Access Control Enforcement Delegation for Information-Centric Networking Architectures N. Fotiou, G.F. Marias, G.C Polyzos
Problem Statement ICN architectures are expected to leverage CDNs, content caching and replication What can be done? Encrypt everything Give RPs access to “users management system” Deploy OAuth like solutions 2
A closer look at OAuth 3 “Only my friends” “Friends list of Consumer A”
Drawbacks RP has access to some information about Consumer RP has to implement access control policy enforcement RP has to understand the attributes provided by the IdP User intervention makes implementation difficult Many sites using Facebook, Microsoft and Google OAuth services 1, as well as, Google ID 2, Facebook Connect 2, have already been found vulnerable to severe security attacks 1 Sun and Beznosov The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems, ACM CCS Wang et al. Signing me onto your accounts through Facebook and Google: a traffic- guided security study of commercially deployed single-sign-on web services. IEEE Symposium on Security and Privacy (SP),
An alternative approach 5 facebook.com/nikos/12fg
Benefits Consumer’s credentials are protected Minimum user intervention RP has no access to consumer’s personal information RP does not have to implement any access control policy Access control policies can be re-used Even by users who do not know their content “Access Control Store” Access control policies can be easily modified 6
An ICN based implementation facebook.com/nikos/pics/IMG May give a location hint, denote the principal/owner Associated with an access control policy Handled by a (set of ) dedicated network node(s) Identifies uniquely the information object (globally or within the prefix) Information identification PrefixSuffix 7 Users can create prefix, advertise prefix/suffix pairs, request prefix/suffix pairs
An ICN based implementation The PURSUIT approach: Prefix: Scope Identifier (SId) Suffix: Rendezvous Identifier (RId) SIds are managed by the Rendezvous node Users can advertise data and subscribe to data Information flow: 8 Define access control policy: who can advertise, who can subscribe Provide Credentials A subscriber has properly authenticated himself and requests item X
An ICN based implementation Action ICN Function 9 O: Create access control policy A1 RP: Create secret R1 C: Authenticate O: Create a scope S1 in which all can advertise but only those who abide by A1 can subscribe RP: Advertise R1 under S1 C: Subscribe to S1/R1
Conclusion 10 We designed an access control enforcement delegation mechanism that: Can be easily deployed/managed Offers better privacy Create opportunities for new applications We implemented this mechanism using the functions of an ICN architecture No new message/function/protocol field was added
Thank you