Project Coordinator (EU) : Athens University of Economics and Business - Research Center
Country of the EU Coordinator : Greece
Organisation Type : Academia
Project participants :
AUEB
George Xylomenos is a Professor at AUEB and a member of the Mobile Multimedia Laboratory (MMlab). He has participated in the groundbreaking EU-funded projects PSIRP, PURSUIT, and POINT that developed and implemented an ICN architecture and integrated it as an underlay for the Internet and recently in the SOFIE project on federated IoT with blockchains.
George C. Polyzos leads the Mobile Multimedia Laboratory (MMlab) at AUEB, where he has been a Professor since 1999 and is Director of the Graduate Program in Computer Science. His current research interests focus on the Internet of Things, security and privacy, Internet architecture and protocols, and wireless mobile multimedia networking.
Vasilios Siris is a Professor at AUEB and a member of the Mobile Multimedia Laboratory (MMlab). His current research interests include resource management and traffic control in wired and wireless networks, and the exploitation of Distributed Ledger Technologies (DLTs) and blockchains for trusted communication with constrained and mobile devices in the Internet of Things.
Nikos Fotiou is a senior researcher with the MMLab/AUEB, where he completed his PhD in 2014 on “Information-Centric Networking: Security Requirements and Solutions.” His current research interests include user privacy, access control mechanisms, and content integrity and provenance verification.
The University of Memphis
Christos Papadopoulos received his PhD in 1999 from Washington University in St. Louis, MO. Before joining the Computer Science Department at the University of Memphis he was an assistant professor at the University of Southern California and a professor at Colorado State University. His research interests include network and cyber-physical systems security, global Internet measurements, information-centric networks and smart and autonomous systems.
Spiros Thanasoulas is a senior software engineer with the computer security lab at the University of Memphis.
State of US partner : Tennessee
Starting date :
SECOND: Securing Content Delivery and Provenance
Experiment description
The Securing Content Delivery and Provenance (SECOND) project will explore the full potential of Self-Verifiable Content (SVC) in Named Data Networking (NDN), the most popular Information-Centric Networking (ICN) implementation. SECOND will exploit the Decentralized Identifier (DID) paradigm for self-sovereign identities and, in particular, the did:self method which was specified and implemented during the NGIatlantic.eu funded project SCN4NDN. SECOND will improve the trustworthiness of NGI architectures, giving users control of their data, decreasing the need for trusted intermediaries, enabling new security-sensitive applications, as well as enhancing users’ privacy.
SECOND envisions the integration of SVC in many inter-networking functions of NDN, which, combined with a vertical ICN-based security management API, will:
- Improve the security and reliability of critical components for content delivery, such as caches and forwarders. SVCs will (a) prevent advertisement of “fake” content items, (b) allow controlled delegation of “content storage”, and (c) enable new trust relationships among namespace “owners”, content “producers”, and content “storage providers”.
- Improve SVC usability and content provenance, by supporting human-readable names through Certificate-less Public Key Cryptography (Certificate-less PKC). did:self (like most DID methods) uses public keys as DID identifiers, which are not human-memorable. Certificate-less PKC is an “identity-based” encryption system that allows arbitrary strings to be used as public keys. However, as opposed to commonly used identity-based encryption systems, Certificate-less PKC does not suffer from the so-called “key escrow” problem, i.e., there is no trusted entity that can generate all private keys; instead, each entity can securely generate (and keep secret) the private key that corresponds to an identity.
- Enhance privacy, by allowing the retrieval of verifiable subsets of an SVC using BBS+ digital signatures, which support Zero-Knowledge Proofs (ZKP). Using this approach, storage providers will be able to hide portions of an SVC without preventing content consumers from verifying its integrity. This will allow fine-grained access control mechanisms that prevent content consumers from accessing sensitive parts of the content, without losing the SVC property of DIDs.
- Simplify security management, by leveraging the information-centric API of NDN. did:self is a “registry-less” DID method. Although this has many advantages, it creates challenges when it comes to revocation. Similarly, Certificate-less PKC requires the dissemination of some system-wide “parameters”, and it requires a name registration system. SECOND will experiment with a solution that uses NDN to provide this functionality.
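The verifiable-subset property described in the privacy bullet above, illustrated with an added example that is not the SECOND project's code. SECOND uses BBS+ signatures with zero-knowledge proofs, which need a pairing library; this stand-in instead commits to salted content chunks in a Merkle tree whose root acts as the self-verifying content name, so the storage provider can disclose only some chunks and the consumer can still check them against the name. The chunk values, function names and the telematics-style sample are constructed for the illustration.

```python
import hashlib
import os
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _levels(leaves):
    # All tree levels bottom-up; an odd level is padded by repeating its last node.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        if len(levels[-1]) % 2:
            levels[-1].append(levels[-1][-1])
        lvl = levels[-1]
        levels.append([_h(b"node" + lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def publish(chunks):
    # Producer: salt each chunk (so hidden chunks cannot be guessed from their hashes)
    # and commit to all of them; the Merkle root is the self-verifying content name.
    salts = [os.urandom(16) for _ in chunks]
    leaves = [_h(b"leaf" + s + c) for s, c in zip(salts, chunks)]
    levels = _levels(leaves)
    return levels[-1][0], {"salts": salts, "chunks": list(chunks), "levels": levels}

def disclose(state, indices):
    # Storage provider: reveal only the requested chunks, each with the sibling
    # hashes on its path to the root; every other chunk stays hidden.
    out = []
    for i in indices:
        path, idx = [], i
        for lvl in state["levels"][:-1]:
            path.append(lvl[idx ^ 1])
            idx //= 2
        out.append((i, state["salts"][i], state["chunks"][i], path))
    return out

def verify(name, disclosure):
    # Consumer: recompute the root from each disclosed chunk and its path;
    # an altered, reordered or foreign chunk fails the check.
    for i, salt, chunk, path in disclosure:
        h, idx = _h(b"leaf" + salt + chunk), i
        for sib in path:
            h = _h(b"node" + h + sib) if idx % 2 == 0 else _h(b"node" + sib + h)
            idx //= 2
        if h != name:
            return False
    return True

# Constructed sample: three telematics-style chunks; only the speed reading is disclosed.
NAME, STATE = publish([b"vin:CONSTRUCTED-0000", b"speed:52", b"gps:38.0,23.7"])
DISCLOSED = disclose(STATE, [1])
```

The undisclosed chunks appear in the disclosure only as salted hashes, which is what lets the consumer verify the subset without learning the rest.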
Impacts :
With respect to the NGI initiative, our project is anticipated to have impact in the following areas:
Enhanced EU – US cooperation in Next Generation Internet, including policy cooperation
Beyond ICN, and ICT research in general, our project aimed to be a starting point for better EU-US relations in science and technology. AUEB and UofM have already established a fruitful relationship during the SCN4NDN project, which became more productive during SECOND: UofM is working on ICN for vehicular applications (see below), where partial content revelation (as developed by SECOND) is extremely useful; this was one of the main points discussed during the research visit of Prof. Siris to UofM. In addition, the ties established between AUEB and the (mostly US based) NDN testbed team allowed us to collaborate on solving the issues that we found with the certificate issuance process for NDN nodes. Finally, our experiment monitoring tool (see D2) will be made available to other NDN testbed users, assisting them in automating their own experiments.
Reinforced collaboration and increased synergies between the Next Generation Internet and the Tomorrow's Internet programmes.
Our project combines EU-based and US-based researchers and resources to experiment with networking architecture and components that are of interest to both the Next Generation Internet and the corresponding NSF programmes. For instance, our did:self method is applicable to a number of emerging authentication and authorization standards. Furthermore, our DID-based content authentication mechanism can be applied in other contexts. UofM has recently been awarded an NSF-funded project (award #2213733) on secure in-vehicle data collection and distribution using ICN, called Open Community Platform for Sharing Vehicle Telematics Data for Research and Innovation, with the aim of building a Platform for Innovative use of Vehicle Open Telematics (PIVOT). This is a great match with SECOND, both in the authentication area, where DIDs can be used, and in the selective disclosure of vehicular data, where the ZKP approach can be employed. Possible collaborations on future research projects were discussed during the visit of Prof. Siris to UofM. We also established links with the Inter-Planetary File System (IPFS) team and collaborated with them on combining DIDs with IPFS.
Developing interoperable solutions and joint demonstrators, contributions to standards
Our project was a showcase of the merger of two emerging standards, managed by different standardization bodies. On the one hand, DIDs are primarily pursued by the W3C. On the other hand, ICN standards are mainly developed under the umbrella of the IETF. Both standardization efforts involve partners from academia and industry. Beyond the demonstration of the joint standards, the project aims to inspire new activities in the respective standardization bodies. We are very actively pushing DIDs to the ICN community, with multiple workshop and conference submissions as part of the project, as well as a recent presentation to the ICNRG of the IRTF, focusing on routing security and partial content revelation. As part of SECOND, we implemented Certificate-less PKC for the Charm-Crypto cryptographic library, and this has been merged into the “dev” branch, which is available to all developers using the library.
An EU - US ecosystem of top researchers, hi-tech start-ups / SMEs and Internet-related communities collaborating on the evolution of the Internet
We envisioned this project to be not a mere collaboration between two ICN pioneers but to also establish and maintain a permanent link between EU-US ICT research based on the Future Internet ICN approach. EU ICN research efforts are more human-centric, focusing mostly on security and trust, self-sovereignty, and distributed data governance. US efforts on the other hand prioritize deployment and real-world exploitation. The AUEB team is focusing on solutions for ICN security and privacy (both in terms of content and access patterns), which we are aiming to integrate with the UofM approach in exploiting ICN for vehicular networks.
By expanding the scope of SVC and the capabilities it offers in the SECOND project, such as supporting human readable content names and selective disclosure of content, as well as embedding the did:self mechanisms inside the core NDN implementation, we are making concrete progress in offering new abilities to NDN, thus making it more attractive for standardization. The workshop and conference submissions describing these advances, as well as their presentation to the ICNRG WG of the IRTF, served to create a momentum behind creating Internet Drafts. A second goal is to push this work to the W3C Credentials Community Group (CCG) and the Decentralized Identity Foundation (DIF), where technology companies, as well as policy makers from both EU and US participate, as case studies of practical uses of the DID and SVC concepts.
Results :
The results obtained show that the proposed solutions are valid and can be integrated into NDN (and ICN in general). All the goals set in the proposal have been achieved, that is, use of Certificate-less PKC to securely bind names to content, use of ZKPs for partial content revelation and full integration of our scheme into NDN, including exploitation of caching, without changing the code running in the NDN testbed.
Our experiments helped us discover issues that were not considered during the design phase of our solution. These issues were related to how NDN handles cached content and how NDN implements naming of content items using application layer parameters. In both cases, we were able to overcome these issues by leveraging functionality already provided by the NDN testbed.
A declared goal of this project was the integration of our security mechanisms into the core functions of NDN. Both partners co-designed a solution that achieves protection of “Advertisement” messages without modifying NDN’s code. We believe that this is a significant achievement, since it creates opportunities for new security solutions that can be easily tested and deployed.
Future Plan :
SECOND explored the use of Decentralized Identifiers (DIDs), Verifiable Credentials (VCs) and Zero-Knowledge Proofs (ZKPs) for improving the security and privacy of Named Data Networking (NDN), the most popular Information-Centric Networking (ICN) implementation. Through experimentation in the NDN testbed, we validated our approach and discovered new issues. Starting from our previous NGIatlantic.eu funded project SCN4NDN, SECOND was able to produce more results and achieve a bigger impact.
With SECOND we leveraged Certificate-less PKC and implemented human-readable DIDs, providing an improved user experience compared to SCN4NDN, which used public keys as DIDs. Additionally, we leveraged NDN’s ICN functionality to disseminate DID documents, which resulted in smaller packets and improved resistance to key breaches. Furthermore, we managed to use this functionality to protect NDN’s core functions without modifying the NDN code and/or its API. Finally, we experimented with a novel ZKP-based mechanism that allows selective content retrieval, again without modifying the NDN code and/or its API.
In SECOND the US-based partner had a larger contribution compared to SCN4NDN, as in addition to facilitating access to the NDN testbed, it co-designed the approach for using the developed security solutions to protect NDN advertisements. This is a significant achievement which provides a solid and realistic solution to a big problem of NDN, namely “content pollution”. The research visit to UofM also helped us work on future collaborative projects. SECOND produced three accepted scientific publications, and some of the project results were presented at an IRTF meeting. Furthermore, in addition to the code made available in MMlab’s public GitHub repository, SECOND contributed its implementation of Certificate-less PKC to the Charm-Crypto cryptographic library. Finally, project outcomes are used in related projects of both partners.
Key results
- Successfully applied Decentralized Identifiers (DIDs), Verifiable Credentials and Zero-Knowledge Proofs to Named Data Networking (NDN).
- Further outcomes are reported on the project website.
- Source code supporting the papers is freely available in the GitHub repository Second.
- Accepted paper: V. Kalos, G.C. Polyzos, “Requirements and Secure Serialization for Selective Disclosure Verifiable Credentials,” Proc. 37th International Conference on ICT Systems Security and Privacy Protection (IFIP SEC), Copenhagen, DK, June 2022.
- Accepted paper: N. Fotiou, V. Kalos, Y. Thomas, G. Xylomenos, V.A. Siris, G.C. Polyzos, “Selective Content Disclosure using Zero-Knowledge Proofs,” Proc. 2022 Global Information Infrastructure and Networking Symposium (GIIS), Argostoli, GR, September 2022.
- Accepted paper: N. Fotiou, Y. Thomas, G. Xylomenos, V.A. Siris, G.C. Polyzos, “Authentication and Authorization for Content-Centric Routing using W3C DIDs and VCs,” Proc. IEEE Conference on Standards for Communications and Networking (CSCN), Thessaloniki, GR, 2022.