KRB-CCN: Lightweight Authentication and Access Control for Private Content-Centric Networks

  • Ivan O. Nunes
  • Gene Tsudik
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10892)


Content-Centric Networking (CCN) is an internetworking paradigm that offers an alternative to today’s IP-based Internet Architecture. Instead of focusing on hosts and their locations, CCN emphasizes addressable named content. By decoupling content from its location, CCN allows opportunistic in-network content caching, thus enabling better network utilization, at least for scalable content distribution. However, in order to be considered seriously, CCN must support basic security services, including content authenticity, integrity, confidentiality, authorization and access control. Current approaches rely on content producers to perform authorization and access control, which is typically attained via public key encryption. This general approach has several disadvantages. First, consumer privacy vis-a-vis producers is not preserved. Second, identity management and access control impose high computational overhead on producers. Also, unnecessary repeated authentication and access control decisions must be made for each content request. (This burden is particularly relevant for resource-limited producers, e.g., anemic IoT devices.)

These issues motivate our design of KRB-CCN – a complete authorization and access control system for private CCN networks. Inspired by Kerberos in IP-based networks, KRB-CCN involves distinct authentication and authorization authorities. By doing so, KRB-CCN obviates the need for producers to make consumer authentication and access control decisions. KRB-CCN preserves consumer privacy since producers are unaware of consumer identities. Producers are also not required to keep any hard state and only need to perform two symmetric key operations to guarantee that sensitive content is confidentially delivered only to authenticated and authorized consumers. Furthermore, KRB-CCN works transparently on the consumer side. Most importantly, unlike prior designs, KRB-CCN leaves the network (i.e., CCN routers) out of any authorization, access control or confidentiality issues. We describe KRB-CCN design and implementation, analyze its security, and report on its performance.



The authors would like to thank Christopher Wood for fruitful discussions and feedback. This work was supported by CISCO University Research Award (2017).


  1. 1.
    Jacobson, V., Smetters, D.K., Thornton, J.D., Plass, M.F., Briggs, N.H., Braynard, R.L.: Networking named content. In: Proceedings of the 5th International Conference on Emerging Networking Experiments and Technologies, pp. 1–12. ACM (2009)Google Scholar
  2. 2.
    Zhang, L., Estrin, D., Burke, J., Jacobson, V., Thornton, J.D., Smetters, D.K., Zhang, B., Tsudik, G., Massey, D., Papadopoulos, C., et al.: Named data networking (NDN) project. Relatório Técnico NDN-0001, Xerox Palo Alto Research Center-PARC (2010)Google Scholar
  3. 3.
    Smetters, D.K., Golle, P., Thornton, J.: CCNx access control specifications. Technical report, PARC (2010)Google Scholar
  4. 4.
    Misra, S., Tourani, R., Majd, N.E.: Secure content delivery in information-centric networks: design, implementation, and analyses. In: Proceedings of the 3rd ACM SIGCOMM Workshop on Information-Centric Networking, pp. 73–78. ACM (2013)Google Scholar
  5. 5.
    Wood, C.A., Uzun, E.: Flexible end-to-end content security in CCN. In: 2014 IEEE 11th Consumer Communications and Networking Conference (CCNC), pp. 858–865. IEEE (2014)Google Scholar
  6. 6.
    Ion, M., Zhang, J., Schooler, E.M.: Toward content-centric privacy in ICN: attribute-based encryption and routing. In: Proceedings of the 3rd ACM SIGCOMM Workshop on Information-Centric Networking, pp. 39–40. ACM (2013)Google Scholar
  7. 7.
    Kuriharay, J., Uzun, E., Wood, C.A.: An encryption-based access control framework for content-centric networking. In: 2015 IFIP Networking Conference (IFIP Networking), pp. 1–9. IEEE (2015)Google Scholar
  8. 8.
    Yu, Y., Afanasyev, A., Zhang, L.: Name-based access control, Named Data Networking Project, Technical Report NDN-0034 (2015)Google Scholar
  9. 9.
    Ghali, C., Schlosberg, M.A., Tsudik, G., Wood, C.A.: Interest-based access control for content centric networks. In: Proceedings of the 2nd International Conference on Information-Centric Networking, pp. 147–156. ACM (2015)Google Scholar
  10. 10.
    Neuman, B.C., Ts’o, T.: Kerberos: an authentication service for computer networks. IEEE Commun. Mag. 32(9), 33–38 (1994)CrossRefGoogle Scholar
  11. 11.
    Mosko, M., Solis, I., Wood, C.: CCNx semantics, IRTF Draft, Palo Alto Research Center, Inc. (2016)Google Scholar
  12. 12.
    Ricciardi, F.: Kerberos protocol tutorial. The National Institute of Nuclear Physics Computing and Network Services, LECCE, Italy (2007)Google Scholar
  13. 13.
    Mockapetris, P.V.: Domain names-concepts and facilities (1987)Google Scholar
  14. 14.
    PARC: CCNx distillery (2016).
  15. 15.
    Sodium: The sodium crypto library (libsodium) (2017).
  16. 16.
    Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). Scholar
  17. 17.
    Dworkin, M.: Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. US Department of Commerce, National Institute of Standards and Technology (2007)Google Scholar
  18. 18.
    DiBenedetto, S., Gasti, P., Tsudik, G., Uzun, E.: ANDaNA: anonymous named data networking application, arXiv preprint arXiv:1112.2205 (2011)
  19. 19.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: The second-generation onion router. Technical report, Naval Research Lab Washington DC (2004)Google Scholar
  20. 20.
    Mosko, M., Uzun, E., Wood, C.A.: Mobile sessions in content-centric networks. In: IFIP Networking (2017)Google Scholar
  21. 21.
    Doraswamy, N., Harkins, D.: IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks. Prentice Hall Professional, Upper Saddle River (2003)Google Scholar
  22. 22.
    Nunes, I.O., Tsudik, G., Wood, C.A.: Namespace tunnels in content-centric networks. In: 2017 IEEE 42nd Conference on Local Computer Networks (LCN), pp. 35–42. IEEE (2017)Google Scholar
  23. 23.
    Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994). Scholar
  24. 24.
    Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005). Scholar
  25. 25.
    Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. (TISSEC) 9(1), 1–30 (2006)CrossRefGoogle Scholar
  26. 26.
    Canetti, R., Hohenberger, S.: Chosen-ciphertext secure proxy re-encryption. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 185–194. ACM (2007)Google Scholar
  27. 27.
    Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 89–98. ACM (2006)Google Scholar
  28. 28.
    Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy, SP 2007, pp. 321–334. IEEE (2007)Google Scholar
  29. 29.
    Solis, I., Scott, G.: CCN 1.0 (tutorial). In: ACM ICN (2014)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.University of California IrvineIrvineUSA

Personalised recommendations