SECOND

Project Coordinator (EU) :

Athens University of Economics and Business - Research Center

Country of the EU Coordinator :

Greece

Organisation Type :

Academia

Project participants :

AUEB

George Xylomenos is a Professor at AUEB and a member of the Mobile Multimedia Laboratory (MMlab). He has participated in the groundbreaking EU-funded projects PSIRP, PURSUIT, and POINT that developed and implemented an ICN architecture and integrated it as an underlay for the Internet and recently in the SOFIE project on federated IoT with blockchains.

George C. Polyzos leads the Mobile Multimedia Laboratory (MMlab) at AUEB, where he has been a Professor since 1999 and is Director of the Graduate Program in Computer Science. His current research interests focus on the Internet of Things, security and privacy, Internet architecture and protocols, and wireless mobile multimedia networking.

Vasilios Siris is a Professor at AUEB and a member of the Mobile Multimedia Laboratory (MMlab). His current research interests include resource management and traffic control in wired and wireless networks, and the exploitation of Distributed Ledger Technologies (DLTs) and blockchains for trusted communication with constrained and mobile devices in the Internet of Things.

Nikos Fotiou is a senior researcher with the MMLab/AUEB, where he completed his PhD in 2014 on “Information-Centric Networking: Security Requirements and Solutions.” His current research interests include user privacy, access control mechanisms, and content integrity and provenance verification.

The University of Memphis

Christos Papadopoulos received his PhD in 1999 from Washington University in St. Louis, MO. Before joining the Computer Science Department at the University of Memphis he was an assistant professor at the University of Southern California and a professor at Colorado State University. His research interests include network and cyber-physical systems security, global Internet measurements, information-centric networks and smart and autonomous systems.

Spiros Thanasoulas is a senior software engineer with the computer security lab at the University of Memphis.

State of US partner :

Tennessee

Starting date :

SECOND: Securing Content Delivery and Provenance


Experiment description

The Securing Content Delivery and Provenance (SECOND) project will explore the full potential of Self-Verifiable Content (SVC) in Named Data Networking (NDN) [1], the most popular Information-Centric Networking (ICN) implementation [2]. SECOND will exploit the Decentralized Identifier (DID) paradigm [3] for self-sovereign identities and, in particular, the did:self method [4], which was specified and implemented during the NGIatlantic.eu-funded project SCN4NDN [5]. SECOND will improve the trustworthiness of NGI architectures, giving users control of their data, decreasing the need for trusted intermediaries, enabling new security-sensitive applications, as well as enhancing users’ privacy.

SECOND envisions the integration of SVC in many inter-networking functions of NDN, which, combined with a vertical ICN-based security management API, will:

  • Improve the security and reliability of critical components for content delivery, such as caches and forwarders. SVCs will (a) prevent advertisement of “fake” content items, (b) allow controlled delegation of “content storage”, and (c) enable new trust relationships among namespace “owners”, content “producers”, and content “storage providers”.
  • Improve SVC usability and content provenance, by supporting human-readable names through Certificate-less Public Key Cryptography (Certificate-less PKC). did:self (as most DID methods) uses public keys as DID identifiers, which are not human memorable. Certificate-less PKC is an “identity-based” encryption system that allows arbitrary strings to be used as public keys. However, as opposed to commonly used identity-based encryption systems, certificate-less PKC does not suffer from the so-called “key escrow” problem, i.e., there is no trusted entity that can generate all private keys; instead, each entity can securely generate (and keep secret) the private key that corresponds to an identity.
  • Enhance privacy, by allowing the retrieval of verifiable subsets of SVC using BBS+digital signatures, which support Zero-Knowledge Proofs (ZKP). Using this approach, storage providers will be able to hide portions of an SVC, without preventing content consumers from verifying its integrity. This will allow fine-grained access control mechanisms that will prevent content consumers from accessing sensitive parts of the content, without losing the SVC property of DIDs.
  • Simplify security management, by leveraging the information-centric API of NDN. did:self is a “registry-less” DID method. Although this has many advantages, it creates challenges when it comes to revocation. Similarly, Certificate-less PKC requires the dissemination of some system-wide “parameters”, and it requires a name registration system. SECOND will experiment with a solution that uses NDN to provide this functionality.
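The first bullet above rests on one property: a Data packet whose name prefix is bound to the producer's key can be checked by any cache or forwarder from the packet alone, with no round trip to fetch a verification key. The following Go program is an added illustration of that property and is not code from the SECOND project or the did:self implementation; it assumes a simplified prefix derivation (SHA-256 of an Ed25519 public key under a "/did:self/" prefix) and constructed sample names and payloads.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Data is a simplified NDN-style Data packet whose name prefix is derived from the
// producer's public key, so a node holding the packet verifies it without fetching a key.
type Data struct {
	Name               string
	Payload, Signature []byte
	PubKey             ed25519.PublicKey
}

// SelfCertifyingPrefix binds a name prefix to a public key (assumed derivation: SHA-256).
func SelfCertifyingPrefix(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "/did:self/" + hex.EncodeToString(sum[:])
}
// signedBytes covers name and payload together so neither can be swapped.
func signedBytes(name string, payload []byte) []byte {
	return append([]byte(name+"\x00"), payload...)
}
// Produce signs one content chunk under the given name.
func Produce(priv ed25519.PrivateKey, name string, payload []byte) Data {
	sig := ed25519.Sign(priv, signedBytes(name, payload))
	return Data{Name: name, Payload: payload, Signature: sig, PubKey: priv.Public().(ed25519.PublicKey)}
}
// Verify accepts a packet only if the embedded key owns the prefix and signed name+payload.
func Verify(d Data) bool {
	if !strings.HasPrefix(d.Name, SelfCertifyingPrefix(d.PubKey)+"/") {
		return false // key does not own this namespace: a "fake" content item
	}
	return ed25519.Verify(d.PubKey, signedBytes(d.Name, d.Payload), d.Signature)
}
// Demo returns (genuine accepted, forged-prefix rejected, tampered rejected).
func Demo() (bool, bool, bool) {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	name := SelfCertifyingPrefix(ownerPub) + "/video/chunk/3" // constructed sample name
	genuine := Produce(ownerPriv, name, []byte("chunk 3 bytes"))
	forged := Produce(attackerPriv, name, []byte("bogus chunk")) // claims the owner's prefix
	tampered := genuine
	tampered.Payload = []byte("modified in transit")
	return Verify(genuine), !Verify(forged), !Verify(tampered)
}
func main() { fmt.Println(Demo()) }
```

The forged packet is rejected by the prefix check alone, before any signature verification, which is the property that lets a forwarder discard advertisements for a namespace the signing key does not own.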


Impacts :

With respect to the NGI initiative, our project is anticipated to have impact in the following areas:

Enhanced EU – US cooperation in Next Generation Internet, including policy cooperation

Beyond ICN, and ICT research in general, we believe that our project can be a starting point for better EU-US relations in science and technology: both partners, AUEB and UofM, through their active collaboration in organizing international events, such as the ACM SIGCOMM ICN conference, and in participation in international working groups, such as IRTF’s ICNRG, have already established a fruitful relationship that guarantees a successful collaboration. We strongly believe that the outcomes of the project will become an excellent showcase of cooperation between the two continents and will set an example for other similar activities.

Reinforced collaboration and increased synergies between the Next Generation Internet and the Tomorrow's Internet programmes

Our project combines EU-based and US-based researchers and resources to experiment with networking architecture and components that are of interest to both the Next Generation Internet and the Tomorrow’s Internet programmes. For instance, our did:self method is applicable to a number of emerging authentication and authorization standards. Furthermore, our DID-based content authentication mechanism can be applied in other networking and application contexts, such as the emerging Inter-Planetary File System (IPFS) [15], or even HTTP-based services.

Developing interoperable solutions and joint demonstrators, contributions to standards

Our project is expected to be a showcase of the merger of two emerging standards, managed by different standardization bodies. On the one hand, DIDs are primarily pursued by the W3C. On the other hand, ICN standards are mainly developed under the umbrella of the IETF. Both standardization efforts involve partners from academia and industry. Beyond the demonstration of the joint standards, the project is anticipated to inspire new activities in the respective standardization bodies. In particular, we expect to ignite discussions related to self-managed DIDs, as well as to novel content authentication mechanisms.

An EU - US ecosystem of top researchers, hi-tech start-ups / SMEs and Internet-related communities collaborating on the evolution of the Internet

We envision that this project will not be a mere collaboration between two ICN pioneers but will also establish and maintain a permanent link between EU and US ICT research based on the Future Internet ICN approach. EU ICN research efforts are more human-centric, focusing mostly on security and trust, self-sovereignty, and distributed data governance. US efforts, on the other hand, prioritize deployment and real-world exploitation. We believe that research teams on both continents will benefit from this complementary partnership.


Results :

Our project has defined a set of KPIs to assess the benefits of the proposed experiments. They are grouped below by the type of experiment that will assess them; each KPI is followed by its expected outcome.

Validation experiments

KPI-1

Network overhead due to new packet headers. Our solution increases the size of packets by introducing new packet headers. The added overhead depends on the deployment scenario. We will consider various cases and measure the added network overhead, as well as the impact of our solution on routing and caching state.

Expected: a few bytes increase in packet size, log(N) increase in state, where N is the number of objects


Attack emulation experiments

KPI-2

Impact on routing state advertisement. Our solution will allow routers to verify content advertisements, thus preventing “poisoning attacks”, which are the most impactful attacks in ICN. We will measure the performance overhead added by these verifications, and in particular the delay added to route advertisement propagation.

Expected: a few milliseconds

KPI-3

Time to recover from a compromised key. We will leverage NDN versioning to provide solutions that allow recovering from compromised signing keys. We will consider scenarios that involve delegation and will measure the efficiency of our approach, considering cases where the delegator or the delegatee must update their private keys.

Expected: a few seconds


Traffic optimization experiments


KPI-4

Improvement due to support for selective content disclosure. Our solution allows caches to securely respond to requests for a particular chunk of a piece of content. We will consider scenarios that require secure content delivery, and we will measure how caching is improved in these scenarios due to our solution.

Expected: cache hit ratio increases linearly with the number of chunks per object

KPI-5

Improvement in content retrieval due to self-certifying names. Currently, NDN requires (in some cases) additional round trips to retrieve content verification keys, something not required with our solution. We will measure the improvement that our solution brings by considering cases where content verification is performed only by endpoints, as well as cases where content verification is performed by in-network nodes.

Expected: a few milliseconds

KPI-6

Improvement due to smarter aggregation. We will consider scenarios that require secure content delivery and in which users request different chunks of the same content item. Our solution allows routers to forward only a single, aggregated request and then securely satisfy all other requests using selective disclosure.

Expected: k*n, where k is the number of aggregable requests and n is the size of a chunk


Expected TRL at experiment completion :

5

NGI related Topic :

Open Internet Architecture and Renovation

Call Reference :

4

The 30-month project NGIatlantic.eu will push the Next Generation Internet a step further by providing cascade funding to EU-based researchers and innovators to carry out Next Generation Internet related experiments in collaboration with US research teams.



