krb ccn lightweight authentication access control for
play

KRB-CCN: Lightweight Authentication & Access Control for Private - PowerPoint PPT Presentation

Mar 16, 2023 •14 likes •604 views

KRB-CCN: Lightweight Authentication & Access Control for Private Content-Centric Networks Ivan O. Nunes and Gene Tsudik University of California Irvine {ivanoliv, gene.tsudik}@uci.edu ACNS 2018 1 Agenda CCN Overview

  1. KRB-CCN: Lightweight Authentication & Access Control for Private Content-Centric Networks Ivan O. Nunes and Gene Tsudik University of California Irvine {ivanoliv, gene.tsudik}@uci.edu ACNS 2018 1

  2. Agenda • CCN Overview – Authentication and AC in CCN • Kerberos • KRB-CCN – Design – Security – Implementation & Evaluation • Final Remarks ACNS 2018 2

  3. CCN Overview ACNS 2018 3

  4. Content-Centric Networking: • Named data, instead of host addresses: – /edu/uci/ics/ivan/krbccn-paper.pdf • Decouples Content from its location • Optional in-network caching: potentially better network utilization, lower latency... ACNS 2018 4

  5. Content-Centric Networking: • Network entities: – Producers: generate and publish contents under unique names ( owns a prefix ) – Consumers: issue “interests” for contents containing such contents names – Routers: forward interests and contents • May cache content ACNS 2018 5

  6. Content-Centric Networking: ACNS 2018 6

  7. Content-Centric Networking: ACNS 2018 7

  8. Content-Centric Networking: ACNS 2018 8

  9. Content-Centric Networking: ACNS 2018 9

  10. Content-Centric Networking: ACNS 2018 10

  11. Content-Centric Networking: ACNS 2018 11

  12. Content-Centric Networking: ACNS 2018 12

  13. Content-Centric Networking: Overview Routing: – Pending Interest Table (PIT) : • Table of pending interests and corresponding incoming interfaces • Used to route the content back to the requesting consumer ACNS 2018 13

  14. Content-Centric Networking: Overview Routing: – Pending Interest Table (PIT) : • Table of pending interests and corresponding incoming interfaces • Used to route the content back to the requesting consumer – Forwarding Interest Base (FIB) : • Table of name prefixes and corresponding outgoing interfaces • Used to route interests towards content producers (Longest Prefix Match of names) ACNS 2018 14

  15. CCN Security • The architecture demands that content is signed by its producer ACNS 2018 15

  16. CCN Security • The architecture demands that content is signed by its producer • Some IP-equivalent services have been proposed: – Anonymity networks, VPNs, TLS-like key exchange... ACNS 2018 16

  17. CCN Security • The architecture demands that content is signed by its producer • Some IP-equivalent services have been proposed: – Anonymity networks, VPNs, TLS-like key exchange... • Currently 2 flavors of AC: – CBAC: inability to decrypt unauthorized content – IBAC: inability to request (generate interests for) unauthorized content • must be used jointly with CBAC ACNS 2018 17

  18. CCN Security • Issues with current approaches for AC: – Producer Overhead: Producers are responsible for handling consumer authentication and content AC on their own ACNS 2018 18

  19. CCN Security • Issues with current approaches for AC: – Producer Overhead: Producers are responsible for handling consumer authentication and content AC on their own – Consumer Privacy: AC enforced by producers implies sacrificing consumer privacy ACNS 2018 19

  20. CCN Security • Issues with current approaches for AC: – Producer Overhead: Producers are responsible for handling consumer authentication and content AC on their own – Consumer Privacy: AC enforced by producers implies sacrificing consumer privacy – Policy Changes: It is difficult to react to policy changes, e.g., access revocation for a given consumer ACNS 2018 20

  21. CCN Security • Issues with current approaches for AC: – Producer Overhead: Producers are responsible for handling consumer authentication and content AC on their own – Consumer Privacy: AC enforced by producers implies sacrificing consumer privacy – Policy Changes: It is difficult to react to policy changes, e.g., access revocation for a given consumer – Confidentiality: If consumer is authenticated by other means, e.g., passwords and biometrics, each producer would have to store and manage potentially sensitive state information ACNS 2018 21

  22. CCN Security • Issues with current approaches for AC: – Producer Overhead: Producers are responsible for handling consumer authentication and content AC on their own – Consumer Privacy: AC enforced by producers implies sacrificing consumer privacy – Policy Changes: It is difficult to react to policy changes, e.g., access revocation for a given consumer – Confidentiality: If consumer is authenticated by other means, e.g., passwords and biometrics, each producer would have to store and manage potentially sensitive state information • What else can we do? ACNS 2018 22

  23. Kerberos ACNS 2018 23

  24. Kerberos Overview • Since mid-1980s, Kerberos has been successfully and widely used for authentication and AC in IP-based private networks • Separate entities for authentication, AC, and services • Solves aforementioned issues of other approaches for authentication and AC in CCNs. • Suited for private networks (within autonomous system) ACNS 2018 24

  25. Kerberos Overview • Authentication and AC service for private networks and autonomous systems ACNS 2018 25

  26. Kerberos Overview • Authentication and AC service for private networks and autonomous systems • 3 rounds: ACNS 2018 26

  27. Kerberos Overview • Authentication and AC service for private networks and autonomous systems • 3 rounds: 1 - Authentication Request: Generates a TGT (Ticket-Granting Ticket) that serves as a “proof” of authentication ACNS 2018 27

  28. Kerberos Overview • Authentication and AC service for private networks and autonomous systems • 3 rounds: 1 - Authentication Request: Generates a TGT (Ticket-Granting Ticket) that serves as a “proof” of authentication 2 - Authorization Request: Generates an ST (“Service Ticket”) that serves as a “proof” of authorization ACNS 2018 28

  29. Kerberos Overview • Authentication and AC service for private networks and autonomous systems • 3 rounds: 1 - Authentication Request: Generates a TGT (Ticket-Granting Ticket) that serves as a “proof” of authentication 2 - Authorization Request: Generates an ST (“Service Ticket”) that serves as a “proof” of authorization 3 - Service Request: Execution/Access to the actual service/data (authenticated both ways). ACNS 2018 29

  30. KRB-CCN ACNS 2018 30

  31. KRB-CCN: Big Picture ACNS 2018 31

  32. Design • Parties: – TGT Producer (TGT-Prod) : • Verifies Identity Produces a TGT ACNS 2018 32

  33. Design • Authentication (Between Consumer and TGT-Prod ) ACNS 2018 33

  34. Design • Authentication (Between Consumer and TGT-Prod ) ACNS 2018 34

  35. Design • Authentication (Between Consumer and TGT-Prod ) ACNS 2018 35

  36. Design • Authentication (Between Consumer and TGT-Prod ) Encrypted using a Same key key shared between as in the TGT-Prod and token CGT-Prod ACNS 2018 36

  37. Design • Authentication (Between Consumer and TGT-Prod ) Encrypted using a Same key key shared between as in the TGT-Prod and token Someone else can CGT-Prod not decrypt the token ACNS 2018 37

  38. Design • Parties: – TGT Producer (TGT-Prod) : • Verifies Identity Produces a TGT – CGT Producer (CGT-Prod) : • Verifies TGT and AC Policy Produces a CGT ACNS 2018 38

  39. Design • Authorization (Between Consumer and CGT-Prod ) Content’s name prefix, e.g.: edu/uci/ivan/* ACNS 2018 39

  40. Design • Authorization (Between Consumer and CGT-Prod ) Content’s name prefix, e.g.: edu/uci/ivan/* ACNS 2018 40

  41. Design • Authorization (Between Consumer and CGT-Prod ) Content’s name prefix, e.g.: edu/uci/ivan/* Kp shared between CGT-Prod and Content Producer ACNS 2018 41

  42. Design • Authorization (Between Consumer and CGT-Prod ) Content’s name prefix, e.g.: edu/uci/ivan/* Kp shared between CGT-Prod and Content Producer From authentication phase: only UID has this key ACNS 2018 42

  43. Design • Authorization (Between Consumer and CGT-Prod ) Content’s name prefix, e.g.: edu/uci/ivan/* Kp shared between CGT-Prod and Content Producer From authentication phase: only UID has this key Someone else can ACNS 2018 43 not decrypt the token

  44. Design • Parties: – TGT Producer (TGT-Prod) : • Verifies Identity Produces a TGT – CGT Producer (CGT-Prod) : • Verifies TGT and AC Policy Produces a CGT – Content Producer : • Verifies CGT Produces Content/Service ACNS 2018 44

  45. Design • Content requests (Between Consumer and Producer ) ACNS 2018 45

  46. Design • Content requests (Between Consumer and Producer ) No UID, only CGT! ACNS 2018 46

  47. Design • Content requests (Between Consumer and Producer ) No UID, only CGT! ACNS 2018 47

  48. Design • Content requests (Between Consumer and Producer ) No UID, only CGT! From authorization phase: only UID has this key ACNS 2018 48

  49. Design • Content requests (Between Consumer and Producer ) No UID, only CGT! From authorization phase: only UID has this key Someone else can not access content D! ACNS 2018 49

  50. Design • Content requests (Between Consumer and Producer ) Mutual Authentication Support ACNS 2018 50

Recommend

A Lightweight Statistical Authentication Protocol for Access Control in Wireless LANs Haoli Wang,

A Lightweight Statistical Authentication Protocol for Access Control in Wireless LANs Haoli Wang,

A Lightweight Statistical Authentication Protocol for Access Control in Wireless LANs Haoli Wang, Joel Cardo, Yong Guan ECE, Iowa State University ASWN 2004 Introduction Emergence of visitor networks Visitor Networks: LANs that are

671 views • 13 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We

CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We

CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We want to control how users can interact with information E.g., Users should only be able to view their own messages Users can only

465 views • 12 slides
Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction to Computer Security Announcements intermission OS security: access control Unix-style access control Stephen McCamant Multilevel and mandatory

656 views • 9 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
Session 7 Authentication and Access Control Sbastien Combfis Fall 2019 This work is

Session 7 Authentication and Access Control Sbastien Combfis Fall 2019 This work is

I5020 Computer Security Session 7 Authentication and Access Control Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License. User Authentication

862 views • 43 slides
CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web

CSE 510 Web Data Engineering Access Control Authentication & Authorization UB CSE 510 Web Data Engineering Access Control Mechanisms Declarative Authorization using Realms The expression of app security external to the app

540 views • 26 slides
D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient access control and authentication checks Insecure access control methods Private, internal functions and data are accessible through a

547 views • 11 slides
Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following authentication, we need to decide what the subject can access 1 Read F 1 OK 2 Bob Write to F Alice 2 F NO ! 3 Execute G G 3 OK

596 views • 56 slides
Outline OS protection and isolation (contd) CSci 5271 OS security: authentication

Outline OS protection and isolation (contd) CSci 5271 OS security: authentication

Outline OS protection and isolation (contd) CSci 5271 OS security: authentication Introduction to Computer Security Basics of access control OS authentication and access control (combined lecture) Announcements, Ex. 1 debrief Stephen

440 views • 11 slides
ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler

ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler

ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.24k views • 66 slides
Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.15k views • 70 slides
Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch

Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch

ECE590 Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.02k views • 70 slides
OPT : LIGHTWEIGHT SOURCE AUTHENTICATION & PATH VALIDATION

OPT : LIGHTWEIGHT SOURCE AUTHENTICATION & PATH VALIDATION

OPT : LIGHTWEIGHT SOURCE AUTHENTICATION & PATH VALIDATION Tiffany Hyun-Jin Kim , 1 Cris(na Basescu, 2 Limin Jia, 1 Soo Bum Lee, 3 Yih-Chun Hu, 4 and Adrian

502 views • 26 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Nemesis: Preventing Web Authentication & Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication & Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication & Access Control Vulnerabilities Michael Dalton , Christos Kozyrakis Stanford University Nickolai Zeldovich Massachusetts Institute of Technology Web Application Overview User: webdb User: httpd

446 views • 22 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense Lecture 2 Page 1 CS 236 Online Physical Security Lock up your computer Actually,

465 views • 35 slides
Lecture 15 Access Control Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 15 Access Control Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 15 Access Control Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Authentication vs Authorization Authentication Who goes there? Restrictions on who (or what)

348 views • 21 slides
Lightweight Authentication for Email (and Web?) Ben Adida ben@mit.edu PAW/DIG Meeting June

Lightweight Authentication for Email (and Web?) Ben Adida ben@mit.edu PAW/DIG Meeting June

Lightweight Authentication for Email (and Web?) Ben Adida ben@mit.edu PAW/DIG Meeting June 30th, 2005 (joint work with Susan Hohenberger and Ronald L. Rivest) Distributed Phishing Friends and Colleagues Jakobsson & Young 2005

335 views • 21 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process with Smart Cards Roberto BARBERA (1)(2) , Vincenzo CIASCHINI (3) , Alberto FALZONE (4) , Giuseppe LA ROCCA (1)

456 views • 32 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
Authentication in Distributed Systems Austen Barker Access Control Operation Object principal

Authentication in Distributed Systems Austen Barker Access Control Operation Object principal

Authentication in Distributed Systems Austen Barker Access Control Operation Object principal Reference monitor Challenges of a distributed system Autonomy : Path from principal to an object may be long and convoluted. Size : Usually much

304 views • 29 slides
Lecture 22 Access Control Stephen Checkoway Oberlin College Slides based on Baileys ECE

Lecture 22 Access Control Stephen Checkoway Oberlin College Slides based on Baileys ECE

Lecture 22 Access Control Stephen Checkoway Oberlin College Slides based on Baileys ECE 422 Authentication vs Authorization Authentication Who goes there? Restrictions on who (or what) can access system Authorization Are

422 views • 20 slides

More recommend