Skip to main content
Self-Certifying Names for Named Data Networking

Project Coordinator (EU) :

Athens University of Economics and Business - Research Centre (AUEB)

Country of the EU Coordinator :

Greece

Organisation Type :

Academia

Project participants :

This project is a joint effort between the Athens University of Economics and Business (AUEB) and the University of Memphis (UofM).

The AUEB members:

  • Project Manager: George Xylomenos(M), Professor
  • Technical Manager: George C. Polyzos (M), Professor
  • Vasilis A. Siris (M), Professor, DID-related activities and the integration with NDN
  • Nikos Fotiou (M), PhD, Researcher, DID-related tasks and security-related experiments design
  • Yiannis Thomas (M),PhD, Researcher, NDN integrationand network-related experiment design
  • Iakovos Pittaras (M), PhD student, execution of experiments

The UofM members:

  • Christos Papadopoulos (M), Professor, running experiments on the NDN testbed and the UofM servers

State of US partner :

Tennessee

Starting date :

NGI related Topic :

Privacy and Trust enhancing technologies

Self-Certifying Names for Named Data Networking


Experiment description

The SCN4NDN project will experiment with the merger of two promising NGI technologies: Information-Centric Networking (ICN)1 and Decentralized Identifiers (DIDs)2

ICN has been on the spotlight of many research efforts for more than a decade. It has been explored as a standalone future Internet architecture, as well as an enabler for other NGI architectures, including 5G, IoT, and architectures focused on big dataand/orcyber security. ICN’s goal is to enable fast and secure content dissemination by leveraging direct and intrinsic information identification; this allows supporting multicast, multipath, and caching, as well as novel trust mechanisms.
 
In this project we will experiment with the Named-Data Networking (NDN)3 ICN architecture. A DID is a new form of identifier under standardization by W3C. A DID system can be regarded as a key-value lookup system, where the key is the identifier, the DID, and the value is a DID document. A DID document contains “properties” including information that can be used for verifying DID ownership, as well as the document's integrity. In this project we will experiment with a self-sovereign DID system, i.e., a system where DID documents are managed by the DID owners themselves (as opposed to systems where DID documents are managed by a trusted “registry”). The project is driven by the goals of improving ICN security, enhancing content-owner's privacy, and enabling decentralized data governance. To this end, the project will validate and evaluate a solution that uses self-sovereign DIDs to protect content authenticity in NDN. The integration of DIDs into NDN is expected to provide robust security against fake content (that is, content that does not correspond to its name) without relying on third parties, as well as efficient spam prevention. The project will evaluate the use of per-content DIDs. These DIDs will be randomly generated and they will not reveal any information related to the (content) owner (as opposed, for example, to a digital certificate bound to an owner-specific identifier): this is expected to provide enhanced privacy and resilience against user censorship attacks, since it will not be possible to track and/or filter content belonging to specific owners. Furthermore, the project anticipates improved decentralized data governance by enabling content owners to specify and integrate into their content items lists of authorized storage nodes, as well as basic access control policies. The project vision includes achieving these goals without degrading key functionalities of ICN (and of NDN in particular), including support for advanced traffic management (such as multicast and multisource).
 

 
The proposed solution builds on the emerging paradigm of Decentralized Identifiers (DIDs), a new form of identification under standardization by W3C which allows self-sovereignty. DIDs are associated with a DID document that contains cryptographic materials that can be used for performing various security-related tasks.
Our solution proposes the use of DIDs as content names. A content owner will be able to define the public keys that correspond to various “roles” and/or “rights” in the DID document. For example, an owner will be able to define who can “host” an item, who can “change its contents”, or even who can “change its encoding.”
Additionally, a content owner will be able to digitally sign some “metadata” and include them with the corresponding content items; then, the cryptographic material included in the DID document will be used for verifying the metadata signature.While most DID systems assume a registry for managing DID documents, the proposed solution uses an innovative concept that enables decentralized and autonomous DID document management.
This approach allows DID documents to be integrated in the content items themselves in a secure and verifiable way. With respect to key aspects of NDN (and ICN in general), our solution is expected to have (measurable) impact in the following areas:
  • Security. The solution allows the detection of fake replicas of a content item without relying on 3rdparties, i.e., it can be used not only for verifying an item’s integrity, but also an item’s authenticity.
  • Multicast and Caching. The solution favours the so-called “channel” mode of delivery which facilitates multicast, but it creates some challenges to caching, which we address.
  • Multisource. The solution supports content name “aliases.” Using aliases, it will be possible to implement multisource in a transparent way.•
  • Multipath. Our solution allows the “definition” of authorized in-network nodes allowed to modify “control fields” used for orchestratingmultipath transmission.
 
The SCN4NDN experiments will be conducted on the NDN testbed. The NDN testbed is a global shared resource, with origins, management, and majority presence in the USA. It was created for research purposes and it relies on software routers at several participating institutions, application host nodes, and other devices. Currently,the testbed includes 37 nodes located in the USA, Portugal, Korea, Thailand, Norway, Japan, Brazil, Italy, and France. The testbed is centrally managed and runs a routing protocol that allows communication with every other node. The testbed enables broad areas of research on virtually any type of application and forms a network for the real-life evaluationof NDN technologies, protocols, and applications. The project will have access to (through the UofM) a 24-server lab environment that can emulate dozens of virtual machines connected as various network topologies for controlled experiments.The project will implement two types of experiments: end-to-end experiments and incremental deployment experiments. With end-to-end experiments, our solution will be used at the application layer of the communicating endpoints and it will be adjusted to be compatible with the NDN protocols as deployed in the NDN testbed. For incremental deployment experiments, the project will consider a dual approach: (i) a local testbed with fewer nodes with full access will be deployed at AUEB premises, and (ii) a number of VMs connected to the NDNtestbed will be provided by UofM, where modifications to the NDN software stack and incremental deployment of our solution will be explored. The proposed experiments will address key NGI topics, including privacy and trust enhancing technologies, decentralized data governance, and discovery and identification technologies. The project is expected to investigate a multitude of traffic patterns, content types, content delivery modes, as well as security scenarios.
 

1 G. Xylomenos, C.N. Ververidis, V.A. Siris, N. Fotiou, C. Tsilopoulos, X. Vasilakos, K.V. Katsaros, G.C. Polyzos, "A Survey of Information-Centric Networking Research," IEEE Communications Surveys & Tutorials, vol. 16, no. 2, pp. 1024-1049, 2014.

2 W3C Credentials Community Group, “A primer for decentralized identifiers,” 2019; available athttps://w3c-ccg.github.io/did-primer/

3 V. Jacobson, D.K. Smetters, J.D. Thornton, M.F. Plass, N.H. Briggs, R.L. Braynard, “Networking Named Content,”Proc. ACM CoNEXT 2009, Rome, Italy, December 2009

 

Implementation plan :

Our DID implementation is based on the specifications of “DID:self”, a DID method we have published in Mobile Multimedia Laboratory, “DID:self method specification"4  A Python3-based software library5 currently at TRL3, provides DID document (self-)management functionality by implementing the corresponding Cre ate, Update, and Readmethods. The Create method is used for creating the initial DID document, the Update method is used for modifying it (including key rotation), and the Read method outputs the final DID document and a proof chain that can be used for verifying the binding between a DID and the corresponding document. An application layer solution will combine our implementation with python-ndn 6, an NDN client library, to provide the desired functionality as follows. For each content item, the application will generate a public-private key pair from the Curve25519 elliptic curve. The public key will be then treated as a DID and will be used as the name of the content item. The private key that corresponds to a DID/content name, will be used for signing content item metadata. Metadata will include information that can be used for verifying various properties of an item, such as its integrity, version, type, and alternative names. Eventually, the DID document that corresponds to an item, the appropriate proof, and the signed metadata will be included in the payload of a NDN packet. Using python-ndn, the application will interact with the “NDN Forwarding Daemon” (NFD) of a testbed node in order to perform the appropriate (ICN) operations. Our final software will be at least at TRL4, and possibly at TRL5.

Our experiments will consider the following content item types: immutable items, mutable items that may have multiple “representations” (e.g., an image file stored under different encodings), and mutable items that may have different “versions.” When mutable items are used, we need a mechanism to distinguish among different versions or representations of the same item: this is achieved by including the corresponding information in the metadata (e.g., using a “version” and a “type” field). In addition, for mutable items, the DID document may specify the public keys of the entities that are allowed to generate new versions and/or representations of an item. Similarly, our experiments will consider two content delivery modes: the document mode and the channel mode.In the former mode, a content name will be mapped to a data “bucket,” e.g., an image file, whereas in the second case, a content name will be mapped to a data “stream,” e.g., a streamed video. During the project we will perform experimentsrelated tothe following ICN functionalities:

  • Caching and Multicast Caching and multicast functionalitiesare provided by the NFD. Therefore, experimentation with these functionalities simply requires the allocation of a suitable topology within the testbed and the application of an appropriate workload at the endpoints.
  • Multisource. In order to experiment with multisource, we will implement content name “aliases”. In particular, a content item will be provided by multiple sources and each source will use a different content name. All these name “aliases” will be included in a special field of the item’s metadata called “alsoknownas”. A client application will request simultaneously many of the item’s names, making sure that each request concerns different chunks. This will result in the client receiving different chunks of an item from different sources.
  • Multipath. In order to experiment with multipath we will add a new node in the NDN testbed which will be attached to, at least, two nodes, located in different locations. Furthermore, we will allow the content owner to include in DID documents the public keys of in-network nodes that are authorized to modify “control fields” used for orchestrating multipath transmission
  • Security. Our security related experiments will focus on detecting fake content. In particular,we will consider cases where an attacker signs a fake item using a revoked or a breached key.Our scenarios will consider various types of compromised keys, including keys allowed to update the DID document, as well as keys allowed to generate new versions/representations of an item.In our experiments we will “inject” fake content from various points of the testbed

 

4 https://github.com/mmlab-aueb/did-sel

5 Mobile Multimedia Laboratory, “DID:self method python library,” available at https://github.com/mmlab-aueb/did-self-py

6 Named Data Networking, “A Named Data Networking client library with AsyncIO support in Python 3,” available at https://github.com/named-data/python-ndn

Expected Impacts :

With respect to the NGI initiative, our project is anticipated to have impact in the following areas:

  • Enhanced EU –US cooperation in Next Generation Internet, including policy cooperation. Beyond ICN, and ICT research in general, we believe that our project can be a starting point for better future EU-US relations in science and technology: both partners, AUEB and UofM, through their active collaboration in organizing international events, such as the ACM SIGCOMM ICN conference, and in participation in international working groups, such as IRTF’s ICNRG, have already established a fruitful relationship that guarantees a successful collaboration. The outcomes of the project will become an excellent showcase of cooperation between the two continents and will set up an example for other similar activities.
  • Reinforced collaboration and increased synergies between the Next Generation Internet and the Tomorrow's Internet programmes. The project combines EU-based and US-based researchers and resources to experiment with networking architecture and components that are of interest to both the Next Generation Internet and the Tomorrow’s Internet programmes. For instance, our “DID:self” method is applicable to a number of emerging authentication and authorization standards. Furthermore, the DID-based content authentication mechanism can be applied in other networking and application contexts, such as the emerging Inter-Planetary File System(IPFS)[10], or even HTTP-based services.
  • Developing interoperable solutions and joint demonstrators, contributions to standards. The project is expected to be a showcase of the merger of two emerging standards, managed by different standardization bodies. On the one hand, DIDs are primarily pursued by the W3C. On the other hand, ICN standards are mainly developed under the umbrella of the IETF. Both standardization efforts involve partners from academia and industry. Beyond the demonstration of the joint standards, the project is anticipated to inspire new activities in the respective standardization bodies. In particular, we expect to ignite discussions related to self-managed DIDs, as well as to novel content authentication mechanisms. An EU -US ecosystem of top researchers, hi-tech start-ups / SMEs and Internet-related communities collaborating on the evolution of the Internet. The team envisions that this project will not be a mere collaboration between two ICN pioneers but will also establish a permanent link between EU-US ICT research based on the Future Internet ICN approach. EU ICN research efforts are more human-centric, focusing mostly on security and trust, self-sovereignty, and distributed data governance. US efforts on the other hand prioritize deployment and real-world exploitation. Research teams on both continents will benefit from this complementary partnership.

Expected Results :

For each considered ICN functionality we expect to obtain the following results:

  • Caching and Multicast. For these functionalities, the project will compare this approach to “vanilla” NDN by experimenting with mutable and immutable items, as well as document and channel delivery modes. When it comes to mutable items and channel mode, we expect to see O(N) reduction in network overhead, where N is the number of recipients receiving the stream. On the other hand, when mutable items and document mode are combined, we expect to see an increase in the number of content “advertisements” required to keep caches up to date, since there is a need to distinguish among the various versions. The degree of the increase depends on two factors: (i) whether or not a new version of an item deprecates the old ones, and (ii) whether or not caches are capable of parsing our item metadata format (a case that will be explored using “incremental deployment” scenarios). Finally, it is expected to see similar performance between the project approach and vanilla NDN when mutable items are used (no matter the delivery mode).
  • Multisource and multipath When it comes to multisource and multipath, we will perform two types of experiments. Firstly, the team will utilize multiple sources/paths simultaneously and we will measure the improvement in throughput; this improvement is expected to be log(N) compared to vanilla NDN, where N is the number of paths/sources. Secondly, the team will use the additional paths/sources as a “fallback” mechanism and introduce network failures. In that case, the team will measure the amount of time required to re-gain the original throughput; this is expected to be a few milliseconds. For these experiments, the expected results will also be affected by whether or not in-network nodes can parse and verify DID documents.
  • Security. With respect to the security aspects of our system we will perform two types of experiments. Firstly, the team will measure the time required for users to start receiving the correct version of a file in the presence of attackers that have access to the signing key of the content owner. Secondly, the team will measure the time required for users to start receiving the correct version of a file in the presence of attackers that have been authorized by the content owner to host/modify an item, but after some time they start behaving maliciously hence their privileges have to be revoked. In both cases, we expect to see results in the order of a few seconds.

Expected TRL at experiment completition :

4

NGI related Topic :

Privacy and Trust enhancing technologies

Call Reference :

1

Call Reference ID

The 30-months project NGIatlantic.eu will push the Next Generation Internet a step further by providing cascade funding to EU-based researchers and innovators in carrying out Next Generation Internet related experiments in collaboration with US research teams.




contact action add button