
Distributed access control for information-centric networking architectures using verifiable credentials

  • Regular contribution
  • International Journal of Information Security

Abstract

Information-Centric Networking (ICN) is an emerging paradigm that allows users to retrieve content items securely, independently of their location. Therefore, an item may be stored in a location outside the administrative realm of its owner (e.g., a cache or a CDN node). In this paper, we propose a solution that allows these third-party storage nodes to verify that a user is authorized to access a particular content item. We consider an SDN-based ICN deployment and we leverage Verifiable Credentials to build chains of trust, as well as to express users’ capabilities. With our solution, users can prove authorization using a single message that can be integrated into a content request. Additionally, verifying entities do not have to store any secret. Our solution supports delegation and is lightweight.


Data Availability

Data sharing not applicable to this article as no datasets were generated or analyzed during the current study.

Notes

  1. At the time this paper was written, the W3C group that develops LD-Proofs decided to rename them to “Data Integrity”. The related draft can be found at: https://w3c-ccg.github.io/data-integrity-spec/.

  2. Interested readers can find more details in [30].

  3. Using an encryption scheme such as Hybrid Public Key Encryption [3].

  4. https://github.com/mattrglobal/jsonld-signatures-bbs.

  5. Even in the case of revocation lists, a producer stores them for performance reasons and not as a security precaution. Moreover, a revocation list is “pulled” by a producer when it is needed, as opposed to access control lists, which must be proactively “pushed” by the content owners.

References

  1. Akinyele, J., Garman, C., Miers, I., Pagano, M., Rushanan, M., Green, M., Rubin, A.: Charm: a framework for rapidly prototyping cryptosystems. J. Cryptogr. Eng. 3(2), 111–128 (2013)

  2. Andrei, S.: W3C Verifiable Credentials implementation guidelines 1.0 (2019)

  3. Barnes, R., Bhargavan, K., Lipp, B., Wood, C.: Hybrid Public Key Encryption. RFC 9180, IETF (2022). https://www.rfc-editor.org/rfc/rfc9180.txt

  4. Bernardini, C., Marchal, S., Asghar, M.R., Crispo, B.: PrivICN: privacy-preserving content retrieval in information-centric networking. Comput. Netw. 149, 13–28 (2019)

  5. Birgisson, A., Politz, J.G., Erlingsson, Ú., Taly, A., Vrable, M., Lentczner, M.: Macaroons: cookies with contextual caveats for decentralized authorization in the cloud. In: Network and Distributed System Security Symposium (2014)

  6. Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: Proceedings 1996 IEEE Symposium on Security and Privacy, pp. 164–173 (1996)

  7. Blaze, M., Ioannidis, J., Keromytis, A.D.: Experience with the KeyNote trust management system: applications and future directions. In: Nixon, P., Terzis, S. (eds.) Trust Management, pp. 284–300. Springer, Berlin, Heidelberg (2003)

  8. Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13(7), 422–426 (1970)

  9. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Annual International Cryptology Conference, pp. 41–55. Springer, Heidelberg (2004)

  10. Fett, D. et al.: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). RFC draft (2020). https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

  11. Fotiou, N., Marias, G.F., Polyzos, G.C.: Access control enforcement delegation for information-centric networking architectures. SIGCOMM Comput. Commun. Rev. 42(4), 497–502 (2012)

  12. Fotiou, N., Polyzos, G.C.: Enabling NAME-based security and trust. In: Jensen, C.D., Marsh, S., Dimitrakos, T., Murayama, Y. (eds.) Trust Management IX, IFIP Advances in Information and Communication Technology, Vol. 454, pp. 47–59. Springer International Publishing (2015)

  13. Fotiou, N., Polyzos, G.C.: Securing content sharing over ICN. In: Proceedings of the 3rd ACM Conference on Information-Centric Networking, ACM-ICN ’16, pp. 176–185. ACM, New York (2016)

  14. Fotiou, N., Siris, V.A., Xylomenos, G., Polyzos, G.C., Katsaros, K.V., Petropoulos, G.: Edge-ICN and its application to the Internet of Things. In: 2017 IFIP Networking Conference (IFIP Networking) and Workshops, pp. 1–6 (2017). https://doi.org/10.23919/IFIPNetworking.2017.8264880

  15. Ghodsi, A., Koponen, T., Rajahalme, J., Sarolahti, P., Shenker, S.: Naming in content-oriented architectures. In: Proceedings of the ACM SIGCOMM Workshop on Information-Centric Networking, ICN ’11, pp. 1–6. Association for Computing Machinery, New York

  16. Gilbert, C., Upatising, L.: Formal analysis of BrowserID/Mozilla Persona (2013)

  17. Green, M., Ateniese, G.: Identity-Based Proxy Re-encryption, pp. 288–306. Springer, Berlin, Heidelberg (2007)

  18. W3C Credentials Community Group: BBS+ Signatures 2020 (2020). https://w3c-ccg.github.io/ldp-bbs2020/

  19. Gude, N., Koponen, T., Pettit, J., Pfaff, B., Casado, M., McKeown, N., Shenker, S.: NOX: towards an operating system for networks. SIGCOMM Comput. Commun. Rev. 38(3), 105–110 (2008)

  20. Hamdane, B., Serhrouchni, A., Fadlallah, A., Fatmi, S.G.E.: Named-data security scheme for Named Data Networking. In: 2012 Third International Conference on The Network of the Future (NOF), pp. 1–6 (2012)

  21. Ion, M., Zhang, J., Schooler, E.M.: Toward content-centric privacy in ICN: attribute-based encryption and routing. In: Proceedings of the ACM SIGCOMM Workshop on Information-Centric Networking, pp. 39–40 (2013)

  22. Jones, M.: JSON Web Key (JWK). RFC 7517, IETF (2015). https://tools.ietf.org/html/rfc7517

  23. Lantz, B., Heller, B., McKeown, N.: A network in a laptop: rapid prototyping for software-defined networks. In: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, Hotnets-IX, pp. 19:1–19:6. ACM, New York (2010)

  24. Li, B., Verleker, A.P., Huang, D., Wang, Z., Zhu, Y.: Attribute-based access control for ICN naming scheme. In: Proc. IEEE Conference on Communications and Network Security, pp. 391–399 (2014)

  25. Longley, D., Sporny, M.: Revocation List 2020. Draft Community Group Report, W3C (2021). https://w3c-ccg.github.io/vc-status-rl-2020/

  26. Sporny, M. et al.: JSON-LD 1.0 (2014). https://www.w3.org/TR/json-ld/

  27. Sporny, M. et al.: Verifiable Credentials Data Model 1.0 (2019). https://www.w3.org/TR/verifiable-claims-data-model/

  28. Nour, B., Khelifi, H., Hussain, R., Mastorakis, S., Moungla, H.: Access control mechanisms in named data networks: a comprehensive survey. ACM Comput. Surv. 54, 3 (2021)

  29. Pfaff, B., Pettit, J., Koponen, T., Jackson, E., Zhou, A., Rajahalme, J., Gross, J., Wang, A., Stringer, J., Shelar, P., Amidon, K., Casado, M.: The design and implementation of Open vSwitch. In: 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 15), pp. 117–130. USENIX Association, Oakland (2015)

  30. Reed, M.J., Al-Naday, M., Thomos, N., Trossen, D., Petropoulos, G., Spirou, S.: Stateless multicast switching in software defined networks. In: 2016 IEEE International Conference on Communications (ICC), pp. 1–7 (2016). https://doi.org/10.1109/ICC.2016.7511036

  31. Tourani, R., Misra, S., Mick, T., Panwar, G.: Security, privacy, and access control in information-centric networking: a survey. IEEE Commun. Surv. Tutor. 20(1) (2018)

  32. W3C Credentials Community Group: Linked Data Cryptographic Suite Registry (2019). https://w3c-ccg.github.io/ld-cryptosuite-registry

  33. Whitehead, A., Lodder, M., Looker, T., Kalos, V.: The BBS signature scheme. RFC draft (2022). https://identity.foundation/bbs-signature/draft-bbs-signatures.html

  34. Wood, C.A., Uzun, E.: Flexible end-to-end content security in CCN. In: 2014 IEEE 11th Consumer Communications and Networking Conference (CCNC), pp. 858–865 (2014)

  35. Xylomenos, G., Ververidis, C.N., Siris, V.A., Fotiou, N., Tsilopoulos, C., Vasilakos, X., Katsaros, K.V., Polyzos, G.C.: A survey of information-centric networking research. IEEE Commun. Surv. Tutor. 16(2), 1024–1049 (2014)

  36. Yu, Y., Afanasyev, A., Clark, D., claffy, k., Jacobson, V., Zhang, L.: Schematizing trust in Named Data Networking. In: Proceedings of the 2nd ACM Conference on Information-Centric Networking, pp. 177–186. Association for Computing Machinery, New York (2015)

  37. Zhang, X., Chang, K., Xiong, H., Wen, Y., Shi, G., Wang, G.: Towards name-based trust and security for content-centric network. In: 2011 19th IEEE International Conference on Network Protocols (ICNP), pp. 1–6 (2011)

  38. Zhang, Z., Yu, Y., Afanasyev, A., Burke, J., Zhang, L.: NAC: name-based access control in Named Data Networking. In: Proceedings of the 4th ACM Conference on Information-Centric Networking, ICN ’17, pp. 186–187. ACM (2017)


Acknowledgements

The Deanship of Scientific Research (DSR) at King Abdulaziz University, Jeddah, Saudi Arabia has funded this project, under grant no. (RG-13-611-42).


Corresponding author

Correspondence to Bander Alzahrani.

Ethics declarations

Conflict of interest

The authors declare that they have no known conflicts of interest or personal relationships that could have appeared to influence the work reported in this paper.


About this article


Cite this article

Alzahrani, B., Fotiou, N., Albeshri, A. et al. Distributed access control for information-centric networking architectures using verifiable credentials. Int. J. Inf. Secur. 22, 467–478 (2023). https://doi.org/10.1007/s10207-022-00649-9
