Qiudong Xia,Peixuan He,Kaiping Xue,Jiangping Han,David S. L. Wei,Hao Yue,Jin Qin

DOI: https://doi.org/10.1109/globecom38437.2019.9014220

2019-01-01

Abstract:Information Centric Networking (ICN), a new paradigm of Internet infrastructure, aims to better accommodate users' rapid growing demand for content delivery and optimize bandwidth utilization. Although the in-network cache feature of ICN facilitates the dissemination of content to users, it also poses new challenges on access control for content and network resource. Moreover, it is common that the access privilege of content dynamically change over time. However, existing access control mechanisms in ICN cannot support the publication and distribution of such time-sensitive content. In this paper, we propose a time-sensitive, lightweight, and secure access control mechanism, called TSLS, to solve this problem. We introduce broadcast encryption combined with time tokens for content providers to protect content confidentiality, and only authorized users satisfying the time limitation have capability to decrypt and access the content. Besides, a fast lightweight challenge-response verification is implemented at the edge routers to block unauthorized request from injecting into the network. The responses of authorized users are forwarded to content providers for pre-distribute popular content at in-network caches in advance. Our security analysis shows that TSLS possesses the properties of data confidentiality, unforgeability, anonymity, and DoS/DDoS attacks resistance. Our simulation results indicate that our proposed TSLS is an efficient mechanism with low computation cost and network delay.

Kaiping Xue,Xiang Zhang,Qiudong Xia,David S. L. Wei,Hao Yue,Feng Wu

DOI: https://doi.org/10.1109/tnet.2019.2914189

2018-01-01

Abstract:Information centric networking (ICN) has been regarded as an ideal architecture for the next-generation network to handle users' increasing demand for content delivery with in-network cache. While making better use of network resources and providing better service delivery, an effective access control mechanism is needed due to the widely disseminated contents. However, in the existing solutions, making cache-enabled routers or content providers authenticate users' requests causes high computation overhead and unnecessary delay. Also, the straight-forward utilization of advanced encryption algorithms makes the system vulnerable to DoS attacks. Besides, privacy protection and service accountability are rarely taken into account in this scenario. In this paper, we propose SEAF, a secure, efficient, and accountable edge-based access control framework for ICN, in which authentication is performed at the network edge to block unauthorized requests at the very beginning. We adopt group signature to achieve anonymous authentication and use hash chain technique to reduce greatly the overhead when users make continuous requests for the same file. At the same time, we provide an efficient revocation method to make our framework more robust. Furthermore, the content providers can affirm the service amount received from the network and extract feedback information from the signatures and hash chains. By formal security analysis and the comparison with related works, we show that SEAF achieves the expected security goals and possesses more useful features. The experimental results also demonstrate that our design is efficient for routers and content providers and bring in only slight delay for users' content retrieval.

Qi Li,Ravi Sandhu,Xinwen Zhang,Mingwei Xu

DOI: https://doi.org/10.1109/tdsc.2015.2494049

2017-01-01

Abstract:Several Information Centric Network (ICN) architectures have been proposed as candidates for the future Internet, aiming to solve several salient problems in the current IP-based Internet architecture such as mobility, content dissemination and multi-path forwarding. In general, security and privacy are considered as essential requirements in ICN. However, existing ICN designs lack built-in privacy protection for content providers (CPs), e.g., any router in an Internet Service Provider in ICN can cache any content, which may result in information leakage. In this paper, we propose Mandatory Content Access Control (MCAC), a distributed information flow control mechanism to enable a content provider to control which network nodes can cache its contents. In MCAC, a CP defines different security labels for different contents, and content routers check these labels to decide if a content object should be cached. To ensure correct enforcement of MCAC, we also propose a design of a trusted architecture by extending existing mainstream router architectures. We evaluate the performance of MCAC in the NS-3 simulator. The simulation results show that enforcing MCAC in routers does not introduce significant overhead in content forwarding.

Yu Wang,Mingwei Xu,Zhen Feng,Qing Li,Qi Li

DOI: https://doi.org/10.1109/pccc.2014.7017094

2014-01-01

Abstract:Information-Centric Networking (ICN) has been proposed recently to improve the efficiency of content delivery in current IP networks. ICN employs data names, instead of host addresses, as routing and forwarding indicators. Content in the ICN carries only signature of the content provider but does not contain the identity of the content consumer by default. Such information is, however, essential for many of the web applications, such as email, online social networking, online game, e-commerce, and other session-based web services.In this paper, we propose a session-based access control (SAC) mechanism for ICN scenario to bridge the gap. Key distribution protocols are designed to protect the confidentiality of the content during information delivery. We also employ a dynamic naming scheme to enhance user privacy. According to security analysis, our access control mechanism can provide communication security and privacy protection for both sides of the session. Our design can be easily applied to session-based applications in ICN with negligible overhead.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Shengquan Liao,Chunming Wu,Qiang Yang,Ming Jiang

DOI: https://doi.org/10.4304/jnw.7.11.1837-1844

2012-01-01

Journal of Networks

Abstract:The information-centric network has been proposed for years. It received much attention in the research community until that the content-centric networking (CCN) became one of the fundamental components of Future Internet Architecture (FIA). Meanwhile, current CCN faces enormous technical challenges and one of the key issues is to properly design and evaluate the adaptive forwarding strategies. This paper aims to propose a high efficient routing protocol (ELRP) for the name resolving in CCN. The ELRP incorporates the merits of hierarchical structure, channel and rendezvous network. The demands of path latency are loosen in the proposed routing design, and other metrics, e.g. communication cost, load balancing and resource consumption, are also taken into the consideration. A collection of simulation experiments are carried out and the results show that ELRP can provide improved network performances in terms of these evaluation metrics. Such research outcome implies that a more comprehensive service can be deployed with improved network performance.

Danye Wu,Zhiwei Xu,Bo Chen,Yujun Zhang,Zhu Han

DOI: https://doi.org/10.1109/tcomm.2020.3026380

IF: 6.166

2021-01-01

IEEE Transactions on Communications

Abstract:By moving computing resources close to where they are needed (i.e., the network edges), edge computing can significantly reduce burden on the centric cloud data centers. However, extreme scale of on-line big data may impose a significant burden on the network backbones. Information-centric edge networking can address this challenge by incorporating in-network caching into edge networks. This however, opens a door for many new security issues and requires various security defenses. One of those is efficient access control design specifically for information-centric edge networking. In this work, we aim to design an efficient and secure access control scheme for information-centric edge networking. In our design, we propose the confidentiality-enhanced network coding which can ensure that, without having access to the authorization key, the attacker will not be able to obtain the original content. And thanks to the properties of confidentiality-enhanced network coding, highly efficient access control can be realized by encrypting only part of the encoding matrix. In addition, our design can allow efficiently revoking users. Security analysis and experimental evaluation on NS3 demonstrate that our scheme can successfully enforce access control in information-centric edge networking with a small overhead.

telecommunications,engineering, electrical & electronic

Bo Chen,Liang Liu,Huadong Ma

DOI: https://doi.org/10.1109/jiot.2020.2989361

IF: 10.6

2020-10-01

IEEE Internet of Things Journal

Abstract:Information-centric networking (ICN) is regarded as a promising architecture for Internet of Things (ICN-IoT) and access control is one of the critical problems to enable secure ICN-IoT. This article proposes high efficient access control (HAC), a high efficient access control system for ICN-IoT. Specifically, HAC enables access control via an elaborate designed hierarchical key tree (HKT) mechanism based on the hierarchical naming scheme of ICN. The proposed HKT contains the hierarchical authority information and allow users to locally derive the key according to their needs, thus greatly decreasing the overhead in IoT's many-to-many communication scenario. To ensure the security and efficiency of HKT, we further propose a level-oriented ciphertext policy attribute-based encryption (LOCP-ABE) algorithm such that users can only obtain the authority level according to their attributes, and also utilize the ICN's receiver-driven model and the in-network caching mechanism to speed up the distribution efficiency. Moreover, an attribute-based command verification mechanism is used to improve the efficiency of command verification for resource-constrained and isolated IoT edge. We evaluate the proposed HAC by theoretical security analysis and real-world experiments. The theoretical analysis proves that the proposed HAC is secure and experiment results show that HAC can greatly improve the access control efficiency in ICN-IoT compared with the state of the art.

computer science, information systems,telecommunications,engineering, electrical & electronic

Peixuan He,Kaiping Xue,Jiayu Yang,Qiudong Xia,Jianqing Liu,David S. L. Wei

DOI: https://doi.org/10.1109/tnsm.2021.3096428

2021-01-01

Abstract:To reduce the duplicated traffic and improve the performance of distributing massive volumes of multimedia contents, in-network caching has been proposed recently. However, as in-network content caching can be directly utilized to respond users’ requests, multimedia content retrieval is beyond content providers’ control and makes it hard for them to implement access control and service accounting. In this paper, we propose a Fine-grained Accountable and Space-Efficient access control scheme, called FASE, for multimedia content distribution. FASE allows content providers to be fully offline while making the best of in-network caching. In FASE, the attribute-based encryption at multimedia content provider side and access policy based authentication at the edge router side jointly ensure secure fine-grained access control. Our scheme is efficient in both space and time. By designing one time chameleon signature (OTCS), users can keep anonymous during the authentication, and their privileges can be conveniently revoked when needed. Besides, secure service accounting is implemented by letting edge routers collect service credentials generated during users’ request process. Through formal security analysis, we prove the security of our scheme. Simulation results demonstrate that our scheme is efficient with acceptable overhead.

Kai Lei,Zhongjie Wang

DOI: https://doi.org/10.1109/iccse.2012.6295245

2012-01-01

Abstract:Content-Centric Networking (CCN) is a predominant substitute of the current TCP/IP networking and it is proposed to be the next generation Internet foundation. The evident characteristic of this network architecture is caching and indexing contents by the inner nodes - the routers, so as to reduce the redundant transmission and thereby shorten the distance between user and content. In this paper, we propose and implement a user authentication scheme over CCN. We adopt the trust model based on certificate authority (CA) to provide the service of binding certificate with user's identity, and help user determine the authenticity and reliability of the publisher of the network content. Also the specialized CA we designed for CCN takes advantage of the decentralization characteristic and cache mechanism of CCN to distribute the certificates and certificate revocation list (CRL) into the network, and it reduces the load of the CA central server when retrieving and verifying certificates. Besides, we propose a timeline-based method to segment the CRL with certificate issue date, thereby making the retrieval of CRL more effective.

Kaiping Xue,Jiayu Yang,Qiudong Xia,David S. L. Wei,Jian Li,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/tnsm.2021.3136547

2021-01-01

IEEE Transactions on Network and Service Management

Abstract:As a new architecture of Internet infrastructure, Information-Centric Networking (ICN) is mainly designed to effectively handle the rapidly increasing user demand for content delivery through in-network caching. While facilitating the dissemination of content to users and making better use of the network resources, ICN is also vulnerable in that attackers can inject poisoned content into the network and isolate users from valid content sources. The introduction of signature verification in each router can effectively prevent this attack, but it also introduces great computation overhead. Existing schemes in ICN reduce verification overhead from a single routing perspective but do not consider integrating resources within ICN for collaborative content authentication and cyber self-defense. In this paper, we propose a collaborative, secure, and efficient content validation protection framework, named CSEVP, to implement a multi-router collaborative defense mechanism for ICN. On the one hand, we conduct content verification by probabilistically choosing one router involved in the transmission path to offload the computation overhead of content verification from a single router to multiple ones. On the other hand, we adopt bloom filters for routers to record and share verification results to further facilitate a more efficient content validity verification. The security and efficiency analysis shows that our proposed CSEVP can achieve efficient content validity verification among multiple routers with acceptable low communication and storage overhead.

Qikun Zhang,Yongjiao Li,Chuanyang Zheng,Liang Zhu,Junling Yuan,Sikang Hu

DOI: https://doi.org/10.1002/ett.4060

IF: 3.6

2020-08-06

Transactions on Emerging Telecommunications Technologies

Abstract:<p>Development of the Internet of things (IoT) is considered as one of the major events in modern manufacturing industry, and IoT devices are expected to create and exchange vast amounts of data, thereby bringing forth unprecedented challenges in terms of robust and vendor‐neutral data sharing. While access control is widely used to protect the security of data sharing, it still has some security flaws and limitations, such as privacy leakage, fixed access permissions, security vulnerabilities, and so on. Aiming at these problems, this article proposes a permission‐combination scalable access control (PCS‐AC) scheme, in which the methods of access permissions assignment, data encryption, and data access are given. In contrast to prior works, PCS‐AC differs in several significant ways: (1) it supports anonymous access and traceability. Anonymous access can prevent leakage of users' privacy. Traceability can track the illegally accessed entity when the resource is illegally accessed; (2) it supports scalable access to data resources. Users use a combination of attribute permissions to access data at different security levels; (3) it achieves high efficiency because the entity can quickly search ciphertext resources by plaintext keywords. After searching and downloading the ciphertext, decrypt it by group key to obtain the corresponding plaintext information. PCS‐AC is proven secure under the hardness assumption of Discrete Logarithm problem and Inverse Computational Diffe‐Hellman problem. The performance analysis shows that PCS‐AC has higher efficiency than the referred works.</p>

telecommunications

Benfeng Chen,Zhizhong Tan,Wenyong Wang,Yan Liu,Tai Io San,Mudi Xu,Lei Wang,Shan Chen,Sou Wang Fong,Jing Feng

DOI: https://doi.org/10.3390/app14135593

2024-06-27

Applied Sciences

Abstract:In the current context of rapid Internet of Things (IoT) and cloud computing technology development, the Single Packet Authorization (SPA) protocol faces increasing challenges, such as security threats from Distributed Denial of Service (DDoS) attacks. To address these issues, we propose the Advanced Network-Hiding Access Control (AHAC) framework, designed to enhance security by reducing network environment exposure and providing secure access methods. AHAC introduces an independent control surface as the access proxy service and combines it with a noise generation mechanism for encrypted access schemes, replacing the traditional RSA signature method used in SPA protocols. This framework significantly improves system security, reduces computational costs, and enhances key verification efficiency. The AHAC framework addresses several limitations inherent in SPA: users need to know the IP address of resources in advance, exposing the resource address to potential attacks; SPA’s one-way authentication mechanism is insufficient for multi-level authentication in dynamic environments; deploying the knocking module and protected resources on the same host can lead to resource exhaustion and service unavailability under heavy loads; and SPA often uses high-overhead encryption algorithms like RSA2048. To counter these limitations, AHAC separates the Port Knocking module from the access control module, supports mutual authentication, and implements an extensible two-way communication mechanism. It also employs ECC and ECDH algorithms, enhancing security while reducing computational costs. We conducted extensive experiments to validate AHAC’s performance, high availability, extensibility, and compatibility. The experiments compared AHAC with traditional SPA in terms of time cost and performance.

Computer Science,Engineering

Muhammad Bilal,Sangheon Pack

DOI: https://doi.org/10.1109/jsyst.2019.2931813

IF: 4.802

2020-06-01

IEEE Systems Journal

Abstract:The benefits of the ubiquitous caching in information centric networking (ICN) are profound; even though such features make ICN promising for content distribution, but it also introduces a challenge to content protection against the unauthorized access. The protection of a content against unauthorized access requires consumer authentication and involves the conventional end-to-end encryption. However, in ICN, such end-to-end encryption makes the content caching ineffective since encrypted contents stored in a cache are useless for any consumers except those who know the encryption key. For effective caching of encrypted contents in ICN, we propose a secure distribution of protected content (SDPC) scheme, which ensures that only authenticated consumers can access the content. SDPC is lightweight and allows consumers to verify the originality of the published content by using a symmetric key encryption. SDPC also provides protection against privacy leakage. The security of SDPC was proved with the Burrows–Abadi–Needham (BAN) logic and Scyther tool verification, and simulation results show that SDPC can reduce the content download delay.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Zuoqi Jiang,Jiangtao Luo,Fei Zhang,Chen He,Mengnan Wang,Yanyong Zhang

DOI: https://doi.org/10.1109/hoticn48464.2019.9063215

2019-01-01

Abstract:The current data-centric security architecture for the Information Centric Network (ICN) does not provide efficient user authentication mechanisms, thus causing undesirable issues such as interest flooding a ttacks (IFA). I no rder to address them, this paper proposes a pseudonym authentication scheme on network layer based on the system of identity-based cryptography (IBC). In the proposed approach, each consumer needs to be authenticated before sending Interest packets into the network. After successful authentication, the consumer will be assigned a temporary nickname to be used in later data request. During the procedure, IBC is adopted to protect real names of consumers and verify the interest origin. As a result, this approach can complete user authentication and protect his real identity simultaneously. The proposed approach is case studied in IFA depression and expected results are achieved.

Enkeleda Bardhi,Mauro Conti,Riccardo Lazzeretti,Eleonora Losiouk

2023-07-11

Abstract:Today Internet is experiencing a massive number of users with a continuously increasing need for data, which is the leading cause of introduced limitations among security and privacy issues. To overcome these limitations, a shift from host-centric to data-centric is proposed, and in this context, Information-Centric Networking (ICN) represents a promising solution. Nevertheless, unsettling the current Internet network layer, i.e., Internet Protocol (IP), with ICN is a challenging, expensive task since it requires worldwide coordination among Internet Service Providers (ISPs), backbone, and Autonomous Services (AS). Therefore, researchers foresee that the replacement process of the current Internet will transition through the coexistence of IP and ICN. In this perspective, novel architectures combine IP and ICN protocols. However, only a few of the proposed architectures place the security-by-design feature. Therefore, this article provides the first comprehensive Security and Privacy (SP) analysis of the state-of-the-art IP-ICN coexistence architectures by horizontally comparing the SP features among three deployment approaches, i.e., overlay, underlay, and hybrid, and vertically comparing among the ten considered SP features. Lastly, the article sheds light on the open issues and possible future directions for IP-ICN coexistence. Our analysis shows that most architectures fail to provide several SP features, including data and traffic flow confidentiality, availability, and anonymity of communication. Thus, this article shows the secure combination of current and future protocol stacks during the coexistence phase that the Internet will definitely walk across.

Cryptography and Security,Computers and Society,Networking and Internet Architecture

Daibo MAO,Qi LI,Yuan YANG

DOI: https://doi.org/10.3969/j.issn.2095-347X.2013.04.005

2013-01-01

Abstract:Several Information Centric Network(ICN) architectures have been proposed to solve several problems in the current IP-based Internet architecture such as mobility and multi-path forwarding.Among these schemes,security and privacy are considered as essential part in ICN.We analyze that existing ICN designs lack built-in privacy protection for content providers.For example,any router in an Internet Service Provider(ISP) in ICN can cache any content,which may incur information leakage.In this paper,we analyze the privacy leakage problem in ICN,and compare the features of the existing ICN security solutions.Finally,we discuss the key issues in designing privacy protection mechanisms in ICNs.

Kaiping Xue,Peixuan He,Jiayu Yang,Qiudong Xia,David S. L. Wei

DOI: https://doi.org/10.1109/tnet.2022.3155110

2022-01-01

IEEE/ACM Transactions on Networking

Abstract:As one of the promising next generation network architectures, information centric networking (ICN) is highly anticipated to improve the bandwidth usage of the Internet and reduce duplicate traffic. Since contents in ICN are disseminated in the whole network, ICN is much more vulnerable and the issue of how to deliver contents securely has been intensively discussed. However, the scalability of the existing schemes is limited. A scalable scheme is expected to be able to achieve fine-grained access control and at the same time also support multiple content providers scenario with efficient key management at user side. Besides, different content providers may publish some identical contents and these contents may be cached in the same intermediate routers, which causes high data redundancy and in turn exerts an adverse impact on the performance of ICN. In this paper, we propose a Secure Content Delivery and Deduplication scheme, called SCD2, to achieve secure and efficient fine-grained access control in ICN with multiple content providers. We first propose a scalable key-policy attribute-based encryption (SKP-ABE) to provide fine-grained access control and allow different attribute authorities to share some public attributes to simplify the key management. Furthermore, based on SKP-ABE, we design a simple but effective mechanism to conduct content deduplication. Finally, we implement a prototype of SCD2 to test its performance and compare it with some existing schemes. The results show that SCD2 has lower storage overhead, a higher degree of deduplication, and better retrieval efficiency.

Kaiping Xue,Wei Meng,Shaohua Li,David S. L. Wei,Huancheng Zhou,Nenghai Yu

DOI: https://doi.org/10.1109/jiot.2019.2902907

IF: 10.6

2019-01-01

IEEE Internet of Things Journal

Abstract:Space information network (SIN) makes it possible for any object to be connected to the Internet anywhere, even in the areas with extreme conditions, where a cellular network is not easy to deploy. Access authentication is the key to secure users' access control in SIN, mainly to prevent illegal adversaries from getting access to SIN services. However, the highly complicated communication environment of SIN (e.g., exposed links, higher signal delay, etc.) poses a challenging issue in the design of a secure and efficient authentication scheme. Although some authentication schemes have been proposed for SIN, they are unsuitable for Internet of Things (IoT) in SIN due to the high signaling overhead and insufficient security properties. Therefore, in this paper, we design a provably secure and efficient authentication protocol, along with an efficient handover mechanism, for IoT in SIN. In our design, we introduce a new authentication system model, where the satellites are given the ability to authenticate users to avoid the online involvement of the network control center (NCC) when authenticating users, thereby reducing long authentication delay and avoiding a single point of bottleneck in NCC. Furthermore, the support of batch verification in our design can significantly enhance handover efficiency when a group of users switch to another satellite. Our further analysis shows that our scheme is secure against various attacks and can meet a variety of security requirements. In addition, performance evaluation shows the superiority of our scheme on both delay and handover efficiency compared with existing schemes.

Shehzad Ashraf Chaudhry,Khalid Yahya,Fadi Al-Turjman,Ming-Hour Yang

DOI: https://doi.org/10.1109/access.2020.3012121

IF: 3.9

2020-01-01

IEEE Access

Abstract:Among other security concerns, the reliable device to device direct communication is an important research aspect in sensor cloud system application of Internet of things (IoT). The access control mechanism can ensure the reliability through secure communication among two IoT devices without mediation of intermediate agent. Mainly, it requires twofold strategy involving the authentication of each other and session key establishment. Quite recently, in 2019, Das et al. proposed a certificate based lightweight access control and key agreement scheme for IoT devices (LACKA-IoT) to ensure smooth and secure access control and claimed LACKA-IoT to withstand the several attacks. Specifically, it is claimed that LACKA-IoT can resist device impersonation and man in middle attacks. However, the proof in this article refutes their claim and it is shown here, that LACKA-IoT is insecure against both device impersonation and man in middle attacks. An adversary just by using public parameters and by listening the communication channel can impersonate any device. Moreover, the same can also launch successful man in middle attack using public parameters and listened messages from public channel. An improved protocol iLACKA-IoT is then proposed in the paper. The iLACKA-IoT provides resistance against various types of threats and provides the required level of security, for evidence both formal validation through random or real (ROR) model as well as the informal validation through discussion on attack resilience is provided. The iLACKA-IoT is not only better in security but also provides performance efficiency as compared with LACKA-IoT and related schemes.