Canary: a Scalable Content Integrity Verifying Protocol for ICN

The per-packet signature is NDN's basic mechanism for providing in-network security. Consumers can validate provenance and integrity using the public-key signature attached to each Data packet. However, creating and validating signatures causes significant performance bottlenecks for both consumers and producers. The embedded manifest mechanism was proposed to ease the signing overhead for producers of streaming data: a signed manifest packet composed of the digests of subsequent Data packets is inserted per bundle of Data packets, while each Data packet carries only its digest as SignatureInfo. For a large file, the embedded manifest mechanism still requires producers to sign multiple manifest packets. The basic idea of the proposed mechanism, Canary, is to enable per-segment provenance and data integrity validation with only one signing operation by the producer, even for a large file, by exploiting the properties of the Merkle tree.
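The Merkle-tree property the abstract relies on can be shown with a generic inclusion proof. This is an added example, not Canary's packet format or the authors' code. The function names, the SHA-256 hash, the leaf/inner prefixes and the odd-node rule are assumptions, and the root is assumed to reach the consumer under the producer's single signature.

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(segments):
    """Producer: hash every segment, then pair hashes upward to a single root."""
    level = [_h(b"\x00" + s) for s in segments]  # 0x00 prefix marks a leaf
    levels = [level]
    while len(level) > 1:
        nxt = [_h(b"\x01" + level[i] + level[i + 1])  # 0x01 marks an inner node
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels

def auth_path(levels, index):
    """Producer: sibling hashes a consumer needs to rebuild the root from one segment."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify_segment(segment, path, trusted_root):
    """Consumer: recompute the root from this segment alone and compare."""
    node = _h(b"\x00" + segment)
    for sibling, sibling_is_left in path:
        node = _h(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return hmac.compare_digest(node, trusted_root)

# Constructed sample input: five segments of one file.
SEGMENTS = [b"segment-%d" % i for i in range(5)]
LEVELS = build_levels(SEGMENTS)
ROOT = LEVELS[-1][0]  # the only value the producer has to sign

if __name__ == "__main__":
    for i, seg in enumerate(SEGMENTS):
        print(i, verify_segment(seg, auth_path(LEVELS, i), ROOT))
    print("tampered:", verify_segment(b"segment-X", auth_path(LEVELS, 2), ROOT))
```

Each segment is checked independently with at most a logarithmic number of sibling hashes, so the consumer does not need the other segments and the producer signs only the root.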
