Page 1: Named Data Networking of Secure Things

Alex Afanasyev, Florida International University

Page 2: Today's IoT over TCP/IP

• Point-to-point communication model
• Cloud dependency
• With focus on devices that are associated with "things", not the "things" themselves

Example of the address-to-device-to-thing indirection (figure):

1.1.1.1 → Heater controller → Living room heater
1.1.2.1 → Lights sensor → Lights in kids' bedroom
1.1.3.2 → Lights controller → Lights in garage

Page 3: Complexity and Semantic Mismatch for IP/IoT

Today's IoT protocol stack (figure): IoT apps and services on top of CoAP/HTTP over TLS/DTLS, over TCP/UDP over IP, with DHCP for address assignment and DNS/DNSSEC for name resolution, all over a link layer (Ethernet/WiFi/Bluetooth/802.15.4/…) with an optional adaptation sub-layer.

• App: "Living room frontal view feed"
• Network:
– Request stream (HTTP/CoAP)
– Connect to camera (TCP/IP)
• Plus:
– Look up the mapping "Living room" -> camera URI
– Connect to the AlexHome.com (cloud?) service
– DNS lookup of the IP of the AlexHome.com service
– DHCP to assign IP addresses to all devices

Page 4: NDN Alignment with IoT Applications

• Name the "things" and operations on "things"
– "temperature in the room", "humidity on the second floor"
– "blood pressure", "body temperature"
– "max/min/avg pH of soil in a specific point of the US soil grid"
• Secure data directly
• Request-response semantics with name-based forwarding and in-network cache
– Make use of ad hoc and broadcast-style communications
– Make use of any intermittent connectivity
– Independence of communication technology

Page 5: Application-Defined, Semantically Meaningful Names for All Data Packets

NDN hourglass (figure): applications (live video, file transfer, data collection, …) on top; stream and file chunking libraries; NDN named data as the thin waist; below it Ethernet, WiFi, …; CSMA, SONET, …; copper, fiber, radio, ….

Example names:
• Raw frames of a video feed: /UCLA/Campus/RoyceHall/ARFeed/FrontView/mp4/_frame=12/_chunk=20
• Commands to a projector: /_thisRoom/Projector/SHOW/…
• Cryptographic keys: /UCLA/Faculty/HSEAS/CS/Alex/BoelterHall/KEY/_id=42
• Video frame analysis: /FUN:/SLAM/(/…/ARFeed/…)/…
• Parking lot information: /UCLA/Parking/LOT8/Info/…

Page 6: Bootstrapping, Discovery, and Auto-Config

• No IP address allocations/management needed

Built-in identity
• nature of the IoT device
• config interface

Enabling trust
• out-of-band PIN
• a pre-scanned barcode

Operate
• /local/discovery/lighting/serial=123456
• ../lights/ON, ../lights/OFF
• /MyHome/Bedroom/lights/...

Page 7: Data-Centric Security of NDN

Figure: a Data packet binds a name, its content, and a signature made with a named key ("Data", "Key", "Signed by"). Data-centric authenticity and data-centric secrecy are mapped onto the three goals Authenticity, Confidentiality, and Availability.

Page 8: Data-Centric Security of NDN: Built-In for Every Data Packet

• In the Internet you secure your path..
• ..but the server may still be hacked!
• In NDN you sign the data with a digital signature..
• ..so the users know when they get bad data!
• Data secured in motion and at rest

Example packet name: /UCLA/Campus/RoyceHall/ARFeed/FrontView/mp4/_frame=12/_chunk=20

Page 9: Authentication of NDN Data

Figure: the Data packet /UCLA/Campus/RoyceHall/ARFeed/FrontView/mp4/_frame=12/_chunk=20 carries "KeyLocator: /UCLA/…/KEY" and is signed by that key. The key /UCLA…/KEY is itself a Data packet with its own "KeyLocator: /UCLA/…/KEY", signed by the next key up the chain.

Page 10: Key Privilege Separation

Figure: two packets with the identical name /UCLA/Campus/RoyceHall/ARFeed/FrontView/mp4/_frame=12/_chunk=20. A frame from a camera installed in Royce Hall is signed by /UCLA/Camera/…/Campus/RoyceHall/Camera/KEY; a forged frame is signed by /Somebody.com/KEY. Both signatures may verify correctly as cryptographic operations, so a valid signature alone is not enough: the consumer must also decide whether the key named in the KeyLocator is one that is allowed to sign this data name.

Page 11: Name-Based Confinement of Key's Power

/UCLA/Campus/RoyceHall/ARFeed/…/mp4/_f=…/_s=… can only be signed by /UCLA/Cameras/_id=…/RoyceHall/…/KEY/_id=…

ARFeed data, to be valid, must be signed with a "Camera" key under the same name hierarchy.

Page 12: Flexible Confinement through Namespace Design

Figure: a namespace tree under /UCLA with Campus → RoyceHall, WoodenCenter; data branches ARFeed, SLAM, Info; device key branches Camera, SoundRecorder, Thermometer; and dated data 2017-05-28, 2017-06-01, 2017-06-02. The local trust anchor /UCLA/Faculty/HSEAS/CS/Alex/KEY/_id=42 signs /UCLA/…/KEY/_id=12. Where a key sits in the tree determines what it is allowed to sign, so the namespace design itself expresses the confinement policy.

Page 13: Trust Schema: Name-Based Definition of Trust Model

• A formal language to formally describe the trust model
– Schematize data and key name relationships

Figure: a chain of rules, Data Rule → Key1 Rule → Key2 Rule → Key3 Rule → Local trust anchor(s), plus an Interest Rule. Pattern syntax: <> (any single name component), <CONST> (a literal component), [func] (a component checked by a function), (:group:token) (a named capture of a token), token* (zero or more), token? (zero or one).

Page 14: An Example of Trust Schema for Smart Campus

General trust model:

Data rule: (:Prefix:<>*)(:Location:<>?)<ARFeed>[View]<mp4><frame><chunk>, signed by Camera(Prefix, Location, View)
Camera key rule: (:Prefix:<>*)<Cameras>[cam-id](:Location:<>?)<View>[View]<KEY>[key-id], signed by Faculty(Prefix, Location)
Faculty key rule: (:Prefix:<>*)<Faculty>[user](:Location:<>?)<KEY>[key-id], signed by LocalAnchor(Prefix)

Trust model specialization for the UCLA campus: local anchor /UCLA/KEY/_id=1
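The rules on this slide, together with the KeyLocator chain of slides 9 to 11 and the automated authenticator of slide 15, can be run as code. The following Python is an added example written for this page, not code from the slides or from any NDN library: it implements the slide-13 pattern syntax, the three rules above, and a validator that walks KeyLocators up to a local anchor and checks names before it checks any signature. Assumptions of the example: HMAC-SHA256 stands in for NDN's asymmetric signature so the block runs on the standard library alone (key packets therefore carry the MAC secret, which a real system must never do); the slide's <frame><chunk> components are written as captures [frame][chunk] so the name /…/_frame=12/_chunk=20 matches; the anchor is named /UCLA/Campus/KEY/_id=1 rather than the slide's /UCLA/KEY/_id=1 so that LocalAnchor(Prefix) binds the same Prefix (/UCLA/Campus) as the Faculty rule; every packet name other than the slide's own is invented for the demo.

```python
"""Name-based trust schema validation (added example; not the slides' or any NDN
library's code). A Data packet names its signing key (KeyLocator); keys are named
packets; the schema says which key *names* may sign which data *names*, and the
name checks run before any signature math. Stand-in: HMAC-SHA256 replaces NDN's
asymmetric signature so this runs on the stdlib (key packets therefore carry
the MAC secret, which a real deployment must never do)."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from functools import lru_cache
from typing import Optional

# Slide 13 syntax: <CONST> literal, <> any one component, [func] one captured
# component, (:Group:token) named capture, token* / token? repetition.
_TOKEN = re.compile(r"\(:(\w+):|(\))|<([^<>]*)>|\[([\w-]+)\]|([*?])")

@lru_cache(maxsize=None)
def schema_to_regex(pattern: str):
    """Translate one schema pattern into a regex over a '/a/b/c' name string."""
    out = []
    for grp, close, const, func, rep in (m.groups() for m in _TOKEN.finditer(pattern)):
        if grp:
            out.append(f"(?P<{grp}>")
        elif close:
            out.append(")")
        elif const is not None:
            out.append("(?:/[^/]+)" if const == "" else "/" + re.escape(const))
        elif func:
            out.append(f"(?P<{func.replace('-', '_')}>/[^/]+)")
        else:  # non-greedy '*' so a following optional group still claims its component
            out.append("*?" if rep == "*" else "?")
    return re.compile("".join(out))

def match(pattern: str, name: str) -> Optional[dict]:
    m = schema_to_regex(pattern).fullmatch(name)
    return m.groupdict() if m else None

# rule -> (name pattern, rule the signing key must satisfy, variables that must bind equally).
# Slide 14's rules; [frame][chunk] capture the _frame=/_chunk= components (assumption).
RULES = {
    "Data": ("(:Prefix:<>*)(:Location:<>?)<ARFeed>[View]<mp4>[frame][chunk]", "Camera", ("Prefix", "Location", "View")),
    "Camera": ("(:Prefix:<>*)<Cameras>[cam-id](:Location:<>?)<View>[View]<KEY>[key-id]", "Faculty", ("Prefix", "Location")),
    "Faculty": ("(:Prefix:<>*)<Faculty>[user](:Location:<>?)<KEY>[key-id]", "LocalAnchor", ("Prefix",)),
    "LocalAnchor": ("(:Prefix:<>*)<KEY>[key-id]", None, ()),
}

@dataclass(frozen=True)
class Packet:
    name: str
    content: bytes
    key_locator: Optional[str]  # name of the key packet that signed this one
    signature: bytes

def _mac(key: bytes, name: str, key_locator: Optional[str], content: bytes) -> bytes:
    """Stand-in signature over the signed portion: name, KeyLocator, content."""
    return hmac.new(key, b"\0".join([name.encode(), (key_locator or "").encode(), content]), hashlib.sha256).digest()

def sign(name: str, content: bytes, key: Packet) -> Packet:
    return Packet(name, content, key.name, _mac(key.content, name, key.name, content))

def make_key(name: str, secret: bytes, signer: Optional[Packet]) -> Packet:
    """A key packet; with no signer it is a trust anchor configured out of band."""
    return Packet(name, secret, None, b"") if signer is None else sign(name, secret, signer)

def validate(pkt: Packet, store: dict, anchors: dict, rule: str = "Data") -> tuple:
    """Walk the KeyLocator chain up to a configured anchor; returns (ok, reason).
    Recursion is bounded because each rule names a different next rule."""
    pattern, signer_rule, shared = RULES[rule]
    bindings = match(pattern, pkt.name)
    if bindings is None:
        return False, f"{pkt.name} does not match rule {rule}"
    if signer_rule is None:  # anchor rule: the key itself must be configured out of band
        ok = anchors.get(pkt.name) == pkt.content
        return ok, f"chain ends at anchor {pkt.name}" if ok else f"{pkt.name} is not a configured trust anchor"
    key = store.get(pkt.key_locator)
    if key is None:
        return False, f"key {pkt.key_locator} not available"
    key_bindings = match(RULES[signer_rule][0], key.name)
    if key_bindings is None:
        return False, f"{key.name} is not a {signer_rule} key"
    for var in shared:  # name-based confinement (slide 11): same Prefix/Location/View
        if bindings[var] != key_bindings[var]:
            return False, f"{var} mismatch: data {bindings[var]!r} vs key {key_bindings[var]!r}"
    if not hmac.compare_digest(_mac(key.content, pkt.name, pkt.key_locator, pkt.content), pkt.signature):
        return False, f"bad signature on {pkt.name}"
    return validate(key, store, anchors, signer_rule)

def demo() -> dict:
    """Constructed packets: a genuine frame, a forged one, a misplaced one, a tampered one."""
    anchor = make_key("/UCLA/Campus/KEY/_id=1", b"anchor-secret", None)  # assumed anchor name
    alex = make_key("/UCLA/Campus/Faculty/Alex/RoyceHall/KEY/_id=42", b"alex-secret", anchor)
    cam = make_key("/UCLA/Campus/Cameras/_id=7/RoyceHall/View/FrontView/KEY/_id=3", b"cam-secret", alex)
    alex_wc = make_key("/UCLA/Campus/Faculty/Alex/WoodenCenter/KEY/_id=43", b"alex-wc", anchor)
    cam_wc = make_key("/UCLA/Campus/Cameras/_id=9/WoodenCenter/View/FrontView/KEY/_id=1", b"cam-wc", alex_wc)
    outsider = make_key("/Somebody.com/KEY/_id=1", b"outsider", None)  # the attacker's own key
    store = {k.name: k for k in (anchor, alex, cam, alex_wc, cam_wc, outsider)}
    anchors = {anchor.name: anchor.content}
    frame = "/UCLA/Campus/RoyceHall/ARFeed/FrontView/mp4/_frame=12/_chunk=20"
    real = sign(frame, b"<royce hall frame bytes>", cam)
    return {
        "real": validate(real, store, anchors),
        "forged": validate(sign(frame, b"<forged frame>", outsider), store, anchors),
        "misplaced": validate(sign(frame, b"<frame signed by a Wooden Center camera>", cam_wc), store, anchors),
        "tampered": validate(Packet(real.name, b"<altered>", real.key_locator, real.signature), store, anchors),
    }
```

demo() returns an (ok, reason) pair per case. The forged frame is rejected because /Somebody.com/KEY/_id=1 does not match the Camera rule, before its signature is even examined; the Wooden Center camera's frame is rejected on the Location binding even though that camera's own certificate chain is valid; the tampered frame passes every name check and fails only on the signature.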

Page 15: Trust Schema as an Automation Tool

Figure: the trust schema drives both sides. On the consumer side an Authenticator takes signed data (e.g. the camera video feed), issues requests for the public keys named along the chain, and checks them against the trust anchor. On the producer side a Signer takes unsigned data, performs the private key operations (backed by a TPM), and emits signed data; key issuance among user, camera, and trust anchor is handled by the NDN Key Management Protocol.

Page 16: Data-Centric Secrecy

• Data-centric secrecy
• Name-based confidentiality and access control

Page 17: Confidentiality and Access Control Requirements

• Data-centricity
– Confidential "end-to-end" (app-to-app), in motion or at rest
• Flexible controls
– Granting access to publish/read at fine granularities
– Changeable policies at any time
• Asynchrony
– No tight coupling between distributed data production and access granting
• Scalability
– Manageable number of encryption/decryption keys
• Multi-party
– Seamless coordination of control among distributed data producers and consumers

Page 18: Name-Based Access Control (NAC)

Figure: the data owner (/FIU/Parking) defines the publish and access policies and holds the namespace access (private, decryption) keys; the namespace publishing (public, encryption) key is available to producers. Producers (/FIU/Parking/PG-4/Level1/Sensor, /FIU/Parking/PG-4/Level2/Sensor, /FIU/Parking/PG-6/Level1/Sensor) encrypt their data under rotating symmetric content keys (e.g. /FIU/Parking/PG-4/Level1/Sensor/CKEY/1, /FIU/Parking/PG-6/Level2/Sensor/CKEY/42). Consumers (/FIU/Faculty/CIS/Alex/KEY/1, /FIU/Faculty/CIS/Endadul/KEY/1) hold their own private keys. Everything else lives in untrusted in-network and managed storage as named, encrypted packets:

• Secured content keys: /FIU/Parking/PG-4/Level1/Sensor/CKEY/1/ENCRYPTED-BY/FIU/Parking (a content key encrypted with the namespace public key)
• Secured access keys: /FIU/Parking/DKEY/1/ENCRYPTED-BY/FIU/Faculty/CIS/Alex (the namespace decryption key encrypted with a consumer's public key)
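To make the key graph on this slide concrete, here is an added Python example (not code from the slides or from the NDN NAC library) of the owner, producer, and consumer roles over a dictionary that plays the untrusted storage. It uses the `cryptography` package (RSA-OAEP to wrap keys, AES-GCM for content). The packet names follow the slide; the packet encodings, the fixed 256-byte split of the hybrid DKEY blob, the use of the packet name as AES-GCM associated data, and the sensor readings are this example's own choices. Slide 20's narrower scopes (e.g. access only to /FIU/Parking/PG-4) use the same mechanism with a KEY/DKEY pair published under the narrower prefix and producers wrapping their content keys under it.

```python
"""Name-Based Access Control (NAC) as drawn on the slide: added example, not the
slides' or any NDN library's code. RSA-OAEP wraps keys, AES-GCM protects content.
Encodings, the RSA-2048 ciphertext split, and the data packet layout
"<content-key name>\\0<ciphertext>" are this example's own conventions."""
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), None)
RSA_CT = 256  # ciphertext size of RSA-2048 OAEP, used to split hybrid blobs
DER = serialization.Encoding.DER

def seal(key: bytes, plaintext: bytes, name: str) -> bytes:
    """AES-GCM with the packet name as associated data: nonce || ciphertext."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, name.encode())

def open_(key: bytes, blob: bytes, name: str) -> bytes:
    return AESGCM(key).decrypt(blob[:12], blob[12:], name.encode())

def gen_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def pub_der(priv) -> bytes:
    return priv.public_key().public_bytes(DER, serialization.PublicFormat.SubjectPublicKeyInfo)

def owner_setup(store: dict, namespace: str, readers: dict) -> None:
    """Data owner: publish the namespace encryption key (KEY) and the matching
    decryption key (DKEY), the latter wrapped once per authorised reader."""
    dkey = gen_key()
    store[f"{namespace}/KEY/1"] = pub_der(dkey)  # public, encryption key
    dkey_der = dkey.private_bytes(DER, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    for reader, reader_pub_der in readers.items():
        reader_pub = serialization.load_der_public_key(reader_pub_der)
        wrap = AESGCM.generate_key(128)  # hybrid: RSA wraps a fresh AES key, which wraps DKEY
        name = f"{namespace}/DKEY/1/ENCRYPTED-BY{reader}"
        store[name] = reader_pub.encrypt(wrap, OAEP) + seal(wrap, dkey_der, name)

def producer_publish(store: dict, namespace: str, sensor: str, ckey_id: int, readings: list) -> None:
    """Producer: a rotating symmetric content key (CKEY), published encrypted under
    the namespace public key; the readings are encrypted under that CKEY."""
    ckey = AESGCM.generate_key(128)
    ns_pub = serialization.load_der_public_key(store[f"{namespace}/KEY/1"])
    ckey_name = f"{sensor}/CKEY/{ckey_id}"
    store[f"{ckey_name}/ENCRYPTED-BY{namespace}"] = ns_pub.encrypt(ckey, OAEP)
    for stamp, value in readings:
        name = f"{sensor}/{stamp}"
        store[name] = ckey_name.encode() + b"\0" + seal(ckey, value, name)

def consumer_read(store: dict, name: str, me: str, my_priv) -> bytes:
    """Consumer: data -> its CKEY name -> CKEY wrapped for the namespace ->
    DKEY wrapped for me -> plaintext. PermissionError if no DKEY exists for me."""
    ckey_name, blob = store[name].split(b"\0", 1)
    ckey_name = ckey_name.decode()
    prefix = f"{ckey_name}/ENCRYPTED-BY"
    ns = next((n[len(prefix):] for n in store if n.startswith(prefix)), None)
    if ns is None:
        raise KeyError(f"no encrypted content key published under {prefix}")
    dkey_name = f"{ns}/DKEY/1/ENCRYPTED-BY{me}"
    dkey_pkt = store.get(dkey_name)
    if dkey_pkt is None:
        raise PermissionError(f"{me} has no access key for {ns}")
    wrap = my_priv.decrypt(dkey_pkt[:RSA_CT], OAEP)
    dkey = serialization.load_der_private_key(open_(wrap, dkey_pkt[RSA_CT:], dkey_name), None)
    ckey = dkey.decrypt(store[f"{ckey_name}/ENCRYPTED-BY{ns}"], OAEP)
    return open_(ckey, blob, name)

def demo() -> dict:
    """Constructed scenario: Alex is granted /FIU/Parking, Endadul is not."""
    store = {}  # untrusted in-network / managed storage: name -> bytes
    alex, endadul = gen_key(), gen_key()
    owner_setup(store, "/FIU/Parking", {"/FIU/Faculty/CIS/Alex": pub_der(alex)})
    sensor = "/FIU/Parking/PG-4/Level1/Sensor"
    producer_publish(store, "/FIU/Parking", sensor, 1, [("2017-06-18", b"free=12"), ("2017-06-19", b"free=3")])
    result = {"alex": consumer_read(store, f"{sensor}/2017-06-19", "/FIU/Faculty/CIS/Alex", alex)}
    try:
        consumer_read(store, f"{sensor}/2017-06-19", "/FIU/Faculty/CIS/Endadul", endadul)
        result["endadul"] = "read"
    except PermissionError:
        result["endadul"] = "denied"
    result["plaintext_in_store"] = any(b"free=" in v for v in store.values())
    return result
```

Note the asymmetry the slide relies on: a producer only ever sees the namespace public key, so it can publish but cannot read other producers' data, and the owner can grant a new reader later by publishing one more DKEY packet without touching any producer or any stored data.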

Page 19: NAC with Attribute-Based Encryption

IoT over ICN Tutorial @ ACM ICN 2017

Figure: producers (activity sensor, pulse sensor) publish to untrusted storage; the data owner defines the policy "(UCLA or FIU) and student". An attribute authority (attributes such as UCLA, FIU, student, professor, officer, math, …) verifies credentials out-of-band and provides decryption keys for the attested attributes. Consumers holding {UCLA, student} or {FIU, student} satisfy the policy and can decrypt; a consumer holding {UCLA, professor} does not.

Page 20: Control Granularity

• Naming conventions to leverage hierarchical scopes for read and write access
• Based on data type
– PG-4 vs PG-6
– Level1 vs Level2
• Based on data attributes
– Time
– Location

Figure: namespace tree /FIU/Parking with /PG-4 (/Level1 and /Level2, each with /Info and /CMD) and /PG-6, with dated leaves /2017-06-18, /2017-06-19, …. Scopes shown: access for all data under /FIU/Parking; only for /FIU/Parking/PG-4; only for /FIU/Parking/PG-6.

Page 21: Takeaway Points

• NDN: an enabler for boosting secure, reliable, yet simple edge networking
• Key idea: letting network and applications share the same namespace
– Enabling ad hoc, DTN communication via an established namespace
– Integrating networking, storage, processing via named data
– Directly securing data
– Leveraging names of data and keys
• To define trust schema for distributed authentication and authorization
• To define groups and access permissions in a distributed (decentralized) way