A clean-slate security vision for future networks: Simultaneously ensuring information security and establishing smart in-network services using the example of blind packet forwarding

To solve many of the challenges identified in Future Network debates, several approaches suggest that a network should be service-oriented, flexibly and dynamically orchestrated from atomic smart in-network services. In these approaches, in-network services require access to various control data, signalled in different ways, to utilise the complete functionality of the orchestrated network. The diversity and amount of required control data rise progressively, so the communication endpoints have to allow more and more access to information about themselves. To ensure information confidentiality and integrity for two communicating endpoints, the de facto method applied so far is end-to-end encryption of the information transferred between them. However, in-network services then no longer have access to the encrypted control data and cannot accomplish their tasks anymore. Thus, we can either ensure information security or establish smart in-network services. Our paper focuses on this dilemma and introduces an approach in which we redesign the smart in-network services into blind but still smart ones that can correctly process masked control data by using a new kind of cryptographic algorithm. The feasibility of our approach is demonstrated by redesigning the packet forwarding service into a blind one. Additionally, we present our prototype implementation of blind packet forwarding and evaluate it.