Access Control Enforcement Delegation for Information-Centric Networking Architectures N. Fotiou, G.F. Marias, G.C Polyzos.

Problem Statement
- ICN architectures are expected to leverage CDNs, content caching and replication
- What can be done?
  - Encrypt everything
  - Give RPs access to “users management system”
  - Deploy OAuth-like solutions

A closer look at OAuth
[Figure; only the labels survive: “Only my friends”, “Friends list of Consumer A”]

Drawbacks
- RP has access to some information about Consumer
- RP has to implement access control policy enforcement
- RP has to understand the attributes provided by the IdP
- User intervention makes implementation difficult
- Many sites using Facebook, Microsoft and Google OAuth services [1], as well as Google ID and Facebook Connect [2], have already been found vulnerable to severe security attacks

[1] Sun and Beznosov. The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems. ACM CCS.
[2] Wang et al. Signing me onto your accounts through Facebook and Google: a traffic-guided security study of commercially deployed single-sign-on web services. IEEE Symposium on Security and Privacy (SP).

An alternative approach
[Figure; only the example identifier survives: facebook.com/nikos/12fg]

Benefits
- Consumer’s credentials are protected
- Minimum user intervention
- RP has no access to consumer’s personal information
- RP does not have to implement any access control policy
- Access control policies can be re-used
  - Even by users who do not know their content
  - “Access Control Store”
- Access control policies can be easily modified

An ICN based implementation
Information identification: Prefix / Suffix, e.g. facebook.com/nikos/pics/IMG
- Prefix
  - May give a location hint, denote the principal/owner
  - Associated with an access control policy
  - Handled by a (set of) dedicated network node(s)
- Suffix
  - Identifies uniquely the information object (globally or within the prefix)
Users can create prefix, advertise prefix/suffix pairs, request prefix/suffix pairs

An ICN based implementation  The PURSUIT approach:  Prefix: Scope Identifier (SId)  Suffix: Rendezvous Identifier (RId)  SIds are managed by the Rendezvous node  Users can advertise data and subscribe to data  Information flow: 8 Define access control policy: who can advertise, who can subscribe Provide Credentials A subscriber has properly authenticated himself and requests item X

An ICN based implementation

Action                              | ICN Function
------------------------------------|--------------------------------------------------------------------------------------
O: Create access control policy A1  | O: Create a scope S1 in which all can advertise but only those who abide by A1 can subscribe
RP: Create secret R1                | RP: Advertise R1 under S1
C: Authenticate                     | C: Subscribe to S1/R1
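The following is an added example for this transcript, not code from the paper or from the PURSUIT project. It models the three rows of the Action / ICN Function table and the prefix/suffix identifier split from the preceding slides as an in-memory rendezvous node: the owner (the slides' "O", read here as the owner/principal of the prefix) creates scope S1 with policy A1, the RP advertises secret R1 under it, and consumers subscribe to S1/R1 after authenticating. The class and function names, the attribute-based credential format and the session-token mechanism are assumptions made for the example; all data is constructed.

```python
"""Toy model of access control enforcement delegation in a PURSUIT-style ICN.

Added example, not code from the paper or the PURSUIT project. Names,
the attribute-based credential format and the in-memory "rendezvous
node" are assumptions; only the roles (O, RP, C), the SId/RId split and
the action -> ICN function mapping come from the slides.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


# Information identification: prefix (scope, SId) / suffix (RId).
def split_identifier(ident: str) -> Tuple[str, str]:
    """Split 'prefix/suffix' at the last '/'. The suffix is the RId, unique
    within the prefix; the prefix is the SId handled by the rendezvous node."""
    prefix, sep, suffix = ident.rpartition("/")
    if not sep or not prefix or not suffix:
        raise ValueError(f"identifier must have the form prefix/suffix: {ident!r}")
    return prefix, suffix


# An access control policy is a predicate over the consumer's attributes
# (assumed format: a flat dict asserted by the owner's user-management system).
Policy = Callable[[Dict[str, str]], bool]


@dataclass
class Scope:
    owner: str
    subscribe_policy: Policy                               # A1: who may subscribe
    advertise_policy: Policy                               # who may advertise
    items: Dict[str, bytes] = field(default_factory=dict)  # RId -> data


class RendezvousNode:
    """Dedicated network node managing SIds. It enforces the scope's policy on
    every subscription, so the RP never evaluates the policy itself."""

    def __init__(self) -> None:
        self.scopes: Dict[str, Scope] = {}
        # Authenticated consumers: session token -> attributes (constructed
        # simplification of "Provide Credentials" on the information-flow slide).
        self.sessions: Dict[str, Dict[str, str]] = {}
        self.log: List[Tuple[str, str, str]] = []

    # O: create scope S1 in which all can advertise but only A1-holders subscribe
    def create_scope(self, owner: str, sid: str, subscribe_policy: Policy,
                     advertise_policy: Policy = lambda attrs: True) -> None:
        self.scopes[sid] = Scope(owner, subscribe_policy, advertise_policy)

    # C: authenticate. The owner's system hands the node the consumer's
    # attributes; the RP sees neither the credentials nor the attributes.
    def authenticate(self, token: str, attributes: Dict[str, str]) -> None:
        self.sessions[token] = dict(attributes)

    # RP: advertise R1 under S1
    def advertise(self, rp: str, sid: str, rid: str, data: bytes) -> None:
        scope = self.scopes[sid]
        if not scope.advertise_policy({"principal": rp}):
            raise PermissionError(f"{rp} may not advertise under {sid}")
        scope.items[rid] = data

    # C: subscribe to S1/R1. The node, not the RP, decides against A1.
    def subscribe(self, token: str, ident: str) -> Optional[bytes]:
        sid, rid = split_identifier(ident)
        scope = self.scopes.get(sid)
        attrs = self.sessions.get(token)
        if scope is None or attrs is None or not scope.subscribe_policy(attrs):
            self.log.append(("DENY", ident, token))
            return None
        self.log.append(("PERMIT", ident, token))
        return scope.items.get(rid)


def run_scenario() -> Dict[str, object]:
    """Walk through the Action / ICN Function table with constructed data:
    owner 'nikos', one RP, one friend and one stranger of the owner."""
    node = RendezvousNode()
    sid = "facebook.com/nikos/pics"
    # O: A1 = "Only my friends"; scope S1 = the prefix
    node.create_scope("nikos", sid,
                      subscribe_policy=lambda a: a.get("relation") == "friend")
    # RP: secret R1, advertised under S1 as item IMG
    node.advertise("rp.example", sid, "IMG", b"secret-R1")
    # C: two consumers authenticate against the owner's system
    node.authenticate("tok-alice", {"user": "alice", "relation": "friend"})
    node.authenticate("tok-bob", {"user": "bob", "relation": "stranger"})
    item = "facebook.com/nikos/pics/IMG"
    return {
        "friend": node.subscribe("tok-alice", item),          # b"secret-R1"
        "stranger": node.subscribe("tok-bob", item),          # None
        "unauthenticated": node.subscribe("tok-none", item),  # None
        "log": node.log,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The point of the model is where the decision is taken: `subscribe` is the only place A1 is evaluated, and it runs on the rendezvous node, which is why the RP in `advertise` needs neither the policy nor the consumer's attributes, and why changing A1 (the "Access Control Store" benefit) is a change to the scope rather than to every RP.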

Conclusion
- We designed an access control enforcement delegation mechanism that:
  - Can be easily deployed/managed
  - Offers better privacy
  - Creates opportunities for new applications
- We implemented this mechanism using the functions of an ICN architecture
  - No new message/function/protocol field was added

Thank you