Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy in Content-Oriented Networking: Threats and Countermeasures

Published byElwin Sparks Modified over 5 years ago

Similar presentations

Presentation on theme: "Privacy in Content-Oriented Networking: Threats and Countermeasures"— Presentation transcript:

1 Privacy in Content-Oriented Networking: Threats and Countermeasures
Abdelberi Chaabane Emiliano De Cristofaro Mohamed Ali Kaafar Ersin Uzun

2 What is Content-Oriented Networking?
Content-oriented networking is a proposed network architecture to better accommodate the needs of modern systems and applications. Has potential for wide range of benefits, such as reduced congestion, improved delivery speed, simpler configuration of network devices, and security at the data level.

3 Content-Oriented Networking
Content-Oriented Networking (CON) is an architecture designed to decouple contents from hosts, at the network layer, by relying on the publish/subscribe paradigm CON shifts identification from the host to content, so that it can be located anywhere in the network.

4 CON (Continued) Content in CON is self-contained, has a unique name, and can be retrieved by means of an interest for that name. It is also cached in any arbitrary location, and digitally signed to ensure the integrity and authenticity for the content.

5 In this paper, the authors discuss different attack scenarios that threaten privacy in CON
For each attack, the authors describe the attackers capabilities and their impact on user privacy. They suggest several countermeasures and detail the strengths and weaknesses of each approach. The authors also highlight a number of open problems for further research.

6 CON CON has several building blocks:
Named Content Content-based Routing Content Delivery In-network storage. These building blocks are used to develop a CON-based architecture such as DONA or CCN.

7 Named Content In CON, objects are always named to facilitate data dissemination and search The security model is now shifted to from host authentication to content authentication.

8 Content-Based Routing
Content routing in CON relies on content rather than hosts The aim is to handle increased amounts of network traffic, and be more resilient to network bursts and user mobility

9 Content Delivery Content is efficiently delivered using multi-path routing and leveraging in-network caching Minimizes network bandwidth and delivery delay, as well as handle mobile users.

10 In-network Storage All CON components provide a caching capability.
This is different from packet buffers in standard router’s In CON, cache size is expected to be several orders of magnitude larger.

11 Figure 1: An overview of the main CON features: content routing, caching, and content signature. Content is address by name (x).

12 CCN/CCNx CCNx is a CON instance, and it implements content-centric networking Whenver a router receives an interest for X, it performs a longest-prefix match lookup on it’s three main tables First it will look in it’s main cache (Content store) If that fails, it looks in the Pending Interest Table Else, it will look for the most suitable interface in the Forward Information Base, and then make an entry in the Pending Interest Table.

13 Privacy challenges on CON
There are many challenges for privacy on CON, including: Cache privacy Content Privacy Name privacy Signature privacy In the next few slides, we will be going over the forms of attacks and counteremeasures

14 Cache Privacy Timing Attacks Protocol Attacks
Measure the delay in retrieval to determine what router the content is stored in Protocol Attacks Attack the basic framework for CCNx If content Y has prefix X, can facilitate easy extraction without knowing Y’s filename

15 Countermeasures Wait before reply Collaborative Caching
Delay all requests sent to router, this helps curb timing attacks. Collaborative Caching Have neighbor caches collaborate to create a distributed cache that serves a larger set of users This would create anonymity, making attackers think it is only one cache.

16 Countermeasures Probabilistic caching
Make the caching procedure random can reduce the effectiveness of attacks. One possible approach could be the router deciding to cache based on position from the forwarding path, as well as available space in the cache. Since the decision is based on a router’s internal state, the attacker will not know it.

17 Content Privacy Monitoring and Censorship
Since DPI (Deep Packet Inspection) can be used on unencrypted communications in a regular network, CON is more affected due to persistent caches in the network. This raises the issue of content privacy as DPI works just as well on CON.

18 Countermeasures Encryption (both Symmetric and Asymmetric)
Broadcast encryption Send a message out to n receivers each with a different private key. Proxy re-encryption Cover files

19 Name Privacy In CCNx, content is named by the network and is routed based on content names, This creates a privacy threat, as the content names are not only visible, but are also expected to be related to the content in some way.

20 Bloom Filter

21 Signature Privacy One of the main goals of a CON is to decouple content from its location and allow retrieving from nearby caches. In order to trust fetched data, CCNx digitally signs the content to guarantee integrity Ordinary digital signatures may leak information about a user.

22 Countermeasure Confirmer signature Group signatures
Use another undeniable signature delegated to a third party for verification. Group signatures Let the user hide in a group of signatures to provide signer-ambiguity Ephemeral Identities Let the user create a proxy identity, and use that to sign, protecting themselves

23 The potential of CON privacy
In this section, the authors look at privacy in a CON through a few privacy related concepts: Anonymity Censoring Traceability Confidentiality

24 Anonymity In IP, an traditional way to obtain anonymity is through use of a trusted proxy In CON, anonymity is provided natively without the use of a third party. Essentially, a neighboring router in CON can be seen as a proxy.

25 Censoring In CON, content naming facilitates keyword filtering
Since CON routers have larger computational and memory resources, content blocking can be carried more efficently, without use of dedicated hardware Since interests and data are not encrypted, an attacker just needs to modify the routing protocol so that any “unwanted” interest is dropped from the protocol.

26 Traceabliltiy In IP, most tracking can be done easily through party identifiers (IP addresses) In CON, it is hard to implement because CON, by design, removes party identifiers. Lack of traceability might improve user privacy, but raises security challenges. Makes attacks like DoS harder to trace an attacker

27 Confidentiality Today’s internet model runs on a “one-size-fits-all” model of trust Trust in CON is end-to-end, and does not depend on any physical or temporal frame. This modularity gives CON an advantage, as new trust management models can be employed at will.

28 Conclusion CON proposes a major transition away from the current Internet into a more content-based architecture. CON has the potential benefit of security by design, based on digital signatures that provide data authenticity and integrity. Further work will involve employing the proposed countermeasures and analyzing their feasibility.

29 Questions?

Download ppt "Privacy in Content-Oriented Networking: Threats and Countermeasures"

Similar presentations

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Security and Privacy of Future Internet Architectures: Named-Data Networking Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content.

Security and Privacy of Future Internet Architectures: Named-Data Networking Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content.
IP: The Internet Protocol

IP: The Internet Protocol
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
CSCI 4550/8556 Computer Networks Comer, Chapter 19: Binding Protocol Addresses (ARP)

CSCI 4550/8556 Computer Networks Comer, Chapter 19: Binding Protocol Addresses (ARP)
© 2007 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.1 Computer Networks and Internets with Internet Applications, 4e By Douglas.

© 2007 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.1 Computer Networks and Internets with Internet Applications, 4e By Douglas.
Freenet A Distributed Anonymous Information Storage and Retrieval System I Clarke O Sandberg I Clarke O Sandberg B WileyT W Hong.

Freenet A Distributed Anonymous Information Storage and Retrieval System I Clarke O Sandberg I Clarke O Sandberg B WileyT W Hong.
Freenet. Anonymity  Napster, Gnutella, Kazaa do not provide anonymity  Users know who they are downloading from  Others know who sent a query  Freenet.

Freenet. Anonymity  Napster, Gnutella, Kazaa do not provide anonymity  Users know who they are downloading from  Others know who sent a query  Freenet.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Proxy-assisted Content Sharing Using Content Centric Networking (CCN) for Resource-limited Mobile Consumer Devices Jihoon Lee, Dae Youb Kim IEEE Transactions.

Proxy-assisted Content Sharing Using Content Centric Networking (CCN) for Resource-limited Mobile Consumer Devices Jihoon Lee, Dae Youb Kim IEEE Transactions.
CS 4720 Security CS 4720 – Web & Mobile Systems. CS 4720 The Traditional Security Model The Firewall Approach “Keep the good guys in and the bad guys.

CS 4720 Security CS 4720 – Web & Mobile Systems. CS 4720 The Traditional Security Model The Firewall Approach “Keep the good guys in and the bad guys.
CEN 4500 - Network Fundamentals Chapter 19 Binding Protocol Addresses (ARP) To insert your company logo on this slide From the Insert Menu Select “Picture”

CEN Network Fundamentals Chapter 19 Binding Protocol Addresses (ARP) To insert your company logo on this slide From the Insert Menu Select “Picture”
An efficient secure distributed anonymous routing protocol for mobile and wireless ad hoc networks Authors: A. Boukerche, K. El-Khatib, L. Xu, L. Korba.

An efficient secure distributed anonymous routing protocol for mobile and wireless ad hoc networks Authors: A. Boukerche, K. El-Khatib, L. Xu, L. Korba.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
2012.1.12 Review of the literature : DMND:Collecting Data from Mobiles Using Named Data Takashima Daiki Park Lab, Waseda University, Japan 1/15.

Review of the literature : DMND:Collecting Data from Mobiles Using Named Data Takashima Daiki Park Lab, Waseda University, Japan 1/15.
Chapter 19 - Binding Protocol Addresses

Chapter 19 - Binding Protocol Addresses
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Privacy in Content Oriented Networking: Threats and countermeasures Abdelberi Chaabane, Emiliano De Cristofaro, Mohamed Ali Kaafar, and Ersin Uzun.

Privacy in Content Oriented Networking: Threats and countermeasures Abdelberi Chaabane, Emiliano De Cristofaro, Mohamed Ali Kaafar, and Ersin Uzun.
1 Network Administration Module 3 ARP/RARP. 2 Address Resolution The problem Physical networks use physical addresses, not IP addresses Need the physical.

1 Network Administration Module 3 ARP/RARP. 2 Address Resolution The problem Physical networks use physical addresses, not IP addresses Need the physical.

Similar presentations

Ads by Google