Ruidong Li,Hitoshi Asaeda,Jie Li,Xiaoming Fu

DOI: https://doi.org/10.1016/j.dcan.2017.06.001

IF: 6.348

2017-01-01

Digital Communications and Networks

Abstract:Big data has a strong demand for a network infrastructure with the capability to support data sharing and retrieval efficiently. Information-centric networking (ICN) is an emerging approach to satisfy this demand, where big data is cached ubiquitously in the network and retrieved using data names. However, existing authentication and authorization schemes rely mostly on centralized servers to provide certification and mediation services for data retrieval. This causes considerable traffic overhead for the secure distributed sharing of data. To solve this problem, we employ identity-based cryptography (IBC) to propose a Distributed Authentication and Authorization Scheme (DAAS), where an identity-based signature (IBS) is used to achieve distributed verifications of the identities of publishers and users. Moreover, Ciphertext-Policy Attribute-based encryption (CP-ABE) is used to enable the distributed and fine-grained authorization. DAAS consists of three phases: initialization, secure data publication, and secure data retrieval, which seamlessly integrate authentication and authorization with the interest/data communication paradigm in ICN. In particular, we propose trustworthy registration and Network Operator and Authority Manifest (NOAM) dissemination to provide initial secure registration and enable efficient authentication for global data retrieval. Meanwhile, Attribute Manifest (AM) distribution coupled with automatic attribute update is proposed to reduce the cost of attribute retrieval. We examine the performance of the proposed DAAS, which shows that it can achieve a lower bandwidth cost than existing schemes.

Bing Li,Maode Ma,Yonghe Zhang,Feiyu Lai

DOI: https://doi.org/10.1109/HotICN57539.2022.10036170

2022-01-01

Abstract:Named Data Networking (NDN) has been viewed as a promising future Internet architecture. It requires a new access control scheme to prevent the injection of unauthorized data request. In this paper, an access control supported by information service entity (ACISE) is proposed for NDN networks. A trust entity, named the information service entity (ISE), is deployed in each domain for the registration of the consumer and the edge router. The identity-based cryptography (IBC) is used to generate a private key for the authorized consumer at the ISE and to calculate a signature encapsulated in the Interest packet at the consumer. Therefore, the edge router could support the access control by the signature verification of the Interest packets so that no Interest packet from unauthorized consumer could be forwarded or replied. Moreover, shared keys are negotiated between authorized consumers and their edge routers. The subsequent Interest packets would be verified by the message authentication code (MAC) instead of the signature. The simulation results have shown that the ACISE scheme would achieve a similar response delay to the original NDN scheme when the NDN is under no attacks. However, the ACISE scheme is immune to the cache pollution attacks so that it could maintain a much smaller response delay compared to the other schemes when the NDN network is under the attacks.

Syed Sajid Ullah,Insaf Ullah,Hizbullah Khattak,Muhammad Asghar Khan,Muhammad Adnan,Saddam Hussain,Noor Ul Amin,Muazzam A. Khan Khattak

DOI: https://doi.org/10.1109/ACCESS.2020.2995080

IF: 3.9

2020-01-01

IEEE Access

Abstract:Named Data Networking (NDN) is one of the future envisioned networking paradigm used to provide fast and efficient content dissemination with interest-based content retrieval, name-based routing and in-network content caching. On the one hand, this new breed of future Internet architecture is becoming a key technology for data dissemination in the IoT networks; on the other hand, NDN suffers from new challenges in terms of data security. Among them, a content poisoning attack is the most common data security challenge. The aim of this attack is to inject poisoned content with an invalid signature to the network. Therefore, to prevent NDN against possible content poisoning attack, a signature of the contents is appended to each data packet for verifications. In this paper, we propose an identity-based signature scheme for IoT-based NDN networks, with a special emphasis on content integrity and authenticity. The proposed scheme is based on the concept of the Hyperelliptic curves, which provide the same level of security as Rivest-Shamir-Adleman (RSA), Bilinear pairing and Elliptic Curve Cryptosystems (ECC) with lower-key size. The proposed scheme is subject to both formal and informal security analysis in order to show the feasibility of our scheme. Finally, the performance of the proposed scheme is analyzed via comparison with the relevant existing schemes that authenticates the superiority of our scheme in terms of security and efficiency.

Yong Yu,Yannan Li,Xiaojiang Du,Ruonan Chen,Bo Yang

DOI: https://doi.org/10.1109/mcom.2018.1701086

IF: 9.03

2018-11-01

IEEE Communications Magazine

Abstract:ICNs are promising alternatives to current Internet architecture since the Internet struggles with a number of issues such as scalability, mobility, and security. ICN offers a number of potential benefits including reduced congestion and enhanced delivery performance by employing content caching, simpler network configurations, and stronger security for the content. NDN, an instance of ICN, enables content delivery instead of host-centric approaches by naming data rather than host. In order to make NDN practical in the real world, the challenging issues of content security need to be addressed. In this article, we examine the architecture and content security as well as possible solutions to these issues of NDN, with a special focus on the content integrity and provenance. We propose a variety of digital signature schemes to achieve the data integrity and origin authentication in NDN for various applications, which include cost-effective signatures, privacy preserving signatures, network coding signatures, and post-quantum signatures. We also present speed-up techniques in generating signatures and verifying signatures such as pre-computation, batch verification, and server-aided verification to reduce the computational cost of the producers and receivers in NDN. A number of certificate-free trust management approaches and possible adoptions in NDN are investigated.

telecommunications,engineering, electrical & electronic

Jiangtao Luo,Chen He,Junxia Wang,Lianglang Deng,Yongyi Ran

DOI: https://doi.org/10.1109/hoticn53262.2021.9680834

2021-01-01

Abstract:Named Data Networking (NDN), one typical representative of revolutionary future Internet architectures, enables users to obtain content from everywhere in the network, leveraging ubiquitous in-network caches, which facilitates content sharing more efficiently than the current Internet. However, it becomes a big challenge to implement access control in NDN since it is difficult for a content provider to know when, where and who has retrieved the content. The usual solution is to encrypt the entire content or each packet and then distribute the key to each subscribed user, but the cost of re-encryption to revoke the user is often significant. Inspired by the secret sharing method now commonly used in distributed storage for Big Data, we propose a novel scheme that can enforce access control to the entire content employing a piece of encoded data block, called anchor share. The scheme is thus named anchored secret share, abbreviated as anchor-SS. The performance of anchor-SS as well as its revocation efficiency is analyzed and evaluated. Testing results show that the re-encryption time will be significantly reduced in comparison to the popular approach, nearly inverse proportion to the number of shares.

Qi Xia,Isaac Amankona Obiri,Jianbin Gao,Hu Xia,Xiaosong Zhang,Kwame Omono Asamoah,Sandro Amofa

DOI: https://doi.org/10.1109/tifs.2023.3327660

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The Named Data Networking (NDN) architecture is a futuristic internet infrastructure that aims to deliver content efficiently. However, NDN is faced with the challenge of ensuring the privacy of both content and names. Traditional solutions have focused on encrypting and signing content before injecting the resultant ciphertext into the NDN platform to provide confidentiality and integrity. However, these solutions fail to protect content name privacy in critical applications such as the military and healthcare. To address this challenge, we propose Privacy-Preserving Data Sharing on Named Data Networking (PRIDN), which employs a combination of proxy re-encryption and symmetric mechanisms to secure both content and names. PRIDN offers several advantages over existing solutions. Firstly, it eliminates the need for subscribers to communicate with content publishers for decryption keys, reducing communication overhead and ensuring that content publishers do not need to be online all the time to respond to key generation requests. Second, the proxy re-encryption mechanism prevents replication of ciphertexts, thus avoiding multiple instances of the same content in the network. Lastly, PRIDN also protects sensitive information in content names, preventing user profiling and censorship. Simulation results from ndnSIM and MIRACL libraries demonstrate that PRIDN reduces content retrieval time on NDN. A crypto-verification tool, Verifpal, shows that the proposed protocols are secure for real-world deployment.

Yi Wang,Zhuyun Qi,Bin Liu

DOI: https://doi.org/10.1145/3063955.3063993

2018-01-01

China Communications

Abstract:Named Data Networking (NDN) improves the data delivery efficiency by caching contents in routers. To prevent corrupted and faked contents be spread in the network, NDN routers should verify the digital signature of each published content. Since the verification scheme in NDN applies the asymmetric encryption algorithm to sign contents, the content verification overhead is too high to satisfy wire-speed packet forwarding. In this paper, we propose two schemes to improve the verification performance of NDN routers to prevent content poisoning. The first content verification scheme, called “user-assisted”, leads to the best performance, but can be bypassed if the clients and the content producer collude. A second scheme, named “Router-Cooperation”, prevents the aforementioned collusion attack by making edge routers verify the contents independently without the assistance of users and the core routers no longer verify the contents. The Router-Cooperation verification scheme reduces the computing complexity of cryptographic operation by replacing the asymmetric encryption algorithm with symmetric encryption algorithm. The simulation results demonstrate that this Router-Cooperation scheme can speed up 18.85 times of the original content verification scheme with merely extra 80 Bytes transmission overhead.

Cong Wang,Xu Deng,Maode Ma,Qiang Li,Hongpeng Bai,Yanan Zhang

DOI: https://doi.org/10.1002/ett.4979

IF: 3.6

2024-04-01

Transactions on Emerging Telecommunications Technologies

Abstract:Abstract The Named Data Networking (NDN) architecture, known for its caching strategies and name‐based routing, is an exemplary paradigm for content distribution across Internet of Things (IoT) devices. In the environment of NDN‐IoT, there is an urgent demand for a lightweight signature authentication scheme suitable for terminal devices to ensure the integrity of Data packets and the legitimacy of their sources. Many researchers opt for employing certificateless public key cryptography measures to enhance the security of communication among terminal devices in NDN‐IoT. However, among the array of proposed solutions, issues such as lack of resistance against signer identity exposure, susceptibility to man‐in‐the‐middle attacks, and replay attacks persist. Some researchers advocate for partitioning the devices in NDN‐IoT into different zones, yet there remains a deficiency in the design of packet exchange mechanisms across distinct zones. To address these issues, this paper proposes a novel blockchain‐based certificate‐less signature scheme in the NDN‐IoT environment that integrates key features such as distributed legitimate producer management, inter‐domain interaction mechanisms, anonymous identity protection, and blockchain storage optimization. The overarching goal is to provide robust security services for resource‐constrained devices within the NDN infrastructure while ensuring authenticity and integrity of data packets while alleviating the burden of certificate management on end devices. Compared to similar existing solutions, our proposed method incurs only 34% of the computational overhead required for Data packet signature verification, while maintaining equivalent cache occupancy and achieving higher security performance.

telecommunications

Zuoqi Jiang,Jiangtao Luo,Fei Zhang,Chen He,Mengnan Wang,Yanyong Zhang

DOI: https://doi.org/10.1109/hoticn48464.2019.9063215

2019-01-01

Abstract:The current data-centric security architecture for the Information Centric Network (ICN) does not provide efficient user authentication mechanisms, thus causing undesirable issues such as interest flooding a ttacks (IFA). I no rder to address them, this paper proposes a pseudonym authentication scheme on network layer based on the system of identity-based cryptography (IBC). In the proposed approach, each consumer needs to be authenticated before sending Interest packets into the network. After successful authentication, the consumer will be assigned a temporary nickname to be used in later data request. During the procedure, IBC is adopted to protect real names of consumers and verify the interest origin. As a result, this approach can complete user authentication and protect his real identity simultaneously. The proposed approach is case studied in IFA depression and expected results are achieved.

Kuan Wang,Mingxuan Song,Genqing Bian,Bilin Shao,Kaiqi Huang

DOI: https://doi.org/10.3390/electronics13071316

IF: 2.9

2024-04-01

Electronics

Abstract:Network coding is a potent technique extensively utilized in decentralized Internet of Things (IoT) systems, including the Internet of Medical Things (IoMT). Nevertheless, the inherent packet-mixing characteristics of network coding expose data transmission to pollution attacks, potentially compromising the integrity of original files. The homomorphic signature scheme serves as a robust cryptographic tool that can bolster network coding's resilience against such attacks. However, current schemes are computationally intensive for signature verification, making them impractical for IoMT environments. In this study, we propose a lightweight identity-based network coding scheme (IBNS) that minimizes computational overhead during the signing and verification processes. This scheme has been demonstrated to be secure against adaptive chosen-message attacks and is well-suited for IoMT applications. Furthermore, we assess the performance of our IBNS through both theoretical and experimental analyses. Simulation outcomes confirm that our scheme outperforms previous ones in terms of practicality and efficiency.

engineering, electrical & electronic,computer science, information systems,physics, applied

Qi Li,Xinwen Zhang,Qingji Zheng,Ravi Sandhu,Xiaoming Fu

DOI: https://doi.org/10.1109/tifs.2014.2365742

IF: 7.231

2015-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Named data networking (NDN) is a new paradigm for the future Internet wherein interest and data packets carry content names rather than the current IP paradigm of source and destination addresses. Security is built into NDN by embedding a public key signature in each data packet to enable verification of authenticity and integrity of the content. However, existing heavyweight signature generation and verification algorithms prevent universal integrity verification among NDN nodes, which may result in content pollution and denial of service attacks. Furthermore, caching and location-independent content access disables the capability of a content provider to control content access, e.g., who can cache a content and which end user or device can access it. We propose a lightweight integrity verification (LIVE) architecture, an extension to the NDN protocol, to address these two issues seamlessly. LIVE enables universal content signature verification in NDN with lightweight signature generation and verification algorithms. Furthermore, it allows a content provider to control content access in NDN nodes by selectively distributing integrity verification tokens to authorized nodes. We evaluate the effectiveness of LIVE with open source CCNx project. Our paper shows that LIVE only incurs average 10% delay in accessing contents. Compared with traditional public key signature schemes, the verification delay is reduced by over 20 times in LIVE.

Cesar Ghali,Gene Tsudik,Ersin Uzun

DOI: https://doi.org/10.48550/arXiv.1402.3332

2014-02-13

Networking and Internet Architecture

Abstract:In contrast to today's IP-based host-oriented Internet architecture, Information-Centric Networking (ICN) emphasizes content by making it directly addressable and routable. Named Data Networking (NDN) architecture is an instance of ICN that is being developed as a candidate next-generation Internet architecture. By opportunistically caching content within the network (in routers), NDN appears to be well-suited for large-scale content distribution and for meeting the needs of increasingly mobile and bandwidth-hungry applications that dominate today's Internet. One key feature of NDN is the requirement for each content object to be digitally signed by its producer. Thus, NDN should be, in principle, immune to distributing fake (aka "poisoned") content. However, in practice, this poses two challenges for detecting fake content in NDN routers: (1) overhead due to signature verification and certificate chain traversal, and (2) lack of trust context, i.e., determining which public keys are trusted to verify which content. Because of these issues, NDN does not force routers to verify content signatures, which makes the architecture susceptible to content poisoning attacks. This paper explores root causes of, and some cures for, content poisoning attacks in NDN. In the process, it becomes apparent that meaningful mitigation of content poisoning is contingent upon a network-layer trust management architecture, elements of which we construct while carefully justifying specific design choices. This work represents the initial effort towards comprehensive trust management for NDN.

Miao He,Xiangman Li,Jianbing Ni,Haomiao Yang

DOI: https://doi.org/10.1109/PST52912.2021.9647772

2021-01-01

Abstract:In this paper, we investigate the efficiency of network access control with the co-existence of multiple network operators and propose an efficient and secure network access control architecture (ESNAC) that offers fast identity authentication and access authorization in space-air-ground integrated networks. The major challenge lies in enabling multiple independent network operators to authorize and authenticate mobile users for network access in a secure and efficient way, even they are not mutually trusted. To address this challenge, we introduce an aggregate anonymous credential mechanism to enable a mobile user to present network access authorization of a group of network operators based on the consolidated anonymous credential that is aggregated from the partial anonymous credentials of the network operators. In addition, the efficient authentication of packet delivery is provided based on a sequential aggregate signature that allows each network operator to sign network packets for authentication and sequentially aggregate signatures for communication efficiency. Finally, we discuss the desired security properties of ESNAC and demonstrate its computational and communication efficiency by comparing with the conventional scheme without aggregation.

Y. Rajkumar,S. V. N. Santhosh Kumar

DOI: https://doi.org/10.1007/s12083-024-01636-8

IF: 3.488

2024-02-23

Peer-to-Peer Networking and Applications

Abstract:Traffic data generated by the vehicles are often transported in a wide open wireless communication channel which poses several security and privacy vulnerabilities. In case of any malicious or illicit behavior exhibited by the vehicles, it is difficult to trace back the original identity. Hence message authentication and traceability plays a major role in achieving the stability of the network. To address the objectives of message authentication and traceability, a lightweight privacy preserving distributed certificate-less aggregate signature authentication technique has been proposed. The proposed work utilized pseudo-identity and partial private keys which are distributed to perform mutual authentication and key revocation in case of legal proceedings that incurs computations which are lightweight. Formal and informal security analysis has been provided to demonstrate the strength of the authentication scheme using random-oracle model. In this work, the experiment has been carried by utilizing MIRACL C + + cryptographic library and by OMNET + + Simulator. The proposed scheme performs mutual authentication using certificate-less scheme thereby reducing the computational cost of 2.0284 ms with a reduction in the verification delay around 90% when compared with the other existing authentication schemes.

computer science, information systems,telecommunications

Kwangsu Lee,Dong Hoon Lee

DOI: https://doi.org/10.1371/journal.pone.0128081

2014-11-18

Abstract:Aggregate signatures allow anyone to combine different signatures signed by different signers on different messages into a single short signature. An ideal aggregate signature scheme is an identity-based aggregate signature (IBAS) scheme that supports full aggregation since it can reduce the total transmitted data by using an identity string as a public key and anyone can freely aggregate different signatures. Constructing a secure IBAS scheme that supports full aggregation in bilinear maps is an important open problem. Recently, Yuan {\it et al.} proposed an IBAS scheme with full aggregation in bilinear maps and claimed its security in the random oracle model under the computational Diffie-Hellman assumption. In this paper, we show that there exists an efficient forgery attacker on their IBAS scheme and their security proof has a serious flaw.

Cryptography and Security

M. Anisetti,Filippo Berto,C. Ardagna,E. Damiani

DOI: https://doi.org/10.1109/TNSM.2022.3165144

2022-09-01

IEEE Transactions on Network and Service Management

Abstract:Information-Centric Networking is an emerging alternative to host-centric networking designed for large-scale content distribution and stricter privacy requirements. Recent research on Information-Centric Networking focused on the protection of the network from attacks targeting the content delivery protocols, while assuming genuine content can always be retrieved from trustworthy nodes. In this paper, we depart from the assumption of the trustworthiness of network nodes and propose a novel certification methodology for information-centric networks that supports continuous security verification of non-functional properties. Our methodology provides a complete and detailed view of the network security status, increasing the trustworthiness of the network and its services. The proposed approach builds on an enhanced certification model capturing the evolution of the system over time. It also defines certification services that fully integrate with existing networks to collect evidence on the target of certification and carry out the certification process. It finally proposes two certification processes, centralized and decentralized, balancing the impact on the network and the system performance. Efficiency, performance, and soundness of our approach are experimentally evaluated in a simulated Named Data Networking (NDN) network targeting property availability.

Computer Science

Bing Li,Mingxuan Zheng,Maode Ma

DOI: https://doi.org/10.1049/2024/6616095

2024-03-12

IET Information Security

Abstract:Named Data Networking (NDN) is a promising network architecture that differs from the traditional TCP/IP network, as it focuses on data rather than the host. A new secure model is required to provide the data-oriented trust instead of the host-oriented trust. This paper proposes a new secure solution in the NDNs named Secure Mechanism supported by Certificateless Digital Signature and Blockchain (CLDS-B). The CLDS-B scheme employs a certificateless digital signature to guarantee the authentication and integrity of data. On the one hand, the key escrow problem has been solved to eliminate the risks of compromised private key generators; on the other hand, the data name has been bound to the public key to prevent the false public key. Moreover, the blockchain is used to manage cryptographic information. Each domain designates an information service entity to join the blockchain so that the consumer could retrieve the cryptographic information public parameter in the local domain if necessary. Furthermore, due to the decentralization of the blockchain, the CLDS-B would be robust to resist the single-node failure. Simulation results show that the CLDS-B scheme outperforms a classic NDN scheme, although it shows slightly inferior to the other secure NDN scheme. The security verification and analysis show that the CLDS-B would resist the key escrow attack. The CLDS-B would be a competitive solution in scenarios with a high-security level.

computer science, information systems, theory & methods

LONG Ke,YU Neng-hai,LIU Bin

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.06.037

2011-01-01

Abstract:Aiming at the delay/disruption feature of sparse mobile Ad Hoc network,this paper proposes a novel message signature scheme based on IBC(Identity–Based Cryptography) and ECBP(Elliptic Curve Bilinear Pairings). The security and performance of scheme is also analyzed. This scheme can solve the key escrow problem,limit the invalid message caused by the compromised private keys spreading in the network. On the premise of ensuring security,effective reduction of the key length,signature length and computation,and thus the network communication bandwidth and node memory and computation makes this scheme more suitable for sparse mobile Ad Hoc network.

Chen He,Jiangtao Luo,Fei Zhang,Zuoqi Jiang,Mengnan Wang

DOI: https://doi.org/10.1109/hoticn.2018.8606005

2018-01-01

Abstract:Named Data Networking (NDN) is regarded as a promising architecture for the future Internet. Due to the characteristics of in-network caching and name-based routing in NDN, access control cannot be tied to a particular location, and traditional channel-based access control mechanisms are no longer viable, which brings a major challenge to the access control enforcement. To enhance content-based access control in NDN, this paper presents a per-packet protection (PPP) scheme based on a combination of public key encryption and symmetric-key cryptography, which adopts one-way hash functions to generate random cipher keys for different data packets. Furthermore, PPP using secret sharing method provides efficient and flexible access control, which supports scalability and collusion resistance. The experimental results prove that our solution introduces acceptable overheads and reduces the computation time at the users.

Xin Ye,Gencheng Xu,Xueli Cheng,Yuedi Li,Zhiguang Qin

DOI: https://doi.org/10.1155/2021/6677137

2021-01-01

Abstract:Development of Internet of Vehicles (IoV) has aroused extensive attention in recent years. The IoV requires an efficient communication mode when the application scenarios are complicated. To reduce the verifying time and cut the length of signature, certificateless aggregate signature (CL-AS) is used to achieve improved performance in resource-constrained environments like vehicular ad hoc networks (VANETs), which is able to make it effective in environments constrained by bandwidth and storage. However, in the real application scenarios, messages should be kept untamed, unleashed, and authentic. In addition, most of the proposed schemes tend to be easy to attack by signers or malicious entities which can be called coalition attack. In this paper, we present an improved certificateless-based authentication and aggregate signature scheme, which can properly solve the coalition attack. Moreover, the proposed scheme not only uses pseudonyms in communications to prevent vehicles from revealing their identity but also achieves considerable efficiency compared with state-of-the-art work, certificateless signature (CLS), and CL-AS schemes. Furthermore, it demonstrates that when focused on the existential forgery on adaptive chosen message attack and coalition attack, the proposed schemes can be proved secure. Also, we show that our scheme exceeds existing certification schemes in both computing and communication costs.