Named, Secured Data: A Fundamental Building Block for Secure Networking
Securing network communications is a major challenge facing the Internet today.Due to the point-to-point communication model of TCP/IP architecture, at the time when security became a necessity, the channel-based security model, represented by Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), was applied to secure network communication between hosts. However, designed for synchronous channels over the network infrastructure, this security solution does not fit many emerging network scenarios that require asynchronous communication. In addition, with the growth of content delivery applications, the mismatch between what application needs, i.e., secured data, and what is provided by the channel-based security model, i.e., secured channels, has also been observed in recent years.
A newly proposed architecture, Named Data Networking (NDN), has been developed over the past decade.Departing from TCP/IP's network model, NDN considers named secured data, instead of channels, as the building block of the communication, and provides an alternative to today's security model by securing data directly. Not relying on the network context, a piece of named secured data can be forwarded, cached, and reused without breaking the security primitives. To deliver named secured data at the network layer, NDN uses a stateful forwarding plane and forwards packets by names instead of IP addresses.
Under this background, there is an urge to understand the difference between the conventional channel-based security model and the new data-centric security model, and explore how to utilize the new way of doing network security to address today's security issues.For this purpose, we first revisit the key concepts of network security from the application's perspective and analyze the main features of the two security models. Then, we present our design of a number of security solutions built over NDN's named secured data, including (i) a self-contained smart home control system, (ii) a DDoS mitigation mechanism that supports fine-grained traffic throttling, (iii) a distributed ledger system for distributed rooftop solar energy system, (iv) a multiparty signing and verification toolset, and (v) a secured data prefetching system for vehicular networking.
We also describe two security solutions built on to the application level for (i) asynchronous and privacy-preserving single sign-on (SSO) and (ii) reliable leaker identification in sensitive data sharing, respectively.While not directly built over NDN because of today's deployment constraints, they follow the notion of the data-centric security model.
Through the design discussion of these systems, we confirm the unique advantages of the data-centric security model and demonstrate how the new security model and especially, NDN's named secured data, can be applied to address some challenges that are intractable to the channel-based security model.