Secure Content Delivery in Information-Centric Networks: Design, Implementation, and Analyses


Post on 25-Feb-2016


DESCRIPTION

Secure Content Delivery in Information-Centric Networks: Design, Implementation, and Analyses. Computer Science Department, New Mexico State University, USA. Nahid Majd, Satyajayant Misra, Reza Tourani. [email protected]. PowerPoint presentation.

TRANSCRIPT

Slide 1

Secure Content Delivery in Information-Centric Networks: Design, Implementation, and Analyses
Satyajayant Misra, Reza Tourani, Nahid Majd
Computer Science Department, New Mexico State University, Las Cruces, NM, USA
[email protected]

Agenda
Introduction and Motivation
Models and Assumptions
Design of Framework
Testbed Results
Conclusion

High-bandwidth video makes up 51% of Internet traffic today and would rise to 54% by 2016; the sum of all video traffic would become approximately 86% of global traffic; by 2014, mobile wireless devices will account for 61% of world Internet traffic. The Cisco Visual Networking Index underlines the need for a high-bandwidth, content-centric Internet.

What does this traffic trend mean for the future of the Internet?

Bandwidth intensive, both in the core and at the edge. Throwing money at the problem is unsustainable. Current solution: place contents closer to the edge using CDNs. A typical content delivery hierarchy in today's Internet:


Content Provider, CDN Nodes, ISP Nodes, End Users. However, using CDNs does not solve the bandwidth bottleneck problem at the ISPs (the edge).

At the edge (CDN to ISP), redundant/duplicate transmissions undermine network performance. Solution: in-network caching at the ISP level. In-network caching at the ISPs will help reduce the bandwidth requirement at the ISP level.

At the edge (CDN to ISP), the important concern is: how do we ensure high availability of the cached data only to legitimate users?

Need for security and access only to authentic users (efficiency and high availability). Plain data caching alone is not enough: caching does not automatically guarantee security or availability. Let's look at a simplified example of how your content is delivered to your Netflix player from the Netflix server.

Components in the Netflix delivery path (from the slide's diagram):
Microsoft's Individualization Server
Netflix Control Server
Netflix's Regular Webserver
Netflix License Server
Netflix Streaming Server (Akamai, etc.)
Amazon EC2
Your Player

What happens when EC2 is NOT E enough?!? If the Cloud is down, then the service is down! This last happened on Oct 22, 2012.

So near yet so far!!Content is next door, but is inaccessible.These conditions serve as the motivation for this work.

A practical security framework for trusted content delivery in ICNs, for legitimate users only: security, efficiency, and high availability, combining broadcast encryption with in-network caching. It supports more than 20 million users, revocation of 1-2 million users, and system re-initialization. Tested in a CCNx testbed. We use a Shamir's secret-sharing based broadcast encryption mechanism* for content security.

(n,t)-threshold secret sharing: any t+1 shares reconstruct the secret needed to decrypt, while t or fewer reveal nothing about it. n: total number of users; t: maximum revocation threshold.

The server sends t shares; the user adds one more to make t+1.

* W. Tzeng and Z. Tzeng. A public-key traitor tracing scheme with revocation using dynamic shares. In Public Key Cryptography, pages 207-224, 2001.

The basic steps are split between the server and the client, with the operations being heavy on the server side.

Basic steps in the framework:
1. The server encrypts the content using a symmetric key.
2. It generates n + t shares.
3. It gives each user one of the shares.
4. It encrypts the key using t shares and makes the result (the enabling block) available.
5. A legitimate user adds his own share to the t published ones, obtaining t+1 shares, and decrypts the key.

The framework has three basic protocols: the first two are performed at the server and the last one at the client.

Basic protocols in the framework:
Polynomial and share generation at the server
Enabling block generation and encryption at the server
Secret extraction at the mobile user

Computation at the (mobile) user needs to be minimal. We perform pre-computations at the server so that the user has to perform only O(t) computations to obtain the secret key.

CCN/NDN architecture details: user registration, chunk creation, packet naming, versioning, user revocation.


Sequence numbers: sequential or random. Versioning: the content and the enabling block can carry different version numbers; versions can help with expiration. User registration and revocation: messages are transmitted as interests. We have addressed some of the questions pertaining to the handling of system dynamics in the framework:

How do we revoke a subscribed user at the end of the subscription?

Can we handle the case where the number of revoked users exceeds t, the system revocation threshold?

How do we handle new users when the system reaches user capacity?

The framework was implemented in a CCNx testbed to verify its feasibility for mobile users.

CCNx-0.7 codebase. 3 nodes: Intel Core i7, 2.4 GHz, 8 GB RAM. Code in C++, compiled with gcc 4.5.2, using the GNU multi-precision arithmetic library. A 24.1 MB video was hosted using the ccnputfile command. n: 1 M to 20 M in increments of 5 M. t: 5 K to 40 K in increments of 5 K. Each experiment was repeated 100 times.

We implemented two versions: No Server-side Pre-computation (SD) & Server-side Pre-computation (PSD).

No server-side pre-computation (SD): the Lagrange interpolation is not computed at the server at all, which requires O(t^2) computations at the mobile device.

Server-side pre-computation (PSD): the Lagrange interpolation terms are partially computed at the server, leaving only O(t) computations at the mobile device.

Polynomial generation and user shares generation depended on the number of users in the system.


The cost increases for a large number of users; however, this part can be parallelized easily. The pre-computation at the server adds to the enabling block cost; however, the overhead is still modest.


Even in PSD, adding the enabling block to the content transmission adds only a 0.3% overhead for a 300 MB movie. Extraction at the user with PSD is far faster than with SD, hence PSD is recommended.


Even when t is 1 million, extraction takes 4.17 seconds (0.06% of a standard Netflix movie's running time) on one 2.4 GHz processor.

Conclusions: our framework will scale to a large number of mobile users.

Legitimate users can access content available close by, even when the content provider is down! The framework is tailor-made for mobile users.

It is efficient enough to scale to several million users: tested for up to 20 million subscribers, with up to 1 million revoked users.

CCNx testbed implementation results show promise.

Thank You
