Mobile sessions in content-centric networks

Content-centric networking (CCN) is a network architecture for transferring named data from producers to consumers upon request. This shifts security from the connection or channel to the content itself. There remain, however, many critical uses for the traditional client-server communication model with secure sessions. For instance, in many CCN applications, producers need a way to transfer key material or other secrets to consumers. Caching such content does not serve multiple consumers, and encrypting it under long-term, static keys affords them no forward secrecy. Consequently, there is a real and present need for a CCN-friendly protocol whose security properties meet or exceed those of the transport security protocols used in IP networks. In this paper, we present the design and implementation of the CCNx Key Exchange Protocol (CCNxKE), the first protocol design for bootstrapping encrypted service-centric sessions in CCN. We compare our design to existing IP-based transport security protocols to highlight important differences, discuss several important use cases for CCNxKE and secure sessions in CCN, and present a preliminary performance assessment. Our experiments indicate that, with our prototype implementation, session encryption adds on average 30% to data-transfer latency compared to unencrypted traffic.
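The forward-secrecy point above (key material encrypted under a long-term, static key stays readable to anyone who later obtains that key, whereas a key derived from a per-session ephemeral Diffie-Hellman exchange does not) can be made concrete. What follows is an added illustration written for this page, not code from the CCNxKE paper or its prototype, and it does not reproduce CCNxKE's actual message flow. It uses a pure-Python X25519 (RFC 7748), HKDF-SHA256 (RFC 5869) and an HMAC-based stand-in cipher so that it runs on the standard library alone; the function names, the "static"/"session" labels and the sample payload are assumptions made for the demonstration, and the ephemeral exchange is deliberately unauthenticated (a real protocol signs or MACs the transcript with the long-term key).

```python
"""Forward secrecy: static-key delivery vs. an ephemeral-DH session (added demo)."""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (not constant time: demo only)."""
    k = (int.from_bytes(scalar, "little") & ~7 & ((1 << 255) - 1)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keygen():
    sk = os.urandom(32)                      # 32 random bytes; x25519 clamps them
    return sk, x25519(sk, BASEPOINT)

def hkdf(ikm, info, length=32, salt=b"\0" * 32):
    """HKDF-Extract then HKDF-Expand with SHA-256 (RFC 5869)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def _keystream(enc_key, nonce, n):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC with an HMAC keystream: a stand-in for a real AEAD."""
    enc_key, mac_key, nonce = hkdf(key, b"enc"), hkdf(key, b"mac"), os.urandom(12)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Plaintext if the tag verifies under this key, otherwise None."""
    enc_key, mac_key = hkdf(key, b"enc"), hkdf(key, b"mac")
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def static_delivery(producer_sk, consumer_pk, secret):
    """No forward secrecy: one static-static DH key protects every delivery, forever."""
    return seal(hkdf(x25519(producer_sk, consumer_pk), b"static"), secret)

def session_delivery(secret):
    """Fresh ephemeral-ephemeral DH per session; only the ephemeral publics go on the wire."""
    c_esk, c_epk = keygen()   # consumer's ephemeral pair (would ride in the Interest)
    p_esk, p_epk = keygen()   # producer's ephemeral pair (would ride in the Content)
    k_p, k_c = hkdf(x25519(p_esk, c_epk), b"session"), hkdf(x25519(c_esk, p_epk), b"session")
    assert k_p == k_c         # both ends derive the same session key
    blob = seal(k_p, secret)
    del c_esk, p_esk          # ephemeral secrets are erased when the session ends
    return blob, c_epk, p_epk

def later_compromise(producer_sk, consumer_sk, consumer_pk, blob, ephemerals=()):
    """Attacker who recorded the traffic and later stole BOTH long-term private keys."""
    shared = [x25519(producer_sk, consumer_pk)]                    # static-static
    for epk in ephemerals:                                         # static x ephemeral
        shared += [x25519(producer_sk, epk), x25519(consumer_sk, epk)]
    tries = (open_(hkdf(ss, label), blob) for ss in shared for label in (b"static", b"session"))
    return next((pt for pt in tries if pt is not None), None)

def demo():
    """Returns which recorded deliveries a later long-term-key compromise can read."""
    p_sk, p_pk = keygen()
    c_sk, c_pk = keygen()
    secret = b"content-decryption-key:0123456789abcdef"            # constructed sample payload
    static_blob = static_delivery(p_sk, c_pk, secret)
    session_blob, c_epk, p_epk = session_delivery(secret)
    return {
        "consumer_can_read": open_(hkdf(x25519(c_sk, p_pk), b"static"), static_blob) == secret,
        "static_recovered": later_compromise(p_sk, c_sk, c_pk, static_blob) == secret,
        "session_recovered": later_compromise(p_sk, c_sk, c_pk, session_blob, (c_epk, p_epk)) == secret,
    }
```

Running `demo()` yields `static_recovered` true and `session_recovered` false: the attacker holds both long-term private keys and every public value that crossed the wire, yet without the erased ephemeral secrets none of the shared secrets it can form yields a key whose tag verifies. Note also why caching cannot stand in for the session: the sealed blob is bound to one consumer's keys, so a cached copy is useless to any other consumer.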
