credentials
    • A subscriber has properly authenticated himself and requests item X

  9. An ICN based implementation

  Action                                 ICN Function
  O:  Create access control policy A1    O:  Create a scope S1 in which all can advertise but only those who abide by A1 can subscribe
  RP: Create secret R1                   RP: Advertise R1 under S1
  C:  Authenticate                       C:  Subscribe to S1/R1

  (O: owner, RP: relying party, C: consumer)
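The following is an added toy simulation of the slide-9 flow (and of the policy re-use and modification benefits from slide 6); it is not code from the presentation or from the PURSUIT project. It models the rendezvous node as the single enforcement point: the owner defines policy A1 and creates scope S1, the RP advertises secret R1 under S1 without ever seeing consumer data, and the consumer's subscribe to S1/R1 succeeds only if A1 permits it. The class names, the principals "nikos", "alice" and "mallory", the password-based authentication and the session tokens are all assumptions made for the example.

```python
# Added example (not from the slides): a toy PURSUIT-style rendezvous node that
# enforces the owner's access control policy on subscribe, so the RP delegates
# enforcement entirely. All names and the credential store are constructed.
from dataclasses import dataclass, field
import secrets


@dataclass
class Policy:
    """Access control policy (A1): the set of consumers allowed to subscribe."""
    name: str
    allowed: set = field(default_factory=set)

    def permits(self, consumer: str) -> bool:
        return consumer in self.allowed


@dataclass
class Scope:
    """Scope (S1): anyone may advertise; only policy-compliant consumers may subscribe."""
    owner: str
    subscribe_policy: Policy
    items: dict = field(default_factory=dict)   # RId -> advertised data


class RendezvousNode:
    """Manages SIds and performs the delegated enforcement at subscribe time."""

    def __init__(self, credentials: dict):
        self._credentials = credentials      # consumer -> password (constructed)
        self._sessions = {}                  # session token -> authenticated consumer
        self.scopes = {}                     # SId -> Scope
        self.policies = {}                   # (owner, policy name) -> Policy

    def define_policy(self, owner: str, policy: Policy) -> None:
        """O: create access control policy A1."""
        self.policies[(owner, policy.name)] = policy

    def create_scope(self, owner: str, sid: str, policy_name: str) -> None:
        """O: create scope S1 in which all can advertise but only A1 holders subscribe."""
        self.scopes[sid] = Scope(owner, self.policies[(owner, policy_name)])

    def authenticate(self, consumer: str, password: str):
        """C: authenticate to the owner's user-management function (here the RV node)."""
        if self._credentials.get(consumer) != password:
            return None
        token = secrets.token_hex(8)
        self._sessions[token] = consumer
        return token

    def advertise(self, sid: str, rid: str, data: str) -> None:
        """RP: advertise R1 under S1. No policy check: all can advertise."""
        self.scopes[sid].items[rid] = data

    def subscribe(self, token: str, sid: str, rid: str):
        """C: subscribe to S1/R1. This is the enforcement point; None means denied."""
        consumer = self._sessions.get(token)
        scope = self.scopes.get(sid)
        if consumer is None or scope is None or rid not in scope.items:
            return None
        if not scope.subscribe_policy.permits(consumer):
            return None
        return scope.items[rid]


class RelyingParty:
    """The RP only creates and advertises secrets; its interface takes no consumer data."""

    def __init__(self, rv: RendezvousNode):
        self.rv = rv

    def publish(self, sid: str, rid: str) -> str:
        secret = secrets.token_hex(16)       # R1
        self.rv.advertise(sid, rid, secret)
        return secret


def run_flow() -> dict:
    """Run the slide-9 sequence and report which checks held."""
    rv = RendezvousNode(credentials={"alice": "pw-alice", "mallory": "pw-mallory"})
    # O: owner "nikos" defines A1 ("only my friends") and scope S1 governed by it
    friends = Policy("only-my-friends", {"alice"})
    rv.define_policy("nikos", friends)
    rv.create_scope("nikos", "S1", "only-my-friends")
    # RP: creates secret R1 and advertises it under S1
    r1 = RelyingParty(rv).publish("S1", "R1")
    # C: authenticate, then subscribe to S1/R1
    alice_tok = rv.authenticate("alice", "pw-alice")
    mallory_tok = rv.authenticate("mallory", "pw-mallory")
    result = {
        "friend_gets_secret": rv.subscribe(alice_tok, "S1", "R1") == r1,
        "stranger_denied": rv.subscribe(mallory_tok, "S1", "R1") is None,
        "bad_token_denied": rv.subscribe("forged-token", "S1", "R1") is None,
    }
    # Policy re-use (slide 6): a second scope for a second RP reuses A1 unchanged
    rv.create_scope("nikos", "S2", "only-my-friends")
    r2 = RelyingParty(rv).publish("S2", "R2")
    result["policy_reused_for_second_scope"] = rv.subscribe(alice_tok, "S2", "R2") == r2
    # Policy modification (slide 6): owner edits A1; both RPs untouched, access revoked
    friends.allowed.discard("alice")
    result["revoked_after_policy_change"] = (
        rv.subscribe(alice_tok, "S1", "R1") is None
        and rv.subscribe(alice_tok, "S2", "R2") is None
    )
    return result


if __name__ == "__main__":
    for check, held in run_flow().items():
        print(f"{check}: {held}")
```

Note what the RP never touches: `RelyingParty.publish` takes only the SId and RId, so there is no code path by which consumer identities or IdP attributes reach the RP, which is the privacy property slide 6 claims; the owner's single edit to `friends.allowed` changes the outcome for every scope that reuses the policy without any change on the RP side.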

  10. Conclusion
  • We designed an access control enforcement delegation mechanism that:
    • Can be easily deployed/managed
    • Offers better privacy
    • Creates opportunities for new applications
  • We implemented this mechanism using the functions of an ICN architecture
  • No new message/function/protocol field was added

  11. Thank you fotiou@aueb.gr
