[ieee 2013 12th annual mediterranean ad hoc networking workshop (med-hoc-net) - ajaccio, france...

Download [IEEE 2013 12th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET) - Ajaccio, France (2013.06.24-2013.06.26)] 2013 12th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET) - Social network based security scheme in mobile information-centric network

Post on 30-Jan-2017




5 download

Embed Size (px)


  • Social Network Based Security Scheme in Mobile Information-Centric Network

    You Lu, Zhiyang Wang, Yu-Ting Yu, Ruolin Fan, Mario Gerla

    Department of Computer Science University of California, Los Angeles

    Los Angeles, CA 90095, USA {youlu, seanwangsk, yutingyu, ruolinfan, gerla}@cs.ucla.edu

    AbstractWith the spread of mobile Internet, users have increased opportunities to retrieve content from the content producer via the application in mobile information-centric network. For security consideration, the content data must be encrypted and the content producer must be authenticated. Content data is signed by the producer and delivered to the requester via the public-key cryptography. A Certificate Authority (CA) generally verifies the binding between public-key and the producer identity. However, CA verification is not suitable in a mobile information-centric network where connection to a CA cannot be guaranteed. In this paper, we propose a social network based security scheme to verify the public-key and producer identity binding. The proposed scheme is evaluated on an artificial social network model first and is then validated on a real social network data.

    Keywordssecurity; social network; information-centric network

    I. INTRODUCTION With the development of mobile ad hoc network,

    people have easy access to their interesting information using mobile devices. The growing requirement of the content retrieval has created increasing attention to information-centric networks (ICNs) in both academia and industry.

    ICN is designed for content data search and retrieval, offering an alternative approach to IP-based computer networking. In ICN, users focus on the content they are interested in. They need not know where this content is stored and by whom it is carried. Each content data is identified by a unique name from the hierarchical naming scheme. The content retrieval follows the query-reply mode. Content requester spreads his Interest packet through the network. When matching content is found either in the content producer or at an intermediate content cache server, the content data will trace its way back to the content request along the reversed route of the incoming Interest. Several existing ICN proposals have been studied and implemented in Internet and MANET test beds. CCN

    [1] and NDN [2] are two popular designs for the ICN implementation in Internet. Vehicle-NDN [3] and MANET-CCN [4] are two examples of the ICN architecture in mobile ad hoc network, and address the mobility challenge in content retrieval.

    Since the purpose of ICN is to obtain the content data requested by the requester, there is a growing motivation to validate the content received from other users to avoid security breaches. For example, a malicious intermediate node may penetrate security and replace parts of the message content in a multi-hop wireless network. This is known as the man in the middle attack. In other scenarios, attackers may impersonate the sender, etc.

    Security consideration for the ICN application mainly contains two aspects, the trust of the content producer and the integrity of the data. The trust authentication scheme [5] answers the question of how trustworthy the content producer is. The existing public-key cryptography [6] and PKI [7] schemes can be used in ICN to provide adequate security.

    Public-key cryptography refers to a cryptographic system requiring two separate keys, one of which is secret and one of which is public. Although different, the two parts of the key pair are mathematically linked. The public key may be published without compromising security, while the private key must not be revealed to anyone not authorized to read the messages.

    The Public-Key Infrastructure (PKI) system is used to verify the binding relationship between the public-key and the user identity in public-key cryptography scheme. However, the current PKI scheme has been considered inefficient, unusable and difficult to deploy, especially for the mobile application scenario. For example, in the application scenario of vehicular network without any infrastructure, the PKI service is unusable. Mobile ICN needs a more flexible and usable mechanism to verify the binding relationship of the user identity and public-key.

    978-1-4799-1004-5/13/$31.00 2013 IEEE

    2013 12th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET)


  • In this paper, we propose a social network based security scheme to solve both authenticity and integrity problem for the mobile information-centric network application. Our scheme allows user to verify the content producer identity and its public-key binding relationship by retrieving the identity bundle from a trust social network. We evaluate the scheme in a large social network and report its performance in terms of scalability and practicability.

    The rest of the paper is organized as follows. Related work is briefly reviewed in section II. The proposed security scheme is described in section III. Experiment results are presented in section IV. Conclusions follow in section V.

    II. RELATED WORKS In this section, we review the general idea of

    information-centric network, and discuss its security consideration in ICN in terms of the public-key cryptography and PKI scheme.

    A. Information-Centric Network Information-centric network is an alternative approach

    to the architecture of IP-based computer networks. The basic principle is that user only needs to focus on his interested content data, rather than having to reference a specific, physical location where that data is to be retrieved from. ICN differs from IP-based routing in three aspects. First, all content is identified or named by the hierarchical naming scheme. Name becomes the object of request. Second, carefully designed caching system among the entire network helps the content distribution and provides the native features to support many applications, e.g., multicast. Third, the packet communication follows the form of query-reply mode. User (content requester) spreads his interested content name in the Interest packet to the network. When one Interest packet hits the content name in intermediate cache server or the media server (content producer), the content data packets will be forwarded back to the content requester along the reversed route of the incoming Interest.

    A number of previous studies focused on the ICN with high level architectures and provided sketches of the required components. Content-Centric Network (CCN) [1] and Named Data Network (NDN) [2] are two well-known proposals for the ICN implementation in Internet. Their components including FIT, PIT, and Content Store form the caching and forwarding system for the content data transmission in the Internet application. Meanwhile, several mobile ICN architectures have been proposed for the mobile ad hoc scenario, e.g., Vehicle-NDN [3] for the traffic information dissemination in vehicular networks, and MANET-CCN [4] for the tactical and emergency application in MANETs.

    Communication in ICN is driven by the receiving end, i.e., the data requester. To receive data, a requester sends out an Interest packet, which carries a name that identifies the desired data, as shown in Figure 1. For example, a requester may request /parc/videos/WidgetA.mpg. A router remembers the interface from which the request comes in, and then forwards the Interest packet by looking up the name in its Forwarding Information Base (FIB), which is populated by a name-based routing protocol. Once the Interest reaches a node that has the requested data, a Data packet is sent back, which carries both the name and the content of the data, together with a signature by the producers key, as shown in Figure 1. This Data packet traces in reverse the path created by the Interest packet back to the requester. Note that neither Interest nor Data packets carry any host or interface addresses (such as IP addresses); Interest packets are routed towards data producers based on the names carried in the Interest packets, and Data packets are returned based on the state information set up by the Interests at each router hop, as shown in Figure 2.

    Figure 1. Packets in ICN.

    Figure 2. Forwarding process in an ICN node.

    ICN routers keep both Interests and Data for some period of time. When multiple Interests for the same data are received from downstream, only the first Interest is sent upstream towards the data source. The router then stores the Interest in the Pending Interest Table (PIT), where each entry contains the name of the Interest and a set of interfaces from which the matching Interests have

    2013 12th Annual Mediterranean Ad Hoc Networking Workshop (MED-HOC-NET)


  • been received. When the Data packet arrives, the router finds the matching PIT entry and forwards the data to all the interfaces listed in the PIT entry. The router then removes the corresponding PIT entry, and caches the Data in the Content Store, which is basically the routers buffer memory subject to a cache replacement policy. Data takes the exact same path as the Interest that solicited it, but in the reverse direction. One Data satisfies one Interest across each hop, achieving hop-by-hop flow balance.

    To assure the authenticity and integrity of data, the consumer must trust the host who holds the data, and use secure mechanisms to identity, locate, and retrieve data from that host. Securing data directly reduces the trust we must place in network intermediaries. Applications communicating by names can seal data by the original producer at creation time. This leaves only one problem to solve: securing the link between a name and its content. ICN uses application data names to make data available as a mapping triple, as shown in


View more >