Privacy in Content-Oriented Networking: Threats and Countermeasures Abdelberi Chaabane Emiliano De Cristofaro Mohamed Ali Kaafar Ersin Uzun

What is Content-Oriented Networking? Content-oriented networking is a proposed network architecture to better accommodate the needs of modern systems and applications. Has potential for wide range of benefits, such as reduced congestion, improved delivery speed, simpler configuration of network devices, and security at the data level.

Content-Oriented Networking Content-Oriented Networking (CON) is an architecture designed to decouple contents from hosts, at the network layer, by relying on the publish/subscribe paradigm CON shifts identification from the host to content, so that it can be located anywhere in the network.

CON (Continued) Content in CON is self-contained, has a unique name, and can be retrieved by means of an interest for that name. It is also cached in any arbitrary location, and digitally signed to ensure the integrity and authenticity for the content.

In this paper, the authors discuss different attack scenarios that threaten privacy in CON For each attack, the authors describe the attackers capabilities and their impact on user privacy. They suggest several countermeasures and detail the strengths and weaknesses of each approach. The authors also highlight a number of open problems for further research.

CON CON has several building blocks: Named Content Content-based Routing Content Delivery In-network storage. These building blocks are used to develop a CON-based architecture such as DONA or CCN.

Named Content In CON, objects are always named to facilitate data dissemination and search The security model is now shifted to from host authentication to content authentication.

Content-Based Routing Content routing in CON relies on content rather than hosts The aim is to handle increased amounts of network traffic, and be more resilient to network bursts and user mobility

Content Delivery Content is efficiently delivered using multi-path routing and leveraging in-network caching Minimizes network bandwidth and delivery delay, as well as handle mobile users.

In-network Storage All CON components provide a caching capability. This is different from packet buffers in standard router’s In CON, cache size is expected to be several orders of magnitude larger.

Figure 1: An overview of the main CON features: content routing, caching, and content signature. Content is address by name (x).

CCN/CCNx CCNx is a CON instance, and it implements content-centric networking Whenver a router receives an interest for X, it performs a longest-prefix match lookup on it’s three main tables First it will look in it’s main cache (Content store) If that fails, it looks in the Pending Interest Table Else, it will look for the most suitable interface in the Forward Information Base, and then make an entry in the Pending Interest Table.

Privacy challenges on CON There are many challenges for privacy on CON, including: Cache privacy Content Privacy Name privacy Signature privacy In the next few slides, we will be going over the forms of attacks and counteremeasures

Cache Privacy Timing Attacks Protocol Attacks Measure the delay in retrieval to determine what router the content is stored in Protocol Attacks Attack the basic framework for CCNx If content Y has prefix X, can facilitate easy extraction without knowing Y’s filename

Countermeasures Wait before reply Collaborative Caching Delay all requests sent to router, this helps curb timing attacks. Collaborative Caching Have neighbor caches collaborate to create a distributed cache that serves a larger set of users This would create anonymity, making attackers think it is only one cache.

Countermeasures Probabilistic caching Make the caching procedure random can reduce the effectiveness of attacks. One possible approach could be the router deciding to cache based on position from the forwarding path, as well as available space in the cache. Since the decision is based on a router’s internal state, the attacker will not know it.

Content Privacy Monitoring and Censorship Since DPI (Deep Packet Inspection) can be used on unencrypted communications in a regular network, CON is more affected due to persistent caches in the network. This raises the issue of content privacy as DPI works just as well on CON.

Countermeasures Encryption (both Symmetric and Asymmetric) Broadcast encryption Send a message out to n receivers each with a different private key. Proxy re-encryption Cover files

Name Privacy In CCNx, content is named by the network and is routed based on content names, This creates a privacy threat, as the content names are not only visible, but are also expected to be related to the content in some way.

Bloom Filter

Signature Privacy One of the main goals of a CON is to decouple content from its location and allow retrieving from nearby caches. In order to trust fetched data, CCNx digitally signs the content to guarantee integrity Ordinary digital signatures may leak information about a user.

Countermeasure Confirmer signature Group signatures Use another undeniable signature delegated to a third party for verification. Group signatures Let the user hide in a group of signatures to provide signer-ambiguity Ephemeral Identities Let the user create a proxy identity, and use that to sign, protecting themselves

The potential of CON privacy In this section, the authors look at privacy in a CON through a few privacy related concepts: Anonymity Censoring Traceability Confidentiality

Anonymity In IP, an traditional way to obtain anonymity is through use of a trusted proxy In CON, anonymity is provided natively without the use of a third party. Essentially, a neighboring router in CON can be seen as a proxy.

Censoring In CON, content naming facilitates keyword filtering Since CON routers have larger computational and memory resources, content blocking can be carried more efficently, without use of dedicated hardware Since interests and data are not encrypted, an attacker just needs to modify the routing protocol so that any “unwanted” interest is dropped from the protocol.

Traceabliltiy In IP, most tracking can be done easily through party identifiers (IP addresses) In CON, it is hard to implement because CON, by design, removes party identifiers. Lack of traceability might improve user privacy, but raises security challenges. Makes attacks like DoS harder to trace an attacker

Confidentiality Today’s internet model runs on a “one-size-fits-all” model of trust Trust in CON is end-to-end, and does not depend on any physical or temporal frame. This modularity gives CON an advantage, as new trust management models can be employed at will.

Conclusion CON proposes a major transition away from the current Internet into a more content-based architecture. CON has the potential benefit of security by design, based on digital signatures that provide data authenticity and integrity. Further work will involve employing the proposed countermeasures and analyzing their feasibility.

Questions?