Access Control Enforcement Delegation for Information-Centric Networking Architectures
description
Transcript of Access Control Enforcement Delegation for Information-Centric Networking Architectures
Access Control Enforcement Delegation for Information-Centric Networking Architectures
N. Fotiou, G.F. Marias, G.C Polyzos
2
Problem Statement ICN architectures are expected to leverage
CDNs, content caching and replication What can be done?
Encrypt everything Give RPs access to “users management system” Deploy OAuth like solutions
3
A closer look at OAuth“Only my friends”
“Friends list of Consumer A”
4
Drawbacks RP has access to some information about Consumer RP has to implement access control policy enforcement RP has to understand the attributes provided by the
IdP User intervention makes implementation difficult
Many sites using Facebook, Microsoft and Google OAuth services1, as well as, Google ID 2, Facebook Connect 2, have already been found vulnerable to severe security attacks
1 Sun and Beznosov The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems, ACM CCS 2012
2 Wang et al. Signing me onto your accounts through Facebook and Google: a traffic-guided security study of commercially deployed single-sign-on web services. IEEE Symposium on Security and Privacy (SP), 2012
5
An alternative approach
facebook.com/nikos/12fg
6
Benefits Consumer’s credentials are protected Minimum user intervention RP has no access to consumer’s personal
information RP does not have to implement any access
control policy Access control policies can be re-used
Even by users who do not know their content “Access Control Store”
Access control policies can be easily modified
7
An ICN based implementationfacebook.com/nikos/pics/ IMG32010234
May give a location hint, denote the principal/owner
Associated with an access control policy
Handled by a (set of ) dedicated network node(s)
Identifies uniquely the information object (globally or within the prefix)
Information identification
Prefix Suffix
Users can create prefix, advertise prefix/suffix pairs, request prefix/suffix pairs
8
An ICN based implementation The PURSUIT approach:
Prefix: Scope Identifier (SId) Suffix: Rendezvous Identifier (RId) SIds are managed by the Rendezvous node
Users can advertise data and subscribe to data Information flow:
Define access control policy: who can advertise, who can subscribe Provide Credentials
A subscriber has properly authenticated himself and requests item X
9
An ICN based implementationAction ICN Function O: Create access
control policy A1 RP: Create secret R1 C: Authenticate
O: Create a scope S1 in which all can advertise but only those who abide by A1 can subscribe
RP: Advertise R1 under S1
C: Subscribe to S1/R1
10
Conclusion We designed an access control enforcement
delegation mechanism that: Can be easily deployed/managed Offers better privacy Create opportunities for new applications
We implemented this mechanism using the functions of an ICN architecture No new message/function/protocol field was added
Thank you