CDNI URI Signing (draft-leung-cdni-uri-signing-01) CDNI Working Group IETF 85 Atlanta, Georgia November 8, 2012 Kent Leung

Slides:



Advertisements
Similar presentations
Enabling Secure Internet Access with ISA Server
Advertisements

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Cryptography and Network Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
B. Davie, L. Peterson et al. draft-davie-cdni-framework-00.txt.
CDNI Footprint Advertisement draft-previdi-cdni-footprint-advertisement-00 Stefano Previdi Francois Le Faucheur Allan Guillou Jan Medved IETF-82 Taipei,
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Chapter 8 Web Security.
SNMP Simple Network Management Protocol
CDN Interconnect (CDNI) Problem Space: Drivers and Enablers Nabil Bitar (Verizon) Francois Le Faucheur (Cisco) Benjamin Niven-Jenkins (Velocix/ALU) IETF80-Prague.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Secure Systems Research Group - FAU Patterns for Digital Signature using hashing Presented by Keiko Hashizume.
SMUCSE 5349/49 Security. SMUCSE 5349/7349 Threats Threats to the security of itself –Loss of confidentiality s are sent in clear over.
Cryptography 101 Frank Hecker
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.
Remotely authenticating against the Service Framework.
Secure Electronic Transaction (SET)
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Cryptography, Authentication and Digital Signatures
Chapter 8 Cookies And Security JavaScript, Third Edition.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Cryptography and Network Security (CS435) Part Twelve (Electronic Mail Security)
CDN Interconnection Problem Statement draft-jenkins-cdni-problem-statement-02 Ben Niven-Jenkins Francois Le Faucheur Nabil Bitar.
New Cryptographic Techniques for Active Networks Sandra Murphy Trusted Information Systems March 16, 1999.
CDNI Requirements (draft-lefaucheur-cdni-requirements-02) CDNI Working Group IETF 81 Quebec City, Canada July 28, 2011 Kent Leung Yiu.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 CMPT 471 Networking II Authentication and Encryption © Janice Regan,
CDNI Metadata Interface (draft-ma-cdni-metadata-01) Kevin J. Ma
S/MIME (Secure/Multipurpose Internet Mail Extensions) security enhancement to MIME – original Internet RFC822 was text only – MIME provided.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
CDNI Requirements draft-lefaucheur-cdni-requirements-01 Mohamed Boucadair Christian Jacquenet
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
2/19/2016clicktechsolution.com Security. 2/19/2016clicktechsolution.com Threats Threats to the security of itself –Loss of confidentiality.
26/07/2011 IETF 81 CDNI WG - draft-xiaoyan-cdni-requestrouting-01 1 CDNI WG draft-xiaoyan-cdni-requestrouting-01 IETF81 - Quebec Xiaoyan He
BGP L3VPN origin validation (draft-ymbk-l3vpn-origination-02) November 2012.
CDN Interconnect Metadata draft-ietf-cdni-metadata-00 Ben Niven-Jenkins David Ferguson Grant Watson.
Unit-6 Handling Sessions and Cookies. Concept of Session Session values are store in server side not in user’s machine. A session is available as long.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
CDNI Video Publisher Use cases (draft-ma-cdni-publisher-use-cases-00) Kevin J. Ma
Chapter 7 : Web Security Lecture #1-Week 12 Dr.Khalid Dr. Mohannad Information Security CIT 460 Information Security Dr.Khalid Dr. Mohannad 1.
Draft-fieau-https-delivery-delegation-02 A CDNi Use case Lurk BoF Frédéric Fieau Orange Emile Stephan, Benoît Gaussen IETF 95 – Buenos Aires.
Cryptography CSS 329 Lecture 13:SSL.
Multicast in Information-Centric Networking March 2012.
CRYPTOGRAPHY Cryptography is art or science of transforming intelligible message to unintelligible and again transforming that message back to the original.
VNF Package Integrity and Authenticity – Public key based
Francois Le Faucheur– CDNI Work Scope Recap Francois Le Faucheur–
Cryptography and Network Security
draft-ietf-simple-message-sessions-00 Ben Campbell
Information Security message M one-way hash fingerprint f = H(M)
S/MIME T ANANDHAN.
Internet Networking recitation #12
Information Security message M one-way hash fingerprint f = H(M)
OAuth Design Team Call 11th February 2013.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
PKI (Public Key Infrastructure)
Presentation transcript:

CDNI URI Signing (draft-leung-cdni-uri-signing-01) CDNI Working Group IETF 85 Atlanta, Georgia November 8, 2012 Kent Leung Francois Le Faucheur Matt

Background URI Signing provides content access authorization: URI is embedded with information that can be validated to ensure the request has legitimate access to the content; symmetric or asymmetric keys used A signed URI is provided by the CSP (i.e. URI signer) to the user out of band (e.g. web site navigation) When the user selects the URI, the HTTP request is sent to the CDN. CDN validates the signed URI before delivering the content. BUT … there are no standards today

Multi-CDN Environment URI Signing in CDNI: When the user selects the URI (i.e. signed URI from CSP), the HTTP request is sent to the Upstream CDN which assigns the Downstream CDN HTTP request is sent to the Downstream CDN, which validates the signed URI before delivering the content

Goal Standardize the URI Signing method with defined attributes and extensible algorithm Enhance CDNI Interfaces HTTP-based request routing – Hop by hop, URI re-signed DNS-based request routing – Signed URI (to uCDN) is received by dCDN Note: DNS-based request routing using symmetric key is problematic when Delivering CDN does not have trust relationship with the CSP.

Attribute Conveyance URI Syntax (RFC 3986) foo://example.com:8042/over/there?name=ferret#nose \_/ \______________/\________/ \_________/ \__/ | | | | | scheme authority path query fragment Two parts in the query component of URI: A.Attributes that convey authorization restrictions (e.g. source IP address and time period) B.Message digest that confirms the integrity and authenticity of the URI provided by the URI creator.

Authorization Attributes (Keywords) Version (VER) - An integer used for identifying the version of URI signing method with its set of capabilities. Expiry Time (ET) - Time in seconds when URL expires since midnight 1/1/1970 UTC (i.e. UNIX epoch). Client IP (CIP) - IP address of the client in a dotted decimal format. Key Owner (KO) - Identifier of secret key owner in an integer format. Key ID (KN) - A number that is used as an index to the key used to validate the URI signature. Hash Function (HF) - A string used for identifying the hash algorithm (e.g. "MD5", "SHA1"). Algorithm (ALG) - An integer used for identifying the algorithm to compute the URI signature. Client ID (CID) - Identifier of the client such as IMSI, MSISDN, MEID, MAC address, etc. (Ed: Is this attribute needed?)

Signing and Validation Attributes and their values in URI are needed to enforce distribution policy; IANA assigned attribute keywords specified in the query string for the URI Signing function only when URI Signing is used and only in the context of CDNI Algorithm dictates entire URI or URI without scheme part is protected by message digest; extensible to other methods

CDNI Interfaces (Work in Progress) Capabilities Advertisement URI Signing support and its version CDNI Metadata for URI Signing support CDNI Metadata Content access control indication Type of access control. Specifically, access to content is subject to URL signature validation Key (i.e. public key or shared key) along with its key index (i.e. Key Owner and Key ID) and type (asymmetric or symmetric) used for validating URI signature List of Downstream CDN authorized for key distribution (i.e. trust relationship between CSP and CDNs) Algorithm for HMAC to be used for validation. CDNI Logging URI signature validation events (e.g. invalid client IP address, expired signed URI, incorrect URI signature, successful validation) Delivery log with confirmation of access control enforcement (i.e Delivery CDN enforced URI Signing before content delivery)

Issues Tracking Fix URI signing and validation for public key Remove Client ID (CID) attribute or introduce IMSI, MSISDN, MEID, MAC address, etc. as separate attributes CDNI Metadata Interface contains URI Signing required indication means Downstream CDN ensures URI must be signed and validated before content delivery; otherwise, Downstream does not perform validation regardless if URI is signed or not Specify MUST/SHOULD/MAY in text URI signing and validation steps are used as reference for operational logic and not specific implementation sequence Flexible URI signing work item CDNI Interfaces’ work items

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.