Security & Privacy in Content-Centric Networking (CCN) · CCN Content object: Private Content (aka...
Transcript of Security & Privacy in Content-Centric Networking (CCN) · CCN Content object: Private Content (aka...
12/16/17
1
Security&PrivacyinContent-CentricNetworking
(CCN)
§ Security of Embedded Devices (ES/CPS/IoT) § Privacy-Agile Cryptographic Techniques
§ Cloud/DB apps § Genomic S&P § Input size-hiding
§ Privacy in Social Networks § Usable Security § Biometrics + De-authentication + Attacks § S&P in ICN/CCN/NDN
For more info see: sprout.ics.uci.edu
12/16/17
2
OUTLINE• Internet• CCNOverview• CCNSecurity&Privacy• AnonymousContentRetrieval• CachePrivacy• DenialofService• Network-LayerTrust• OtherTopics?
– AccessControl,Accounting,Fragmentation,NACKs
NEEDTOKNOW(forthistalk)
• Basicnetworking&Internetconcepts
• Networksecurityprinciples– Protocols
• Basicknowledgeofappliedcryptography– Basiccryptographicprimitives
12/16/17
3
5
• Tremendous,unexpected,unprecedentedandlong-lastingglobalsuccessstory
• 35-year-olddesign:architecturedefinedinRFC791/793(1981andearlier)
• Enablesanyhosttotalktoanyotherhosto Namesboxesandinterfaceso Supportsend-to-endconversationso ProvidesunreliablepacketdeliveryviaIPdatagramso CompensatesforsimplicityofIPviacomplexityof
TCP
6
• Helpedfacilitatetoday’srichglobal-scalecommunication
• But,wasnotdesignedforit
• Fundamentalcommunicationmodel:point-to-pointconversationbetweentwohosts(IPinterfaces)
• ThecentralabstractionisahostidentifiercorrespondingtoanIPaddress
12/16/17
4
7
• Last20years–profoundchangeinnatureofInternetcommunicationo Fromemail/ftp/telnetto…o Fromafewthousandsofusersto…o Fromstaticwirednodes(computers,terminals)to…o Fromfriendly,clubby,trustingambience,to…
• Massiveamountsofdataconstantlyproducedandconsumed• Web(esp.mediasharingandsocialnetworking),• Audio-/video-conferencing
• Notethat:• Emailandremoteloginarestillaround• Messagingtoo• Plus,there’sIoT…
KeyAspectsofInternetChange
• Multimediacontent• Mobility/Wireless-ness
àDelaysandDisruptions• DistributionScale• Cloud• IoT?
12/16/17
5
9
• S&PinthecurrentInternetarecertainlyNOTasuccessstory
• Retrofitted,incremental,bandaid-stylesolutions,e.g.:• SSH,• SSL/TLS(HTTPS),• IPSec+IKE+ISAKMP,• DNSSec,• sBGP,• AAA,etc.
• TargetedNSF-fundedprogram,2-tieredcompetition• Majorgoals:
• Designcomprehensivenext-generationInternetarchitectures• Accommodatecurrentandemergingcomm.paradigms• Securityandprivacyfromtheoutset(bydesign)
• Startedin2010• PhaseI:2010-2014• PhaseII:2014-2018
• Projects:• Nebula(PhaseI)• MobilityFirst(PhasesIanII)• XIA:eXpressiveInternetArchitecture(PhasesIandII)• NDN:Named-DataNetworking(PhasesIandII)• ChoiceNet(startedin2012,notstrictlyspeakingFIA)
12/16/17
6
CaveatAuditor!
• IwaspartoftheNDNFIAproject2010-2014• Work(ed)onS&PinNDN(andCCN)• WasfundedbytheNSF(‘till09/15)• Thus…takeeverythingwithagrainofsalt,drawyourownconclusions,andexplorefurther
Also:• IfocusonCCN=NDNandCCNx• ThereareotherICNefforts,e.g.,formobilenets
CCN=NDN+CCNx
12/16/17
7
Pointers
• Nameddatanetworkingproject(NDN),http://named-data.org• Content-centricnetworking(CCNx)project,http://www.ccnx.org• Intro:“Networkingnamedcontent”,ACMCoNEXT,2009
• IEEEInfocomNOMENWorkshop2012,2013• ACMICNWorkshop/Conference:2012-2013,2014-2017• VeryactiveIRTFICNResearchGroup(ICNRG)
https://trac.ietf.org/trac/irtf/wiki/icnrghttps://irtf.org/icnrg
• DagstuhlSeminarson:– GeneralICN(3total)– ICNSecurity&Privacy(2total),latest:http://www.dagstuhl.de/en/program/calendar/semhp/?semnr=16251
14
• Foralmost150years,communicationmeant:Awireconnectingtwodevices
• TheWebforeverchangedthat:Whatmattersiscontent,notthehostitcamefrom
12/16/17
8
15
Today’sInternet:acommunicationnetwork,usedasadistributionnetwork
Communication Distribution
Naming Endpoints Content
Memory Invisible, LimitedExplicit;
Storage = Wires
SecurityCommunication
processContent
16
12/16/17
9
17
18
Ca.2009 Ca.2013 Ca.mid-2016
NDN/CCNxsplit
CCNbirthatPARC
PARCsellsCCNxtoCISCOConvergenceeffortstarts
CCN/NDN NDN(NSF/UCLA)
CCNx(PARC)
12/16/17
10
19
20
ISP
ISP
12/16/17
11
21
ISP
ISP
22
• NameØ Human-readable,similartoURIØ Canbeconsideredasanetwork-layerURL
• Roles:Ø Consumer
Ø ProducerØ Router
• Objects:Ø ContentØ Interest
12/16/17
12
23
• Host• Interfaceaddress(IPaddress)• Datagram/Packet
• Router
24
Implicit Hash!
12/16/17
13
25
Consumer Producer Interest Interest Interest Interest
• Carries content name • No source/destination
address
• Named data (content) • Routed using state
26
Interest Incoming IF
/ccn/uci/content IF0
Interest: /ccn/uci/content Interest: /ccn/uci/content
IF0
IF1
IF2
IF3
/ccn/uci/content
Interest: /ndn/uci/content Every router has a: • PIT: Pending Interest Table • CS: Content Store (Cache) • FIB: Forwarding Information Base
, IF3
12/16/17
14
27
• Mainoperationisprefix-basedlongestmatchlookup,likeIP
• Interestsareforwardedaccordingtoroutingtable(FIB),butmultipointforwarding,broadcast,localfloodingareallokay
• Datafollowsinterestpathinreverse
(Cache)
(PIT)
28
• Routingbasedonnameprefixes+reachability,likeIP• CanreuseIProutingprotocols,e.g.,IS-IS,BGP
12/16/17
15
29
Security
• Now: secure the pipe • Data is authentic because it emanates from the right box (which is an
end-point of the right secure pipe)
• CCN: Integrity and trust are properties of content • Should be inferred from content itself
12/16/17
16
Securing Content: how?
Current SSL/TLS 3-way handshake model is not a good fit for CCN: – Secures channel, not data – Authentic content can come from anywhere – But, access control (and accounting) is difficult – After content retrieved from origin, it’s served by the
network (from caches) IPSec is also not a good fit for CCN…
Authenticity of Content
Content requested by a consumer can be retrieved from anywhere
• How can it be trusted? • How do we know who produced it? • How do we know it is the correct content?
12/16/17
17
Securing Content
• Integrity: is data intact and complete?
• Origin: who produced it?
• Correctness: is this (content) what consumer wants (based on interest)?
• Bonus feature: routers can choose to verify content (with caveats)
CCN Content object:
Private Content (aka Content Access Control)
Access to content can be restricted, e.g.:
• Encrypt once with a symmetric key • Distribute this key to authorized consumers using
“standard” techniques (pigeons?) • Access control on key rather than content
• This can make long-term secrecy problematic
Time permitting, we might come back to this topic…
12/16/17
18
Trust Model?
• All content is signed • Interests are not… • CCN is PKI-agnostic • Application-specific vs. network-layer trust
CCN: Privacy Benefits
• Interest has no source address/identifier • Content can be routed without knowing
consumer identity and/or location • One observed interest may correspond to
multiple consumers at various locations • Router caches reduce effectiveness of
observers close to producers
12/16/17
19
CCN: Privacy Challenges • Name privacy in interests
/CCN/us/wikipedia/STDs/herpes
• Name privacy in content
/CCN/zimbabwe/piratebay/XSOQW(#E@UED$%.mp3
• Signature privacy
• Leaks content publisher identity
• Classical privacy vs. security conflict
• Cache privacy
• Detectable hits/misses
CCN: Security Benefits
• Simplicity • All content is signed • No need for security handshakes in real time • A producer’s public key is a type of content
– Consumer first fetches producer’s PKC, then requests content (signed by that producer)
12/16/17
20
39
• Aproducer’spublickeyisatypeofcontent,i.e.,apublickeycertificate(PKC)• Reminder:aconsumerdoesn’tneedakey
• Containsauthorizednameprefixesunderwhichcontentcanbepublished
• Bindsthemtoapublickey • For example:
/ccn/cnn/usa/web/key /ccn/verisign/europe/key /ccn/us/ca/edu/uc/uci/cs/gene.tsudik/key
39
CCN: Security Challenges
• State in routers is both a blessing and a curse • Such state is a resource that can be abused • DoS attacks:
– Interest Flooding – Content Poisoning: proactive & reactive
• Covert Channels & Geo-location • Content Access Control • Trust management at the network layer
12/16/17
21
CCN:quickrecapPRODUCER• Announcesnameprefixes• Namesandsignscontentpackets• Injectscontentintothenetworkbyansweringinterests
CONSUMER• Generatesinterestpacketsreferringtocontentbyname• Receivescontent,verifiessignature,decryptsifnecessaryROUTER• Routesinterestsbasedon(hierarchical)nameprefixes–inherentlymulticast• RememberswhereInterestscamefrom(PIT),returnscontentalongsamepath• Optionallycachescontent(inCS)• Optionallyverifiescontentsignatures
(1)beforeforwarding,(2)beforecaching,or(3)wheneverithastime 41
Some Recent & Ongoing Work on CCN Security/Privacy
42
• Anonymouscontentretrieval:ANDaNA/AC3N• DoS/DDoS:
• Contentpoisoningcountermeasures• Interestfloodingmitigation
• PrivacyofRouter-SideCaching• Covertchannels&Geo-location• Securecontentfragmentation• NDNsecurityinnon-distributivesettings(e.g.,sensing,actuation)• Network-LayerTrustManagement• SecureContentDeletion• SecureAccounting• DataPrivacy• NetworkNames• PIT-lessCCNDesign• SecureContentDeletion• ContentAccessControl• NACKsandtheirSecurityImplications
12/16/17
22
Name Privacy and Anonymous Content
Retrieval in CCN
Why Name Privacy? CCN names are expressive and meaningful, but…• Leak information about requested content• Easy to filter/censor content, e.g., block everything like:
/CCN/cnn/world-news/russia
However:
• CCN names are opaque to the network
• Routers only need to know name component boundaries – “/”
• Names can carry binary data
12/16/17
23
ANDaNA: Anonymous Named Data
Networking Application
• Observers close to consumer should not learn what content is being requested
• Target: low-to-medium-volume interactive communication
• Producers might not be aware of ANDaNA
[DGTU-NDSS2012]
/OR1 /OR2
?/nytimes.com/today
ANDaNA
12/16/17
24
/OR1 /OR2
ANDaNA
/OR1 /OR2
?/nytimes.com/today
ANDaNA
12/16/17
25
/OR1 /OR2
?/nytimes.com/today
ANDaNA
/OR1 /OR2
?/nytimes.com/today
ANDaNA
12/16/17
26
/OR1 /OR2
ANDaNA
/OR1 /OR2
ANDaNA
12/16/17
27
/OR1 /OR2
ANDaNA
ANDaNA
Privacy with 2 hops comparable to Tor with 3 – Why? Lack of source address in interests – Anonymizing routers do not learn origin of traffic (only the
previous hop) – Lower overhead
12/16/17
28
Cache Privacy in
CCN
CCN Cache Privacy
• Router content caching is good for performance
• Better bandwidth utilization • Lower latency
• But… bad for privacy – Timing attacks – Cache harvesting attacks
12/16/17
29
• Who could the adversary be?
• Another host or router
• A malicious application on victim’s device
• Where could the adversary be?
• Near consumer, e.g., on the same LAN/WLAN segment
• Near producer (opposite sides of first hop router)
• In both places at once
Cache Privacy
Scenario 1: Victim=Consumer
Consumer Producer Interest Interest Interest Interest
Adversary
/CCN/org/wikileaks/2012/july/31
12/16/17
30
Scenario 2: Victim=Producer
Consumer Producer Interest Interest Interest Interest
Adversary
/CCN/org/wikileaks/2012/july/31
Scenario 3: Victims=Both
Alice Bob
Adversary Adversary Are Alice and Bob talking?
Recall: consumers must verify content signatures Therefore, Alice & Bob must first fetch each other’s PK
12/16/17
31
Countermeasures
• Do not cache content at all • Bad idea…
• Cache and delay • Which content? Who decides? • How long to delay?
Countermeasures • Two types of traffic:!
• Private!• Non-private!
• Who should dictate privacy?!• consumer, producer, router?!
• Two communication types:!• Low-latency (interactive) traffic!
• Use unpredictable content names!• Content distribution traffic; see paper for details (IEEE ICDCS’13)!
• Random delay!• Content-specific delay!
• Privacy bit in header of interests and/or content?!
12/16/17
32
DoS/DDoS in CCN
DoD/DDoS Resistance?
Some current DoS+DDoS attacks become irrelevant: • Content caching mitigates targeted DoS
• Content is not forwarded without prior PIT state set up by interest(s)
• Multiple interests for the same content are collapsed
• Only one copy of content per “interested” interface is returned
• Consumer can’t be “hosed” with unsolicited content >>> THIS IS AN IMPORTANT ADVANTAGE OF CCN!!!
12/16/17
33
DoS/DDoS • Attacks on infrastructure
• Loop-holing/black-holing
• Interest flooding
• Router resource exhaustion
• Attacks on consumers & router caches
• Content flooding
• Cache pollution
• Content/cache poisoning
Interest Flooding
Adversarygeneratesnumerousnon-sensicalinterests,e.g.:
/CCN/us/ca/uc/uci/cs/gene.tsudik/random-string
• Guaranteedtoreachtheproducer
• Consumespreciousrouterresources(PITentries)
• IFattackaffectsbothroutersandproducers
Anylegitimateproducerprefix
12/16/17
34
Interest Flooding Potentialcountermeasures:
1. Unilateralratelimiting/throttling
• Resourceallocationdeterminedbyrouterstate
2. Collaborativeratelimiting/throttling
• Routerspushbackattacksbyinteractingwithneighbors
Openproblem:sofar,nodeterministiccountermeasure!
Content Poisoning
1. Adversaryonthepathtoproducer(e.g.,arouter)– Interceptsgenuineinterest,replieswithfakecontent
– Contentsettlesinrouters
2. AdversaryNOTonthepathtoproducer– Anticipatesdemandforcontent
– Issuesowninterest(s),replieswithfakecontent
– Contentsettlesinrouters
12/16/17
35
Content Poisoning Potentialcountermeasures:
• Signatureverificationinrouters?
• Consumerfeedback?
• ASegressrouterverificationonly?
BTW:whatis“fake”content?
• Badsignature(failsverification),
• Badsigningkey
70
• CCNmainobjectiveiscontentdistribution• Facilitatedbycaches+PITsinrouters
• Consumermustverifycontentsignatures• But…howtoflushfakecontentfromroutercaches?• CCNallowsexclusionfiltersininterests(byhash)
o Canbeused,withverylimitedefficacyo ImmediateflushèDoSo Verifyingsignaturesèexpensive+anotherDoStype
• Consumerauthenticationcontradictsinterestopacity
12/16/17
36
71
• Aproducer’spublickeyisatypeofcontent,i.e.,apublickeycertificate(PKC)• Reminder:aconsumerdoesn’tneedakey
• Containsauthorizednameprefixesunderwhichcontentcanbepublished
• Bindsthemtoapublickey • For example:
/ccn/cnn/usa/web/key /ccn/verisign/europe/key /ccn/us/ca/edu/uc/uci/cs/gene.tsudik/key
71
72
Tworeasons:• Ambiguousinterests• Nounifiedtrustmodel:applicationsarediverse&dynamic
AXIOM:Network-layertrustandcontentpoisoningareinseparableRoutersshoulddominimalwork:
• Notverify/fetchpublickeys(exceptforrouting)• Dobounded,fixedamountofworkpercontent
• e.g.,verifyatmostonesignature
12/16/17
37
73
IKB:Aninterestmustreflectthetrustcontextoftheconsumer’sapplication,thusmakingit(easily)enforceableatthenetworklayer
IKB(CCN):Aninterestmustreflectthepublickeyofthecontentproducer
74
• MakePublisherPublicKeyDigest(PPKD)fieldmandatoryineveryinterest
• Consumersobtainandvalidatekeys,using• Pre-installedrootkeys• KeyNameService(KNS)• Globalsearch-basedservice
IKB(CCN):Aninterestmustreflectthepublickeyofthecontentproducer
12/16/17
38
75
• Producer:o Includespublickeyineachcontent’s
KeyLocator field
• Router:o MatchesKeyLocatordigesttoPPKDinPITo VerifiessignatureusingKeyLocator o Nofetching,storing,parsingofpublickeysàNote:PITentrycollapsingtakesPPKDintoaccount
76
CLAIM:AdherencetoIKBèsecurityagainstcontentpoisoning
• Assume:o AllnodesabidebyIKBo Consumernotmaliciouso Consumer-facingrouters–notmaliciouso Consumerßàfirst-hoprouterlinknotcompromised
12/16/17
39
77
• ConsumersendsinterestcontainingPPKD• Routerensuresthat:
o ValidcontentsignatureusingkeyinKeyLocatoro DigestofKeyLocatormatchesPPKDinPIT
• Consumer-facingrouternotmaliciousèonlypossibilityofpoisonedcontentisifahashcollisionoccurs
Whatifupstreammaliciousrouterssendfakecontent:• Consumer-facingrouterdetectsanddropsit
78
• Includekeysininterest:ü Savestoragex Requireschangestointerest&contentstructure
• OnlyASborderroutersimplementIKB
ü Betterperformancex PossibleattackswithinAS
But…detectablebyborderroutersNOTE:eachroutermustatleastdoaPPKDmatch
12/16/17
40
79
• Self-CertifyingName(SCN)o Hashofcontent(includingname)aslastcomponentof
name
• BenignconsumersuseSCNènetworkdelivers“valid”content
• Nosignatureverificationbyrouters:o Onlyonehashre-computation
• Howtogetcontenthashinthefirstplace?
80
Acatalogormanifest:o Anauthenticated(signed)datastructureo ContainsoneormoreSCN-s,nestingisarbitraryo Anyauthenticateddatastructure
o Hashchains,MHTs,skip-lists,etc.o Structureisapplication-specifico UseIKBtobootstrap(i.e.,fetchacatalog)
• SCNobtainedfromacatalog:ü Noaddl.signatureverificationbyrouters/consumersü Noneedforproducerstosignindividualcontent
12/16/17
41
81
82
CCNManifestSpecification(InternetDraft)
12/16/17
42
83
1. ContentDistribution,e.g.:
o Videostreaming:o OnebigcatalogcontainingSCNsofallsegmentso Or,hashchains(withdata),orMHT,etc.
o Foreexample,Webbrowsing:- HTMLfileasacatalog- ContainsSCNofsub-pages/components- Worksonlyforstaticcontent
84
2. InteractiveTraffic
o Contentgeneratedondemand(real-time),e.g.,audio/videoconferencing,
o Catalogsarenotviable
o ContentmustberequestedbysettingPPKDininterest
12/16/17
43
85
• ConsumerobtainshashHofcontentCfromP’scatalog• ConsumergeneratesinterestforC,referringtoH• But,CisnolongeravailableatP• Preceivesinterestand???
• Justdropsit:badforConsumeror:• GeneratesaNACK:routerswilldropitsinceaNACK’s
hashdoesn’tmatchHBottom-line:needtoaugmentiKBandinterestformattoallowforSCN-carryingintereststostillrefertoP’spublickeyThiscanbeusedasafallbackifSCNenforcementfails.
Some Recent & Ongoing Work in CCN Security/Privacy
86
• Anonymouscontentretrieval:ANDaNA/AC3N• DoS/DDoS:
• Contentpoisoningcountermeasures• Interestfloodingmitigation
• PrivacyofRouter-SideCaching• Covertchannels&Geo-location• Securecontentfragmentation• NDNsecurityinnon-distributivesettings(e.g.,sensing,actuation)• Network-LayerTrustManagement• SecureContentDeletion• SecureAccounting• DataPrivacy• NetworkNames• PIT-lessCCNDesign• SecureContentDeletion• ContentAccessControl• NACKsandtheirSecurityImplications
12/16/17
44
87