Page 1: Named Data Networking of Secure Things
Alex Afanasyev, Florida International University
Page 2: Today’s IoT over TCP/IP
• Point-to-point communication model
• Cloud dependency
• With focus on devices that are associated with “things”, not “things” themselves
[Figure: IP addresses mapped to controllers and to the things they manage: 1.1.1.1 → Heater controller → Living room heater; 1.1.2.1 → Lights sensor → Lights in kids bedroom; 1.1.3.2 → Lights controller → Lights in garage]
Page 3: Complexity and Semantic Mismatch for IP/IoT
[Figure: IP/IoT protocol stack: IoT Apps and Services; CoAP, HTTP; TLS, DTLS; DNS, DNSSEC; TCP, UDP, …; DHCP, …; IP; Link Layer (Ethernet/WiFi/Bluetooth/802.15.4/…) with optional adaptation sub-layer]
• App: “Living room frontal view feed”
• Network:
  – Request stream (HTTP/CoAP)
  – Connect to camera (TCP/IP)
• Plus:
  – Lookup mapping “Living room” -> camera URI
  – Connect to AlexHome.com (cloud?) service
  – DNS lookup IP of AlexHome.com service
  – DHCP to assign IP addresses to all devices
Page 4: NDN Alignment with IoT Applications
• Name the “things” and operations on “things”
  – “temperature in the room”, “humidity on the second floor”
  – “blood pressure”, “body temperature”
  – “max/min/avg pH of soil in specific point of US soil grid”
• Secure data directly
• Request-response semantics with name-based forwarding and in-network cache
  – Make use of ad hoc and broadcast-style communications
  – Make use of any intermittent connectivity
  – Independence of communication technology
Page 5: Application-Defined, Semantically Meaningful Names for All Data Packets
[Figure: NDN hourglass: applications (live video, file transfer, data collection, …) over stream/file chunking over NDN over Ethernet, WiFi, … over CSMA, Sonet, … over copper, fiber, radio, …. Example names:
  Raw frames of video feed: /UCLA/Campus/RoyceHall/ARFeed/FrontView/mp4/_frame=12/_chunk=20
  Commands to a projector: /_thisRoom/Projector/SHOW/…
  Cryptographic keys: /UCLA/Faculty/HSEAS/CS/Alex/BoelterHall/KEY/_id=42
  Video frame analysis: /FUN:/SLAM/(/…/ARFeed/…)/…
  Parking lot information: /UCLA/Parking/LOT8/Info/…]
Page 6: Bootstrapping, discovery, and auto-config
• No IP address allocations/management needed
[Figure: three stages. Built-in identity: nature of IoT device; config interface. Enabling Trust: out-of-band PIN; a pre-scanned barcode. Operate: /local/discovery/lighting/serial=123456; ../lights/ON, ../lights/OFF; /MyHome/Bedroom/lights/...]
Page 7: Data-Centric Security of NDN
[Figure: two pillars, Data-Centric Secrecy and Data-Centric Authenticity, over the properties Authenticity, Confidentiality, Availability; a Data packet is shown signed by a Key]
Page 8: Data-Centric Security of NDN: Built-In For Every Data Packet
• In the Internet you secure your path..
• ..but the server may still be hacked!
• In NDN you sign the data with a digital signature..
• ..so the users know when they get bad data!
• Data secured in motion and at rest
[Figure: a signed data packet named /UCLA/Campus/RoyceHall/ARFeed/FrontView/mp4/_frame=12/_chunk=20]
Page 9: Authentication of NDN Data
[Figure: the data packet /UCLA/Campus/RoyceHall/ARFeed/FrontView/mp4/_frame=12/_chunk=20 carries KeyLocator /UCLA/…/KEY and is signed by that key; the key packet /UCLA…/KEY in turn carries its own KeyLocator /UCLA/…/KEY and is signed by the next key in the chain]
Page 10: Key Privilege Separation
[Figure: two packets with the same name /UCLA/Campus/RoyceHall/ARFeed/FrontView/mp4/_frame=12/_chunk=20: a frame from a camera installed in the Royce Hall, signed by /UCLA/Camera/…/Campus/RoyceHall/Camera/KEY, and a forged frame signed by /Somebody.com/KEY]
Page 11: Name-Based Confinement of Key’s Power
[Figure: data /UCLA/Campus/RoyceHall/ARFeed/…/mp4/_f=…/_s=… can only be signed by /UCLA/Cameras/_id=…/RoyceHall/…/KEY/_id=…]
ARFeed data, to be valid, must be signed with a “Camera” key under the same name hierarchy.
Page 12: Flexible Confinement through Namespace Design
[Figure: namespace tree under /UCLA: Campus → {RoyceHall, WoodenCenter} → {ARFeed, SLAM, Info} → {Camera, SoundRecorder, Thermometer} → {2017-05-28, 2017-06-01, 2017-06-02}; the local trust anchor /UCLA/Faculty/HSEAS/CS/Alex/KEY/_id=42 signs /UCLA/…/KEY/_id=12]
Page 13: Trust Schema: Name-Based Definition of Trust Model
• A formal language to formally describe trust model
  – Schematize data and key name relationships
[Figure: chain of rules from Data Rule (and Interest Rule) through Key3 Rule, Key2 Rule and Key1 Rule to the Local trust anchor(s). Pattern elements of the schema language: <> (wildcard component), token* (zero or more repetitions), token? (optional), [func] (function-matched component), (:group:token) (named group), <CONST> (constant component)]
Page 14: An Example of Trust Schema for Smart Campus
General trust model (name pattern → rule the signing key must satisfy):
  ARFeed data: (:Prefix:<>*)(:Location:<>?)<ARFeed>[View]<mp4><frame><chunk> → Camera(Prefix, Location, View)
  Camera key: (:Prefix:<>*)<Cameras>[cam-id](:Location:<>?)<View>[View]<KEY>[key-id] → Faculty(Prefix, Location)
  Faculty key: (:Prefix:<>*)<Faculty>[user](:Location:<>?)<KEY>[key-id] → LocalAnchor(Prefix)
Trust model specialization for UCLA campus: local anchor /UCLA/KEY/_id=1
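A toy checker for the schema above, as an added example (not from the deck or from any NDN library): it compiles the three rules to regexes, binds the groups each rule shares with its signer rule, and walks the chain from a frame's KeyLocator up to the anchor. The accepted key names are constructed for this example (camera key /UCLA/Campus/Cameras/_id=7/RoyceHall/View/FrontView/KEY/_id=3, faculty key /UCLA/Campus/Faculty/Alex/RoyceHall/KEY/_id=42, anchor /UCLA/Campus/KEY/_id=1), and frame and chunk are matched as variable components.

```python
import re

# Added example (not code from the deck or any NDN library): toy checker for the
# smart-campus schema; a rule = (name pattern, signer rule, groups data and key share).
SCHEMA = {
    "ARFeed": ("(:Prefix:<>*)(:Location:<>?)<ARFeed>[View]<mp4>[frame][chunk]",
               "Camera", ("Prefix", "Location", "View")),
    "Camera": ("(:Prefix:<>*)<Cameras>[cam-id](:Location:<>?)<View>[View]<KEY>[key-id]",
               "Faculty", ("Prefix", "Location")),
    "Faculty": ("(:Prefix:<>*)<Faculty>[user](:Location:<>?)<KEY>[key-id]",
                "LocalAnchor", ("Prefix",)),
    "LocalAnchor": ("(:Prefix:<>*)<KEY>[key-id]", None, ()),
}
TRUST_ANCHORS = {"/UCLA/Campus/KEY/_id=1"}   # constructed anchor name for this example
TOKEN = re.compile(r"\(:(\w+):<>([*?])\)|<([^>]+)>|\[([\w-]+)\]")

def compile_pattern(pattern):
    """Translate schema pattern syntax into a regex over a whole "/"-separated name."""
    out = []
    for group, quant, const, var in TOKEN.findall(pattern):
        if group:    # (:G:<>*) = zero or more components, (:G:<>?) = at most one
            out.append(f"(?P<{group}>(?:/[^/]+){'*?' if quant == '*' else '?'})")
        elif const:  # <CONST>: exactly this component
            out.append("/" + re.escape(const))
        else:        # [name]: any single component, captured under that name
            out.append(f"(?P<{var.replace('-', '_')}>/[^/]+)")
    return re.compile("".join(out))

COMPILED = {rule: compile_pattern(spec[0]) for rule, spec in SCHEMA.items()}

def bindings(rule, name):
    m = COMPILED[rule].fullmatch(name)
    return m.groupdict() if m else None

def validate(rule, name, key_chain):
    """key_chain: the data's KeyLocator, then the key that signed that key, ... up to
    the anchor. First regex match wins for ambiguous splits (a full validator backtracks)."""
    bound = bindings(rule, name)
    if bound is None:
        return False, f"{name} does not match rule {rule}"
    _, signer_rule, shared = SCHEMA[rule]
    if signer_rule is None:
        return name in TRUST_ANCHORS, f"{name} checked against trust anchors"
    key_bound = bindings(signer_rule, key_chain[0]) if key_chain else None
    if key_bound is None:
        return False, f"no key matching rule {signer_rule} presented for {name}"
    for g in shared:   # name-based confinement: shared groups must bind identically
        if bound[g] != key_bound[g]:
            return False, f"{g}: {bound[g]!r} in {name} vs {key_bound[g]!r} in key"
    return validate(signer_rule, key_chain[0], key_chain[1:])
```

Calling validate("ARFeed", frame_name, [camera_key, faculty_key, anchor]) returns (True, reason) for the constructed chain, while a chain starting at /Somebody.com/KEY or at a camera key for WoodenCenter is rejected with the offending group named.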
Page 15: Trust Schema as an Automation Tool
[Figure: an Authenticator consumes signed data and public keys (issuing requests for public keys as needed) and checks them against the Trust anchor; a Signer takes unsigned data, performs private key operations in a TPM, and emits signed data; both are driven by the NDN Key Management Protocol; example entities: Trust anchor, Camera Video Feed, User]
Page 16: Data-Centric Secrecy
• Name-Based Confidentiality and Access Control
Page 17: Confidentiality and Access Control Requirements
• Data-centricity
  – Confidential “end-to-end” (app-to-app), in motion or at rest
• Flexible controls
  – Granting access to publish/read at fine granularities
  – Changeable policies at any time
• Asynchrony
  – No tight coupling between distributed data production and access granting
• Scalability
  – Manageable number of encryption/decryption keys
• Multi-party
  – Seamless coordination of control among distributed data producers and consumers
Page 18: Name-Based Access Control (NAC)
[Figure: NAC key hierarchy. The Data Owner (/FIU/Parking) sets publish and access policies and holds the namespace publishing (public, encryption) keys and namespace access (private, decryption) keys. Producers (/FIU/Parking/PG-4/Level1/Sensor, /FIU/Parking/PG-4/Level2/Sensor, /FIU/Parking/PG-6/Level1/Sensor) encrypt data with rotating symmetric content keys such as /FIU/Parking/PG-4/Level1/Sensor/CKEY/1 and /FIU/Parking/PG-6/Level2/Sensor/CKEY/42. Consumers (/FIU/Faculty/CIS/Alex/KEY/1, /FIU/Faculty/CIS/Endadul/KEY/1) hold their own public and private keys. Untrusted in-network and managed storage holds only secured content keys and secured access keys, named e.g. /FIU/Parking/PG-4/Level1/Sensor/CKEY/1/ENCRYPTED-BY/FIU/Parking and /FIU/Parking/DKEY/1/ENCRYPTED-BY/FIU/Faculty/CIS/Alex]
Page 19: NAC with Attribute-Based Encryption
IoT over ICN Tutorial @ ACM ICN 2017
[Figure: a Data Owner with an Activity sensor and a Pulse sensor publishes to Untrusted Storage under the policy “(UCLA or FIU) and student”; an Attribute Authority (attributes UCLA, FIU, student, professor, officer) verifies credentials out-of-band and provides decryption keys for the attested attributes; consumers holding { UCLA, professor }, { UCLA, student } and { FIU, student } then satisfy or fail the policy (the underlying math is elided on the slide)]
Page 20: Control Granularity
• Naming conventions to leverage hierarchical scopes for read and write access
• Based on data type
  – PG-4 vs PG-6
  – Level1 vs Level2
• Based on data attributes
  – Time
  – Location
[Figure: namespace tree /FIU → /Parking → {/PG-4 → {/Level1, /Level2} → {/Info, /CMD}, /PG-6} → {/2017-06-18, /2017-06-19, …}; access scopes: all data under /FIU/Parking, only /FIU/Parking/PG-4, only /FIU/Parking/PG-6]
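An added example (not the deck's code and not the NDN NAC library) covering the key hierarchy on the NAC slide and the hierarchical scopes on this slide: the data owner /FIU/Parking grants /FIU/Faculty/CIS/Alex access to everything under /FIU/Parking and /FIU/Faculty/CIS/Endadul only to /FIU/Parking/PG-4, producers wrap each content key for every scope covering their name, and a consumer resolves data to CKEY to DKEY purely by name. It assumes a labelled toy XOR keystream in place of RSA and AES, so the publishing (public) and access (private) key pair collapses into one secret per scope.

```python
import hashlib, os

# Added example (not the deck's or the NDN NAC library's code). Models the NAC
# naming with a toy cipher standing in for RSA/AES, so each scope's publishing
# (public) and access (private) keys collapse into a single secret.
def toy_cipher(key, data):
    """NOT real cryptography: XOR with a SHA-256 keystream; the same call decrypts."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

SCOPES = ["/FIU/Parking", "/FIU/Parking/PG-4"]   # access scopes (public names)
DKEYS = {s: os.urandom(32) for s in SCOPES}        # held by the data owner /FIU/Parking
STORE = {}                                         # untrusted storage: name -> ciphertext

def grant(scope, consumer, consumer_key):
    """Data owner: publish the scope's access key wrapped for one consumer identity
    (consumer_key stands in for the consumer's public key)."""
    STORE[f"{scope}/DKEY/1/ENCRYPTED-BY{consumer}"] = toy_cipher(consumer_key, DKEYS[scope])

def publish(producer, seq, payload, ckey_id):
    """Producer: encrypt payload under a content key (CKEY), then wrap the CKEY
    for every access scope whose name prefix covers the producer's name."""
    ckey, ckey_name = os.urandom(32), f"{producer}/CKEY/{ckey_id}"
    for scope in SCOPES:
        if producer.startswith(scope + "/"):
            STORE[f"{ckey_name}/ENCRYPTED-BY{scope}"] = toy_cipher(DKEYS[scope], ckey)
    STORE[f"{producer}/{seq}"] = (ckey_name, toy_cipher(ckey, payload))

def consume(data_name, consumer, consumer_key):
    """Consumer: data -> CKEY name -> a DKEY wrapped for me -> plaintext, else None."""
    ckey_name, ciphertext = STORE[data_name]
    for scope in SCOPES:
        wrapped_ckey = STORE.get(f"{ckey_name}/ENCRYPTED-BY{scope}")
        wrapped_dkey = STORE.get(f"{scope}/DKEY/1/ENCRYPTED-BY{consumer}")
        if wrapped_ckey and wrapped_dkey:
            dkey = toy_cipher(consumer_key, wrapped_dkey)
            return toy_cipher(toy_cipher(dkey, wrapped_ckey), ciphertext)
    return None   # no access key for any scope covering this data

# Constructed setup: Alex may read all of /FIU/Parking, Endadul only PG-4.
ALEX, ENDADUL = os.urandom(32), os.urandom(32)
grant("/FIU/Parking", "/FIU/Faculty/CIS/Alex", ALEX)
grant("/FIU/Parking/PG-4", "/FIU/Faculty/CIS/Endadul", ENDADUL)
publish("/FIU/Parking/PG-4/Level1/Sensor", "2017-06-18", b"level1: 37 spots free", 1)
publish("/FIU/Parking/PG-6/Level2/Sensor", "2017-06-18", b"level2: 5 spots free", 42)
```

With this setup Alex decrypts both sensors' data, Endadul decrypts only the PG-4 packet, and the storage never holds a plaintext payload or key.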
Page 21: Takeaway Points
• NDN: an enabler for boosting secure, reliable, yet simple edge networking
• Key idea: letting network and applications share the same namespace
  – Enabling ad hoc, DTN communication via established namespace
  – Integrating networking, storage, processing via named data
  – Directly securing data
  – Leveraging names of data and keys
• To define trust schema for distributed authentication and authorization
• To define groups and access permissions in distributed (decentralized) way